WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1585 2015-03-06 16:15:41Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1534	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
		22	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
1	root	23
		24	# Options :
376	franck	25	# -i or --install
		26	# -u or --uninstall
1	root	27
376	franck	28	# Functions :
1378	richard	29	# testing : connectivity tests, free space test and mageia version test
1221	richard	30	# init : Installation of RPM and scripts
		31	# network : Network parameters
		32	# ACC : ALCASAR Control Center installation
		33	# CA : Certification Authority initialization
		34	# init_db : Initilization of radius database managed with MariaDB
1389	richard	35	# radius : FreeRadius initialisation
		36	# radius_web : copy ans modifiy original "freeradius web" in ACC
		37	# chilli : coovachilli initialisation (+authentication page)
		38	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	39	# antivirus : HAVP + libclamav configuration
1485	richard	40	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
1541	richard	44	# vnstat : little network stat daemon
1253	richard	45	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	49	# post_install : Security, log rotation, etc.
1	root	50
		51	DATE=`date '+%d %B %Y - %Hh%M'`
		52	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	53	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	54	mode="install"
1	root	55	# ***** Files parameters - paramètres fichiers *******
1015	richard	56	DIR_INSTALL=`pwd` # current directory
		57	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		58	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
1564	richard	59	DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
1015	richard	60	DIR_WEB="/var/www/html" # directory of APACHE
		61	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		62	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		63	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		64	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		65	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		66	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		67	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		68	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	69	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	70	DB_RADIUS="radius" # database name used by FreeRadius server
		71	DB_USER="radius" # user name allows to request the users database
1349	richard	72	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	73	# ***** Network parameters - paramètres réseau *****
1469	richard	74	HOSTNAME="alcasar" # default hostname
1243	richard	75	DOMAIN="localdomain" # default local domain
1471	richard	76	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1507	richard	77	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF\\|tun0"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	78	MTU="1500"
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
1538	richard	87	then
		88	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		89	else
		90	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	91	fi
1538	richard	92	response=0
		93	PTN='^[oOyYnN]$'
		94	until [[ $(expr $response : $PTN) -gt 0 ]]
		95	do
		96	if [ $Lang == "fr" ]
1563	franck	97	then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
1538	richard	98	else echo -n "Do you accept the terms of this license (Y/n)? : "
		99	fi
		100	read response
		101	done
		102	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		103	then
		104	exit 1
		105	fi
959	franck	106	}
		107
1	root	108	header_install ()
		109	{
		110	clear
		111	echo "-----------------------------------------------------------------------------"
460	richard	112	echo " ALCASAR V$VERSION Installation"
1	root	113	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		114	echo "-----------------------------------------------------------------------------"
1389	richard	115	}
1	root	116
		117	##################################################################
1221	richard	118	## Function "testing" ##
1378	richard	119	## - Test of Mageia version ##
1529	richard	120	## - Test of ALCASAR version (if already installed) ##
1342	richard	121	## - Test of free space on /var (>10G) ##
1005	richard	122	## - Test of Internet access ##
29	richard	123	##################################################################
		124	testing ()
		125	{
1529	richard	126	# Test of Mageia version
		127	# extract the current Mageia version and hardware architecture (i586 ou X64)
		128	fic=`cat /etc/product.id`
		129	unknown_os=0
		130	old="$IFS"
		131	IFS=","
		132	set $fic
		133	for i in $*
		134	do
		135	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		136	then
		137	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		138	unknown_os=`expr $unknown_os + 1`
		139	fi
		140	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		141	then
		142	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		143	unknown_os=`expr $unknown_os + 1`
		144	fi
		145	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		146	then
		147	ARCH=`echo $i\|cut -d"=" -f2`
		148	unknown_os=`expr $unknown_os + 1`
		149	fi
		150	done
		151	IFS="$old"
1362	richard	152	# Test if ALCASAR is already installed
		153	if [ -e $CONF_FILE ]
		154	then
		155	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	156	if [ $Lang == "fr" ]
1362	richard	157	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		158	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	159	fi
1362	richard	160	response=0
		161	PTN='^[oOnNyY]$'
		162	until [[ $(expr $response : $PTN) -gt 0 ]]
		163	do
		164	if [ $Lang == "fr" ]
		165	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		166	else echo -n "Do you want to update (Y/n)?";
		167	fi
		168	read response
		169	done
		170	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		171	then
		172	rm -f /tmp/alcasar-conf*
		173	else
1564	richard	174	# Create the current conf file
1362	richard	175	$DIR_SCRIPTS/alcasar-conf.sh --create
		176	mode="update"
		177	fi
1529	richard	178	fi
		179	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "4" ) ]]
		180	then
		181	if [ -e /tmp/alcasar-conf.tar.gz ] # update
1365	richard	182	then
1529	richard	183	echo
1378	richard	184	if [ $Lang == "fr" ]
		185	then
1529	richard	186	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
		187	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
1564	richard	188	echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
1529	richard	189	echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
1378	richard	190	else
		191	echo "The automatic update of ALCASAR can't be performed."
1529	richard	192	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
1564	richard	193	echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
1529	richard	194	echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
1378	richard	195	fi
1529	richard	196	else
		197	if [ $Lang == "fr" ]
		198	then
		199	echo "L'installation d'ALCASAR ne peut pas être réalisée."
		200	else
		201	echo "The installation of ALCASAR can't be performed."
1378	richard	202	fi
		203	fi
1529	richard	204	echo
		205	if [ $Lang == "fr" ]
		206	then
		207	echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
		208	else
		209	echo "The OS must be replaced (Mageia4.1)"
		210	fi
		211	exit 0
1342	richard	212	fi
1529	richard	213	if [ ! -d /var/log/netflow/porttracker ]
		214	then
		215	# Test of free space on /var
		216	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		217	if [ $free_space -lt 10 ]
		218	then
		219	if [ $Lang == "fr" ]
		220	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		221	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		222	fi
		223	exit 0
		224	fi
		225	fi
1378	richard	226	if [ $Lang == "fr" ]
784	richard	227	then echo -n "Tests des paramètres réseau : "
595	richard	228	else echo -n "Network parameters tests : "
		229	fi
1471	richard	230	# Test of Ethernet links state
		231	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		232	for i in $DOWN_IF
		233	do
		234	if [ $Lang == "fr" ]
		235	then
		236	echo "Échec"
		237	echo "Le lien réseau de la carte $i n'est pas actif."
		238	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		239	else
		240	echo "Failed"
		241	echo "The link state of $i interface is down."
		242	echo "Make sure that this network card is connected to a switch or an A.P."
		243	fi
		244	exit 0
		245	done
		246	echo -n "."
		247
		248	# Test EXTIF config files
1499	richard	249	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		250	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
		251	PUBLIC_GATEWAY=`ip route list\|grep ^default\|cut -d" " -f3`
1471	richard	252	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		253	then
784	richard	254	if [ $Lang == "fr" ]
		255	then
		256	echo "Échec"
		257	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		258	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	259	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	260	else
		261	echo "Failed"
		262	echo "The Internet connected network card ($EXTIF) isn't well configured."
		263	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	264	echo "Apply the new configuration 'systemctl restart network'"
784	richard	265	fi
830	richard	266	echo "DEVICE=$EXTIF"
784	richard	267	echo "IPADDR="
		268	echo "NETMASK="
		269	echo "GATEWAY="
		270	echo "DNS1="
		271	echo "DNS2="
830	richard	272	echo "ONBOOT=yes"
784	richard	273	exit 0
		274	fi
		275	echo -n "."
1471	richard	276
		277	# Test if router is alive (Box FAI)
784	richard	278	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	279	if [ $Lang == "fr" ]
		280	then
		281	echo "Échec"
		282	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		283	echo "Réglez ce problème puis relancez ce script."
		284	else
		285	echo "Failed"
		286	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		287	echo "Resolv this problem, then restart this script."
		288	fi
29	richard	289	exit 0
		290	fi
308	richard	291	echo -n "."
978	franck	292	# On teste le lien vers le routeur par defaut
1499	richard	293	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	294	if [ $(expr $arp_reply) -eq 0 ]
308	richard	295	then
595	richard	296	if [ $Lang == "fr" ]
		297	then
		298	echo "Échec"
1499	richard	299	echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	300	echo "Réglez ce problème puis relancez ce script."
		301	else
		302	echo "Failed"
		303	echo "The Internet gateway doesn't answered"
		304	echo "Resolv this problem, then restart this script."
		305	fi
308	richard	306	exit 0
		307	fi
		308	echo -n "."
421	franck	309	# On teste la connectivité Internet
29	richard	310	rm -rf /tmp/con_ok.html
308	richard	311	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	312	if [ ! -e /tmp/con_ok.html ]
		313	then
595	richard	314	if [ $Lang == "fr" ]
		315	then
		316	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		317	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		318	echo "Vérifiez la validité des adresses IP des DNS."
		319	else
		320	echo "The Internet connection try failed (google.fr)."
		321	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		322	echo "Verify the DNS IP addresses"
		323	fi
29	richard	324	exit 0
		325	fi
		326	rm -rf /tmp/con_ok.html
308	richard	327	echo ". : ok"
1389	richard	328	} # end of testing ()
302	richard	329
		330	##################################################################
1221	richard	331	## Function "init" ##
302	richard	332	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		333	## - Installation et modification des scripts du portail ##
		334	##################################################################
		335	init ()
		336	{
527	richard	337	if [ "$mode" != "update" ]
302	richard	338	then
		339	# On affecte le nom d'organisme
597	richard	340	header_install
302	richard	341	ORGANISME=!
		342	PTN='^[a-zA-Z0-9-]*$'
580	richard	343	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	344	do
595	richard	345	if [ $Lang == "fr" ]
597	richard	346	then echo -n "Entrez le nom de votre organisme : "
		347	else echo -n "Enter the name of your organism : "
595	richard	348	fi
330	franck	349	read ORGANISME
613	richard	350	if [ "$ORGANISME" == "" ]
330	franck	351	then
		352	ORGANISME=!
		353	fi
		354	done
302	richard	355	fi
1	root	356	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	357	rm -f $PASSWD_FILE
1350	richard	358	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		359	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	360	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	361	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	362	$SED "/^password.*/d" /boot/grub/menu.lst
		363	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	364	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	365	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	366	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	367	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	368	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	369	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	370	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	371	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		372	echo "$secretuam" >> $PASSWD_FILE
1350	richard	373	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	374	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		375	echo "$secretradius" >> $PASSWD_FILE
		376	chmod 640 $PASSWD_FILE
977	richard	377	# Scripts and conf files copy
		378	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	379	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	380	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	381	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	382	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	383	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	384	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		385	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	386	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		387	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	388	# generate central conf file
		389	cat <<EOF > $CONF_FILE
612	richard	390	##########################################
		391	## ##
		392	## ALCASAR Parameters ##
		393	## ##
		394	##########################################
1	root	395
612	richard	396	INSTALL_DATE=$DATE
		397	VERSION=$VERSION
		398	ORGANISM=$ORGANISME
923	franck	399	DOMAIN=$DOMAIN
612	richard	400	EOF
628	richard	401	chmod o-rwx $CONF_FILE
1	root	402	} # End of init ()
		403
		404	##################################################################
1221	richard	405	## Function "network" ##
1	root	406	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	407	## - Nommage DNS du système ##
1336	richard	408	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	409	## - Modification du fichier /etc/hosts ##
		410	## - Configuration du serveur de temps (NTP) ##
		411	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		412	##################################################################
		413	network ()
		414	{
		415	header_install
636	richard	416	if [ "$mode" != "update" ]
		417	then
		418	if [ $Lang == "fr" ]
		419	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		420	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		421	fi
		422	response=0
		423	PTN='^[oOyYnN]$'
		424	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	425	do
595	richard	426	if [ $Lang == "fr" ]
659	richard	427	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	428	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	429	fi
1	root	430	read response
		431	done
636	richard	432	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		433	then
		434	PRIVATE_IP_MASK="0"
		435	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		436	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	437	do
595	richard	438	if [ $Lang == "fr" ]
597	richard	439	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		440	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	441	fi
597	richard	442	read PRIVATE_IP_MASK
1	root	443	done
636	richard	444	else
		445	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		446	fi
595	richard	447	else
637	richard	448	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		449	rm -rf conf/etc/alcasar.conf
1	root	450	fi
861	richard	451	# Define LAN side global parameters
1243	richard	452	hostname $HOSTNAME.$DOMAIN
		453	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	454	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	455	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	456	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	457	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	458	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	459	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		460	then
		461	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
		462	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
		463	fi
		464	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		465	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	466	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	467	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	468	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		469	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	470	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		471	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	472	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1578	richard	473	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF
841	richard	474	# Define Internet parameters
1499	richard	475	DNS1=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|head -n 1` # 1st DNS server
		476	nb_dns=`grep ^nameserver /etc/resolv.conf\|wc -l`
		477	if [ $nb_dns == 2 ]
		478	then
		479	DNS2=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|tail -n 1` # 2nd DNS server (if exist)
		480	fi
70	franck	481	DNS1=${DNS1:=208.67.220.220}
		482	DNS2=${DNS2:=208.67.222.222}
1499	richard	483	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	484	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	485	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1499	richard	486	# Wrtie the conf file
1469	richard	487	echo "EXTIF=$EXTIF" >> $CONF_FILE
		488	echo "INTIF=$INTIF" >> $CONF_FILE
1499	richard	489	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # IP setting (static or dynamic)
		490	if [ $IP_SETTING == "dhcp" ]
		491	then
		492	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
1585	richard	493	echo "GW=dhcp" >> $CONF_FILE
		494	echo "DNS1=dhcp" >> $CONF_FILE
		495	echo "DNS2=dhcp" >> $CONF_FILE
1499	richard	496	else
		497	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
1585	richard	498	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		499	echo "DNS1=$DNS1" >> $CONF_FILE
		500	echo "DNS2=$DNS2" >> $CONF_FILE
1499	richard	501	fi
994	franck	502	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	503	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	504	echo "DHCP=on" >> $CONF_FILE
914	franck	505	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		506	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		507	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1488	richard	508	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1499	richard	509	# network default
597	richard	510	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	511	cat <<EOF > /etc/sysconfig/network
		512	NETWORKING=yes
1243	richard	513	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	514	FORWARD_IPV4=true
		515	EOF
1499	richard	516	# /etc/hosts config
1	root	517	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		518	cat <<EOF > /etc/hosts
503	richard	519	127.0.0.1 localhost
1353	richard	520	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	521	EOF
1499	richard	522	# EXTIF (Internet) config
		523	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		524	if [ $IP_SETTING == "dhcp" ]
		525	then
		526	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	527	DEVICE=$EXTIF
1585	richard	528	BOOTPROTO=dhcp
		529	DNS1=127.0.0.1
		530	PEERDNS=no
		531	RESOLV_MODS=yes
		532	ONBOOT=yes
		533	METRIC=10
		534	MII_NOT_SUPPORTED=yes
		535	IPV6INIT=no
		536	IPV6TO4INIT=no
		537	ACCOUNTING=no
		538	USERCTL=no
		539	MTU=$MTU
		540	EOF
		541	else
		542	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		543	DEVICE=$EXTIF
14	richard	544	BOOTPROTO=static
597	richard	545	IPADDR=$PUBLIC_IP
		546	NETMASK=$PUBLIC_NETMASK
		547	GATEWAY=$PUBLIC_GATEWAY
14	richard	548	DNS1=127.0.0.1
1499	richard	549	RESOLV_MODS=yes
14	richard	550	ONBOOT=yes
		551	METRIC=10
		552	MII_NOT_SUPPORTED=yes
		553	IPV6INIT=no
		554	IPV6TO4INIT=no
		555	ACCOUNTING=no
		556	USERCTL=no
994	franck	557	MTU=$MTU
14	richard	558	EOF
1499	richard	559	fi
1336	richard	560	# Config INTIF (consultation LAN) in normal mode
841	richard	561	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		562	DEVICE=$INTIF
		563	BOOTPROTO=static
		564	ONBOOT=yes
		565	NOZEROCONF=yes
		566	MII_NOT_SUPPORTED=yes
		567	IPV6INIT=no
		568	IPV6TO4INIT=no
		569	ACCOUNTING=no
		570	USERCTL=no
		571	EOF
1558	richard	572	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1336	richard	573	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
1554	richard	574	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
1	root	575	DEVICE=$INTIF
		576	BOOTPROTO=static
		577	IPADDR=$PRIVATE_IP
604	richard	578	NETMASK=$PRIVATE_NETMASK
1	root	579	ONBOOT=yes
		580	METRIC=10
		581	NOZEROCONF=yes
		582	MII_NOT_SUPPORTED=yes
14	richard	583	IPV6INIT=no
		584	IPV6TO4INIT=no
		585	ACCOUNTING=no
		586	USERCTL=no
1	root	587	EOF
440	franck	588	# Mise à l'heure du serveur
		589	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		590	cat <<EOF > /etc/ntp/step-tickers
455	franck	591	0.fr.pool.ntp.org # adapt to your country
		592	1.fr.pool.ntp.org
		593	2.fr.pool.ntp.org
440	franck	594	EOF
		595	# Configuration du serveur de temps (sur lui même)
1	root	596	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		597	cat <<EOF > /etc/ntp.conf
456	franck	598	server 0.fr.pool.ntp.org # adapt to your country
447	franck	599	server 1.fr.pool.ntp.org
		600	server 2.fr.pool.ntp.org
		601	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	602	fudge 127.127.1.0 stratum 10
604	richard	603	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	604	restrict 127.0.0.1
310	richard	605	driftfile /var/lib/ntp/drift
1	root	606	logfile /var/log/ntp.log
		607	EOF
440	franck	608
310	richard	609	chown -R ntp:ntp /var/lib/ntp
1	root	610	# Renseignement des fichiers hosts.allow et hosts.deny
		611	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		612	cat <<EOF > /etc/hosts.allow
		613	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	614	sshd: ALL
1	root	615	ntpd: $PRIVATE_NETWORK_SHORT
		616	EOF
		617	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		618	cat <<EOF > /etc/hosts.deny
		619	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		620	EOF
790	richard	621	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	622	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	623	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	624	# load conntrack ftp module
		625	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		626	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	627	# load ipt_NETFLOW module
		628	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	629	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
		630	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		631	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		632	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
1515	richard	633	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
1157	stephane	634	#
860	richard	635	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	636	} # End of network ()
		637
		638	##################################################################
1221	richard	639	## Function "ACC" ##
		640	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	641	## - configuration du serveur web (Apache) ##
		642	## - définition du 1er comptes de gestion ##
		643	## - sécurisation des accès ##
		644	##################################################################
1221	richard	645	ACC ()
1	root	646	{
		647	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		648	mkdir $DIR_WEB
		649	# Copie et configuration des fichiers du centre de gestion
316	richard	650	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	651	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	652	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		653	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		654	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		655	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		656	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	657	chown -R apache:apache $DIR_WEB/*
1489	richard	658	# create the backup structure :
		659	# - base = users database
		660	# - archive = tarball of "base + http firewall + netflow"
		661	# - security = watchdog disconnection)
1564	richard	662	for i in base archive security;
1	root	663	do
		664	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		665	done
5	franck	666	chown -R root:apache $DIR_SAVE
71	richard	667	# Configuration et sécurisation php
		668	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	669	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		670	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	671	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		672	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	673	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		674	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		675	# Configuration et sécurisation Apache
790	richard	676	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	677	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	678	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	679	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1532	richard	680	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
		681	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
		682	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
		683	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] \|\| cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
		684	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
		685	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
		686	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
		687	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
		688	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
		689	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
1359	richard	690	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		691	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
1532	richard	692	# Error page management
1534	richard	693	[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] \|\| cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
		694	cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
1532	richard	695	Alias /error/ "/var/www/html/"
		696	<Directory "/usr/share/httpd/error">
		697	AllowOverride None
		698	Options IncludesNoExec
		699	AddOutputFilter Includes html
		700	AddHandler type-map var
		701	Require all granted
		702	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		703	ForceLanguagePriority Prefer Fallback
		704	</Directory>
		705	ErrorDocument 400 /error/error.php?error=400
		706	ErrorDocument 401 /error/error.php?error=401
		707	ErrorDocument 403 /error/error.php?error=403
		708	ErrorDocument 404 /error/error.php?error=404
		709	ErrorDocument 405 /error/error.php?error=405
		710	ErrorDocument 408 /error/error.php?error=408
		711	ErrorDocument 410 /error/error.php?error=410
		712	ErrorDocument 411 /error/error.php?error=411
		713	ErrorDocument 412 /error/error.php?error=412
		714	ErrorDocument 413 /error/error.php?error=413
		715	ErrorDocument 414 /error/error.php?error=414
		716	ErrorDocument 415 /error/error.php?error=415
		717	ErrorDocument 500 /error/error.php?error=500
		718	ErrorDocument 501 /error/error.php?error=501
		719	ErrorDocument 502 /error/error.php?error=502
		720	ErrorDocument 503 /error/error.php?error=503
		721	ErrorDocument 506 /error/error.php?error=506
		722	EOF
1359	richard	723	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		724	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		725	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		726	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	727	</body>
		728	</html>
		729	EOF
		730	# Définition du premier compte lié au profil 'admin'
509	richard	731	header_install
510	richard	732	if [ "$mode" = "install" ]
		733	then
613	richard	734	admin_portal=!
		735	PTN='^[a-zA-Z0-9-]*$'
		736	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		737	do
		738	header_install
		739	if [ $Lang == "fr" ]
		740	then
		741	echo ""
		742	echo "Définissez un premier compte d'administration du portail :"
		743	echo
		744	echo -n "Nom : "
		745	else
		746	echo ""
		747	echo "Define the first account allow to administrate the portal :"
		748	echo
		749	echo -n "Account : "
		750	fi
		751	read admin_portal
		752	if [ "$admin_portal" == "" ]
		753	then
		754	admin_portal=!
		755	fi
		756	done
1268	richard	757	# Creation of keys file for the admin account ("admin")
510	richard	758	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		759	mkdir -p $DIR_DEST_ETC/digest
		760	chmod 755 $DIR_DEST_ETC/digest
		761	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		762	do
1350	richard	763	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	764	done
		765	$DIR_DEST_SBIN/alcasar-profil.sh --list
		766	fi
434	richard	767	# synchronisation horaire
		768	ntpd -q -g &
1	root	769	# Sécurisation du centre
988	franck	770	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	771	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	772	<Directory $DIR_ACC>
1	root	773	SSLRequireSSL
		774	AllowOverride None
		775	Order deny,allow
		776	Deny from all
		777	Allow from 127.0.0.1
		778	Allow from $PRIVATE_NETWORK_MASK
990	franck	779	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	780	require valid-user
		781	AuthType digest
1243	richard	782	AuthName $HOSTNAME.$DOMAIN
1	root	783	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	784	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	785	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	786	</Directory>
316	richard	787	<Directory $DIR_ACC/admin>
1	root	788	SSLRequireSSL
		789	AllowOverride None
		790	Order deny,allow
		791	Deny from all
		792	Allow from 127.0.0.1
		793	Allow from $PRIVATE_NETWORK_MASK
990	franck	794	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	795	require valid-user
		796	AuthType digest
1243	richard	797	AuthName $HOSTNAME.$DOMAIN
1	root	798	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	799	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	800	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	801	</Directory>
344	richard	802	<Directory $DIR_ACC/manager>
1	root	803	SSLRequireSSL
		804	AllowOverride None
		805	Order deny,allow
		806	Deny from all
		807	Allow from 127.0.0.1
		808	Allow from $PRIVATE_NETWORK_MASK
990	franck	809	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	810	require valid-user
		811	AuthType digest
1243	richard	812	AuthName $HOSTNAME.$DOMAIN
1	root	813	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	814	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	815	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	816	</Directory>
316	richard	817	<Directory $DIR_ACC/backup>
		818	SSLRequireSSL
		819	AllowOverride None
		820	Order deny,allow
		821	Deny from all
		822	Allow from 127.0.0.1
		823	Allow from $PRIVATE_NETWORK_MASK
990	franck	824	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	825	require valid-user
		826	AuthType digest
1243	richard	827	AuthName $HOSTNAME.$DOMAIN
316	richard	828	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	829	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	830	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	831	</Directory>
811	richard	832	Alias /save/ "$DIR_SAVE/"
		833	<Directory $DIR_SAVE>
		834	SSLRequireSSL
		835	Options Indexes
		836	Order deny,allow
		837	Deny from all
		838	Allow from 127.0.0.1
		839	Allow from $PRIVATE_NETWORK_MASK
990	franck	840	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	841	require valid-user
		842	AuthType digest
1243	richard	843	AuthName $HOSTNAME.$DOMAIN
811	richard	844	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	845	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	846	</Directory>
1	root	847	EOF
1378	richard	848	# Launch after coova
		849	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1389	richard	850	} # End of ACC ()
1	root	851
		852	##########################################################################################
1221	richard	853	## Fonction "CA" ##
1	root	854	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		855	##########################################################################################
1221	richard	856	CA ()
1	root	857	{
510	richard	858	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	859	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	860	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	861	cat <<EOF > $FIC_VIRTUAL_SSL
		862	# default SSL virtual host, used for all HTTPS requests that do not
		863	# match a ServerName or ServerAlias in any <VirtualHost> block.
		864
		865	<VirtualHost _default_:443>
		866	# general configuration
		867	ServerAdmin root@localhost
		868	ServerName localhost
		869
		870	# SSL configuration
		871	SSLEngine on
		872	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		873	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		874	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		875	CustomLog logs/ssl_request_log \
		876	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		877	ErrorLog logs/ssl_error_log
		878	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		879	</VirtualHost>
		880	EOF
		881
5	franck	882	chown -R root:apache /etc/pki
1	root	883	chmod -R 750 /etc/pki
1389	richard	884	} # End of CA ()
1	root	885
		886	##########################################################################################
1221	richard	887	## Fonction "init_db" ##
1	root	888	## - Initialisation de la base Mysql ##
		889	## - Affectation du mot de passe de l'administrateur (root) ##
		890	## - Suppression des bases et des utilisateurs superflus ##
		891	## - Création de la base 'radius' ##
		892	## - Installation du schéma de cette base ##
		893	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		894	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		895	##########################################################################################
		896	init_db ()
		897	{
1355	richard	898	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	899	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		900	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	901	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1574	richard	902	/usr/bin/systemctl start mysqld.service
1	root	903	sleep 4
		904	mysqladmin -u root password $mysqlpwd
		905	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	906	# Secure the server
		907	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		908	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	909	# Create 'radius' database
1317	richard	910	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	911	# Add an empty radius database structure
364	franck	912	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	913	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	914	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1515	richard	915	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		916	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1574	richard	917	/usr/bin/systemctl daemon-reload
1389	richard	918	} # End of init_db ()
1	root	919
		920	##########################################################################
1389	richard	921	## Fonction "radius" ##
1	root	922	## - Paramètrage des fichiers de configuration FreeRadius ##
		923	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		924	## - Modification de fichier de conf pour l'accès à Mysql ##
		925	##########################################################################
1389	richard	926	radius ()
1	root	927	{
		928	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		929	chown -R radius:radius /etc/raddb
		930	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	931	# Set radius.conf parameters
1	root	932	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		933	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		934	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	935	# remove the proxy function
1	root	936	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		937	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	938	# remove EAP module
654	richard	939	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	940	# listen on loopback (should be modified later if EAP enabled)
1	root	941	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	942	# enable the SQL module (and SQL counter)
1	root	943	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		944	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		945	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	946	# only include modules for ALCASAR needs
		947	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		948	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		949	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		950	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		951	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		952	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	953	# remvove virtual server and copy our conf file
1	root	954	rm -f /etc/raddb/sites-enabled/*
1278	richard	955	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	956	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		957	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		958	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		959	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	960	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	961	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	962	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	963	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		964	cat << EOF > /etc/raddb/clients.conf
		965	client 127.0.0.1 {
		966	secret = $secretradius
		967	shortname = localhost
		968	}
		969	EOF
1278	richard	970	# sql.conf modification
1	root	971	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		972	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		973	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		974	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		975	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	976	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	977	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	978	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		979	# counter.conf modification (change the Max-All-Session-Time counter)
		980	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		981	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		982	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	983	# make certain that mysql is up before radius start
		984	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		985	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1574	richard	986	/usr/bin/systemctl daemon-reload
1389	richard	987	} # End radius ()
1	root	988
		989	##########################################################################
1389	richard	990	## Function "radius_web" ##
1	root	991	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		992	## - Création du lien vers la page de changement de mot de passe ##
		993	##########################################################################
1389	richard	994	radius_web ()
1	root	995	{
		996	# copie de l'interface d'origine dans la structure Alcasar
316	richard	997	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		998	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		999	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	1000	# copie des fichiers modifiés
		1001	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	1002	chown -R apache:apache $DIR_ACC/manager/
344	richard	1003	# Modification des fichiers de configuration
1	root	1004	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	1005	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	1006	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		1007	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		1008	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		1009	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		1010	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		1011	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		1012	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	1013	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	1014	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	1015	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	1016	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	1017	nas1_name: alcasar-$ORGANISME
1	root	1018	nas1_model: Portail captif
		1019	nas1_ip: $PRIVATE_IP
		1020	nas1_port_num: 0
		1021	nas1_community: public
		1022	EOF
		1023	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		1024	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	1025	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	1026	# Ajout du mappage des attributs chillispot
		1027	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	1028	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	1029	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	1030	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	1031	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		1032	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	1033	chown -R apache:apache /etc/freeradius-web
1	root	1034	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		1035	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	1036	<Directory $DIR_WEB/pass>
1	root	1037	SSLRequireSSL
		1038	AllowOverride None
		1039	Order deny,allow
		1040	Deny from all
		1041	Allow from 127.0.0.1
		1042	Allow from $PRIVATE_NETWORK_MASK
1243	richard	1043	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	1044	</Directory>
		1045	EOF
1389	richard	1046	} # End of radius_web ()
1	root	1047
799	richard	1048	##################################################################################
1389	richard	1049	## Fonction "chilli" ##
799	richard	1050	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		1051	## - Paramètrage de la page d'authentification (intercept.php) ##
		1052	##################################################################################
1389	richard	1053	chilli ()
1	root	1054	{
1370	richard	1055	# chilli unit for systemd
		1056	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1057	# This file is part of systemd.
		1058	#
		1059	# systemd is free software; you can redistribute it and/or modify it
		1060	# under the terms of the GNU General Public License as published by
		1061	# the Free Software Foundation; either version 2 of the License, or
		1062	# (at your option) any later version.
1370	richard	1063	[Unit]
		1064	Description=chilli is a captive portal daemon
		1065	After=network.target
		1066
		1067	[Service]
1379	richard	1068	Type=forking
1370	richard	1069	ExecStart=/usr/libexec/chilli start
		1070	ExecStop=/usr/libexec/chilli stop
		1071	ExecReload=/usr/libexec/chilli reload
		1072	PIDFile=/var/run/chilli.pid
		1073
		1074	[Install]
		1075	WantedBy=multi-user.target
		1076	EOF
799	richard	1077	# init file creation
1370	richard	1078	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1079	cat <<EOF > /usr/libexec/chilli
799	richard	1080	#!/bin/sh
		1081	#
		1082	# chilli CoovaChilli init
		1083	#
		1084	# chkconfig: 2345 65 35
		1085	# description: CoovaChilli
		1086	### BEGIN INIT INFO
		1087	# Provides: chilli
		1088	# Required-Start: network
		1089	# Should-Start:
		1090	# Required-Stop: network
		1091	# Should-Stop:
		1092	# Default-Start: 2 3 5
		1093	# Default-Stop:
		1094	# Description: CoovaChilli access controller
		1095	### END INIT INFO
		1096
		1097	[ -f /usr/sbin/chilli ] \|\| exit 0
		1098	. /etc/init.d/functions
		1099	CONFIG=/etc/chilli.conf
		1100	pidfile=/var/run/chilli.pid
		1101	[ -f \$CONFIG ] \|\| {
		1102	echo "\$CONFIG Not found"
		1103	exit 0
		1104	}
		1105	RETVAL=0
		1106	prog="chilli"
		1107	case \$1 in
		1108	start)
		1109	if [ -f \$pidfile ] ; then
		1110	gprintf "chilli is already running"
		1111	else
		1112	gprintf "Starting \$prog: "
		1113	rm -f /var/run/chilli* # cleaning
		1114	/sbin/modprobe tun >/dev/null 2>&1
		1115	echo 1 > /proc/sys/net/ipv4/ip_forward
		1116	[ -e /dev/net/tun ] \|\| {
		1117	(cd /dev;
		1118	mkdir net;
		1119	cd net;
		1120	mknod tun c 10 200)
		1121	}
1336	richard	1122	ifconfig $INTIF 0.0.0.0
1576	richard	1123	/usr/sbin/ethtool -K $INTIF gro off
799	richard	1124	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1125	RETVAL=$?
		1126	fi
		1127	;;
		1128
		1129	reload)
		1130	killall -HUP chilli
		1131	;;
		1132
		1133	restart)
		1134	\$0 stop
		1135	sleep 2
		1136	\$0 start
		1137	;;
		1138
		1139	status)
		1140	status chilli
		1141	RETVAL=0
		1142	;;
		1143
		1144	stop)
		1145	if [ -f \$pidfile ] ; then
		1146	gprintf "Shutting down \$prog: "
		1147	killproc /usr/sbin/chilli
		1148	RETVAL=\$?
		1149	[ \$RETVAL = 0 ] && rm -f $pidfile
		1150	else
		1151	gprintf "chilli is not running"
		1152	fi
		1153	;;
		1154
		1155	*)
		1156	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1157	exit 1
		1158	esac
		1159	echo
		1160	EOF
1373	richard	1161	chmod a+x /usr/libexec/chilli
799	richard	1162	# conf file creation
346	richard	1163	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1164	cat <<EOF > /etc/chilli.conf
		1165	# coova config for ALCASAR
		1166	cmdsocket /var/run/chilli.sock
1336	richard	1167	unixipc chilli.$INTIF.ipc
1551	richard	1168	pidfile /var/run/chilli.pid
346	richard	1169	net $PRIVATE_NETWORK_MASK
595	richard	1170	dhcpif $INTIF
841	richard	1171	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1172	#nodynip
865	richard	1173	#statip
		1174	dynip $PRIVATE_NETWORK_MASK
1249	richard	1175	domain $DOMAIN
355	richard	1176	dns1 $PRIVATE_IP
		1177	dns2 $PRIVATE_IP
346	richard	1178	uamlisten $PRIVATE_IP
503	richard	1179	uamport 3990
837	richard	1180	macauth
		1181	macpasswd password
1243	richard	1182	locationname $HOSTNAME.$DOMAIN
346	richard	1183	radiusserver1 127.0.0.1
		1184	radiusserver2 127.0.0.1
		1185	radiussecret $secretradius
		1186	radiusauthport 1812
		1187	radiusacctport 1813
1243	richard	1188	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1189	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1190	uamsecret $secretuam
1249	richard	1191	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1192	coaport 3799
1379	richard	1193	conup $DIR_DEST_BIN/alcasar-conup.sh
		1194	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1195	include $DIR_DEST_ETC/alcasar-uamallowed
		1196	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1197	#dhcpgateway
1157	stephane	1198	#dhcprelayagent
		1199	#dhcpgatewayport
346	richard	1200	EOF
1336	richard	1201	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1202	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1203	# create files for trusted domains and urls
1148	crox53	1204	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1205	chown root:apache $DIR_DEST_ETC/alcasar-*
		1206	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1207	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1208	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1209	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1210	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1211	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1212	if [ "$chilli_exist" == "1" ]
		1213	then
		1214	userdel -r chilli 2>/dev/null
		1215	fi
		1216	groupadd -f chilli
		1217	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1218	} # End of chilli ()
1349	richard	1219
1	root	1220	##################################################################
1389	richard	1221	## Fonction "dansguardian" ##
1	root	1222	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1223	##################################################################
1389	richard	1224	dansguardian ()
1	root	1225	{
		1226	mkdir /var/dansguardian
		1227	chown dansguardian /var/dansguardian
1375	richard	1228	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1229	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1230	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1231	# By default the filter is off
1556	richard	1232	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1293	richard	1233	# French deny HTML page
497	richard	1234	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1235	# Listen only on LAN side
497	richard	1236	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1237	# DG send its flow to HAVP
		1238	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1239	# replace the default deny HTML page
1	root	1240	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1241	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1242	# Don't log
		1243	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1244	# Run 10 daemons (20 in largest server)
659	richard	1245	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1246	# on désactive par défaut le controle de contenu des pages html
497	richard	1247	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1248	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1249	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1250	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1251	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1252	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1253	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1254	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1255	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1256	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1257	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1258	touch $DIR_DG/lists/bannedextensionlist
		1259	touch $DIR_DG/lists/bannedmimetypelist
		1260	# 'Safesearch' regex actualisation
498	richard	1261	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1262	# empty LAN IP list that won't be WEB filtered
		1263	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1264	touch $DIR_DG/lists/exceptioniplist
		1265	# Keep a copy of URL & domain filter configuration files
		1266	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1267	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1268	} # End of dansguardian ()
1	root	1269
71	richard	1270	##################################################################
1221	richard	1271	## Fonction "antivirus" ##
1357	richard	1272	## - configuration of havp, libclamav and freshclam ##
71	richard	1273	##################################################################
		1274	antivirus ()
		1275	{
1358	richard	1276	# create 'havp' user
288	richard	1277	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1278	if [ "$havp_exist" == "1" ]
288	richard	1279	then
478	richard	1280	userdel -r havp 2>/dev/null
894	richard	1281	groupdel havp 2>/dev/null
288	richard	1282	fi
307	richard	1283	groupadd -f havp
1486	richard	1284	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366	richard	1285	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1286	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1287	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1288	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1289	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1290	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1291	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1292	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1293	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1294	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1295	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1296	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1297	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1298	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1299	# skip checking of youtube flow (too heavy load / risk too low)
		1300	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1301	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1302	echo ".youtube.com/" >> /etc/havp/whitelist
1544	richard	1303	# adapt init script and systemd unit
335	richard	1304	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1305	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1547	richard	1306	[ -e /lib/systemd/system/havp.service.default ] \|\| cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
		1307	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1544	richard	1308	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1358	richard	1309	# replace of the intercept page (template)
340	richard	1310	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1311	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1312	# update virus database every 4 hours (24h/6)
1357	richard	1313	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1314	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1315	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1316	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1317	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1318	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1319	# update now
1382	richard	1320	/usr/bin/freshclam --no-warnings
1389	richard	1321	} # End of antivirus ()
71	richard	1322
1486	richard	1323	##########################################################################
		1324	## Fonction "tinyproxy" ##
		1325	## - configuration of tinyproxy (proxy between filterde users and havp) ##
		1326	##########################################################################
1485	richard	1327	tinyproxy ()
		1328	{
1486	richard	1329	tinyproxy_exist=`grep tinyproxy /etc/passwd\|wc -l`
		1330	if [ "$tinyproxy_exist" == "1" ]
		1331	then
		1332	userdel -r tinyproxy 2>/dev/null
		1333	groupdel tinyproxy 2>/dev/null
		1334	fi
		1335	groupadd -f tinyproxy
1488	richard	1336	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1518	richard	1337	mkdir -p var/run/tinyproxy /var/log/tinyproxy
1517	richard	1338	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
1486	richard	1339	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1340	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1341	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1342	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1343	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1344	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1345	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1346	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1347	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1348	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1544	richard	1349	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
1509	richard	1350	# Create the systemd unit
		1351	cat << EOF > /lib/systemd/system/tinyproxy.service
		1352	# This file is part of systemd.
		1353	#
		1354	# systemd is free software; you can redistribute it and/or modify it
		1355	# under the terms of the GNU General Public License as published by
		1356	# the Free Software Foundation; either version 2 of the License, or
		1357	# (at your option) any later version.
1485	richard	1358
1509	richard	1359	# This unit launches tinyproxy (a very light proxy).
1518	richard	1360	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1361	[Unit]
		1362	Description=Tinyproxy Web Proxy Server
		1363	After=network.target iptables.service
		1364
		1365	[Service]
		1366	Type=forking
1518	richard	1367	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1368	ExecStartPre=/bin/sleep 2
		1369	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1370	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1371
		1372	[Install]
		1373	WantedBy=multi-user.target
		1374	EOF
		1375
1485	richard	1376	} # end of tinyproxy
1	root	1377	##################################################################################
1389	richard	1378	## function "ulogd" ##
476	richard	1379	## - Ulog config for multi-log files ##
		1380	##################################################################################
1389	richard	1381	ulogd ()
476	richard	1382	{
		1383	# Three instances of ulogd (three different logfiles)
		1384	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1385	nl=1
1358	richard	1386	for log_type in traceability ssh ext-access
478	richard	1387	do
1365	richard	1388	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1389	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1390	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1554	richard	1391	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1392	if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
478	richard	1393	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1394	[emu1]
478	richard	1395	file="/var/log/firewall/$log_type.log"
		1396	sync=1
		1397	EOF
1452	richard	1398	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1399	nl=`expr $nl + 1`
		1400	done
476	richard	1401	chown -R root:apache /var/log/firewall
		1402	chmod 750 /var/log/firewall
		1403	chmod 640 /var/log/firewall/*
1389	richard	1404	} # End of ulogd ()
476	richard	1405
1159	crox53	1406
		1407	##########################################################
1389	richard	1408	## Function "nfsen" ##
1567	richard	1409	## - install the nfsen grapher ##
		1410	## - install the two plugins porttracker & surfmap ##
1159	crox53	1411	##########################################################
1389	richard	1412	nfsen()
1	root	1413	{
1569	richard	1414	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1365	richard	1415	# Add PortTracker plugin
1534	richard	1416	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1395	richard	1417	do
1536	richard	1418	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1395	richard	1419	done
1569	richard	1420	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1365	richard	1421	# use of our conf file and init unit
1569	richard	1422	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1570	richard	1423	# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1221	richard	1424	DirTmp=$(pwd)
1569	richard	1425	cd /tmp/nfsen-1.3.7/
1570	richard	1426	/usr/bin/perl install.pl etc/nfsen.conf
		1427	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1365	richard	1428	# Create RRD DB for porttracker (only in it still doesn't exist)
1570	richard	1429	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1430	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1395	richard	1431	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1432	chmod -R 770 /var/log/netflow/porttracker
1372	richard	1433	# nfsen unit for systemd
		1434	cat << EOF > /lib/systemd/system/nfsen.service
		1435	# This file is part of systemd.
		1436	#
		1437	# systemd is free software; you can redistribute it and/or modify it
		1438	# under the terms of the GNU General Public License as published by
		1439	# the Free Software Foundation; either version 2 of the License, or
		1440	# (at your option) any later version.
		1441
		1442	# This unit launches nfsen (a Netflow grapher).
		1443	[Unit]
		1444	Description= NfSen init script
		1445	After=network.target iptables.service
		1446
		1447	[Service]
		1448	Type=oneshot
		1449	RemainAfterExit=yes
1393	richard	1450	PIDFile=/var/run/nfsen/nfsen.pid
		1451	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1452	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1453	ExecStart=/usr/bin/nfsen start
		1454	ExecStop=/usr/bin/nfsen stop
1393	richard	1455	ExecReload=/usr/bin/nfsen restart
1372	richard	1456	TimeoutSec=0
		1457
		1458	[Install]
		1459	WantedBy=multi-user.target
		1460	EOF
1365	richard	1461	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1462	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1463	# expire delay for the profile "live"
1574	richard	1464	/usr/bin/systemctl start nfsen
1393	richard	1465	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1466	# add SURFmap plugin
1509	richard	1467	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1512	richard	1468	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1509	richard	1469	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1512	richard	1470	cd /tmp/
		1471	/usr/bin/sh SURFmap/install.sh
1544	richard	1472	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1365	richard	1473	# clear the installation
1221	richard	1474	cd $DirTmp
1509	richard	1475	rm -rf /tmp/nfsen*
		1476	rm -rf /tmp/SURFmap*
1389	richard	1477	} # End of nfsen ()
1	root	1478
1390	richard	1479	##################################################
1541	richard	1480	## Function "vnstat" ##
		1481	## Initialization of Vnstat and vnstat phpFE ##
		1482	##################################################
		1483	vnstat ()
		1484	{
		1485	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
		1486	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
		1487	[ -e $DIR_ACC/manager/stats/config.php.default ] \|\| cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
		1488	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
		1489	$SED "s?\$iface_title.*?\$iface_title['$EXTIF'] = 'Internet outbound';?g" $DIR_ACC/manager/stats/config.php
		1490	/usr/bin/vnstat -u -i $EXTIF
		1491	} # End of vnstat
		1492	##################################################
1389	richard	1493	## Function "dnsmasq" ##
1390	richard	1494	##################################################
1389	richard	1495	dnsmasq ()
219	jeremy	1496	{
		1497	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1498	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1499	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1500	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1501	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1502	cat << EOF > /etc/dnsmasq.conf
520	richard	1503	# Configuration file for "dnsmasq in forward mode"
1387	richard	1504	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1505	listen-address=$PRIVATE_IP
1390	richard	1506	pid-file=/var/run/dnsmasq.pid
259	richard	1507	listen-address=127.0.0.1
286	richard	1508	no-dhcp-interface=$INTIF
1387	richard	1509	no-dhcp-interface=tun0
		1510	no-dhcp-interface=lo
259	richard	1511	bind-interfaces
		1512	cache-size=256
		1513	domain=$DOMAIN
		1514	domain-needed
		1515	expand-hosts
		1516	bogus-priv
		1517	filterwin2k
		1518	server=$DNS1
		1519	server=$DNS2
1387	richard	1520	# DHCP service is configured. It will be enabled in "bypass" mode
865	richard	1521	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1522	dhcp-option=option:router,$PRIVATE_IP
1482	richard	1523	dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1524
1387	richard	1525	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1526	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1527	EOF
1356	richard	1528	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1529	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1530	# Configuration file for "dnsmasq with blacklist"
1387	richard	1531	# Add Toulouse blacklist domains
1472	richard	1532	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1533	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1534	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1535	listen-address=$PRIVATE_IP
		1536	port=54
		1537	no-dhcp-interface=$INTIF
1387	richard	1538	no-dhcp-interface=tun0
1472	richard	1539	no-dhcp-interface=lo
498	richard	1540	bind-interfaces
		1541	cache-size=256
		1542	domain=$DOMAIN
		1543	domain-needed
		1544	expand-hosts
		1545	bogus-priv
		1546	filterwin2k
		1547	server=$DNS1
		1548	server=$DNS2
		1549	EOF
1379	richard	1550	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1551	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1552	# Configuration file for "dnsmasq with whitelist"
1356	richard	1553	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1554	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1555	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1556	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1557	listen-address=$PRIVATE_IP
		1558	port=55
		1559	no-dhcp-interface=$INTIF
1387	richard	1560	no-dhcp-interface=tun0
1472	richard	1561	no-dhcp-interface=lo
1356	richard	1562	bind-interfaces
		1563	cache-size=256
		1564	domain=$DOMAIN
		1565	domain-needed
		1566	expand-hosts
		1567	bogus-priv
		1568	filterwin2k
1472	richard	1569	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1570	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1571	EOF
1472	richard	1572	# 4th dnsmasq listen on udp 56 ("blackhole")
		1573	cat << EOF > /etc/dnsmasq-blackhole.conf
		1574	# Configuration file for "dnsmasq as a blackhole"
		1575	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1576	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1577	pid-file=/var/run/dnsmasq-blackhole.pid
		1578	listen-address=$PRIVATE_IP
		1579	port=56
		1580	no-dhcp-interface=$INTIF
		1581	no-dhcp-interface=tun0
		1582	no-dhcp-interface=lo
		1583	bind-interfaces
		1584	cache-size=256
		1585	domain=$DOMAIN
		1586	domain-needed
		1587	expand-hosts
		1588	bogus-priv
		1589	filterwin2k
		1590	EOF
		1591
1517	richard	1592	# the main instance should start after network and chilli (which create tun0)
1547	richard	1593	[ -e /lib/systemd/system/dnsmasq.service.default ] \|\| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1517	richard	1594	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1595	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1596	for list in blacklist whitelist blackhole
		1597	do
		1598	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1599	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1600	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1601	done
308	richard	1602	} # End dnsmasq
		1603
		1604	##########################################################
1221	richard	1605	## Fonction "BL" ##
308	richard	1606	##########################################################
		1607	BL ()
		1608	{
1384	richard	1609	# copy and extract toulouse BL
648	richard	1610	rm -rf $DIR_DG/lists/blacklists
		1611	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1612	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1613	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1614	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1615	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1616	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1617	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1618	# creation of file for the rehabilited domains and urls
648	richard	1619	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1620	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1621	touch $DIR_DG/lists/exceptionsitelist
		1622	touch $DIR_DG/lists/exceptionurllist
311	richard	1623	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1624	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1625	# Dansguardian filter config for ALCASAR
		1626	EOF
648	richard	1627	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1628	# Dansguardian domain filter config for ALCASAR
		1629	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1630	#**
		1631	# block all SSL and CONNECT tunnels
		1632	**s
		1633	# block all SSL and CONNECT tunnels specified only as an IP
		1634	*ips
		1635	# block all sites specified only by an IP
		1636	*ip
		1637	EOF
1000	richard	1638	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1639	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1640	# Bing - add 'adlt=strict'
		1641	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1642	# Youtube - add 'edufilter=your_ID'
885	richard	1643	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1644	EOF
1000	richard	1645	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1646	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1647	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1648	if [ "$mode" != "update" ]; then
		1649	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1650	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
654	richard	1651	fi
308	richard	1652	}
219	jeremy	1653
1	root	1654	##########################################################
1221	richard	1655	## Fonction "cron" ##
1	root	1656	## - Mise en place des différents fichiers de cron ##
		1657	##########################################################
		1658	cron ()
		1659	{
		1660	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1661	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1662	cat <<EOF > /etc/crontab
		1663	SHELL=/bin/bash
		1664	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1665	MAILTO=root
		1666	HOME=/
		1667
		1668	# run-parts
		1669	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1670	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1671	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1672	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1673	EOF
		1674	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1675	cat <<EOF >> /etc/anacrontab
667	franck	1676	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1677	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1678	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1679	EOF
1247	crox53	1680
811	richard	1681	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1682	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1683	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1684	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1685	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1686	EOF
952	franck	1687	cat <<EOF > /etc/cron.d/alcasar-archive
		1688	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1689	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1690	EOF
1566	richard	1691	cat << EOF > /etc/cron.d/alcasar-ticket-clean
		1692	# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
		1693	30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
168	franck	1694	EOF
722	franck	1695	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1696	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1697	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1698	EOF
1247	crox53	1699	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1700	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1701	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1702	#EOF
1159	crox53	1703
1	root	1704	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1705	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1706	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1707	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1708	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1709	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1710	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1711	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1712	rm -f /etc/cron.daily/freeradius-web
		1713	rm -f /etc/cron.monthly/freeradius-web
		1714	cat << EOF > /etc/cron.d/freeradius-web
		1715	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1716	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1717	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1718	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1719	EOF
671	franck	1720	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1721	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1722	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1723	EOF
808	franck	1724	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1725	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1726	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1727	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1728	EOF
522	richard	1729	# suppression des crons usagers
		1730	rm -f /var/spool/cron/*
1	root	1731	} # End cron
		1732
		1733	##################################################################
1221	richard	1734	## Fonction "Fail2Ban" ##
1163	crox53	1735	##- Modification de la configuration de fail2ban ##
		1736	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1737	##################################################################
		1738	fail2ban()
		1739	{
1191	crox53	1740	$DIR_CONF/fail2ban.sh
1474	richard	1741	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1742	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1743	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1744	chmod 644 /var/log/fail2ban.log
1489	richard	1745	chmod 644 /var/Save/security/watchdog.log
1418	richard	1746	/usr/bin/touch /var/log/auth.log
1515	richard	1747	# fail2ban unit
		1748	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1749	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1750	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1751	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1163	crox53	1752	} #Fin de fail2ban_install()
		1753
		1754	##################################################################
1376	richard	1755	## Fonction "gammu_smsd" ##
		1756	## - Creation de la base de donnée Gammu ##
		1757	## - Creation du fichier de config: gammu_smsd_conf ##
		1758	## ##
		1759	##################################################################
		1760	gammu_smsd()
		1761	{
		1762	# Create 'gammu' databse
		1763	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1764	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1765	# Add a gammu database structure
		1766	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1767
		1768	# config file for the daemon
		1769	cat << EOF > /etc/gammu_smsd_conf
		1770	[gammu]
		1771	port = /dev/ttyUSB0
		1772	connection = at115200
		1773
		1774	;########################################################
		1775
		1776	[smsd]
		1777
		1778	PIN = 1234
		1779
		1780	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1781	logformat = textall
		1782	debuglevel = 0
		1783
		1784	service = sql
		1785	driver = native_mysql
		1786	user = $DB_USER
		1787	password = $radiuspwd
		1788	pc = localhost
		1789	database = $DB_GAMMU
		1790
		1791	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1792
		1793	StatusFrequency = 30
1380	richard	1794	;LoopSleep = 2
1376	richard	1795
		1796	;ResetFrequency = 300
		1797	;HardResetFrequency = 120
		1798
		1799	CheckSecurity = 1
		1800	CheckSignal = 1
		1801	CheckBattery = 0
		1802	EOF
		1803
		1804	chmod 755 /etc/gammu_smsd_conf
		1805
		1806	#Creation dossier de log Gammu-smsd
1382	richard	1807	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1808	chmod 755 /var/log/gammu-smsd
		1809
		1810	#Edition du script sql gammu <-> radius
1452	richard	1811	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1812	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1813
1380	richard	1814	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1815	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1816	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1817	EOF
		1818
1376	richard	1819	} # END gammu_smsd()
		1820
		1821	##################################################################
1221	richard	1822	## Fonction "post_install" ##
1	root	1823	## - Modification des bannières (locales et ssh) et des prompts ##
		1824	## - Installation de la structure de chiffrement pour root ##
		1825	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1826	## - Mise en place du la rotation des logs ##
5	franck	1827	## - Configuration dans le cas d'une mise à jour ##
1	root	1828	##################################################################
		1829	post_install()
		1830	{
		1831	# création de la bannière locale
1007	richard	1832	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1833	cp -f $DIR_CONF/banner /etc/mageia-release
		1834	echo " V$VERSION" >> /etc/mageia-release
1	root	1835	# création de la bannière SSH
1007	richard	1836	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1837	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1838	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1839	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1840	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1841	# postfix banner anonymisation
		1842	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1843	# sshd écoute côté LAN et WAN
1548	richard	1844	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
860	richard	1845	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1846	echo "SSH=off" >> $CONF_FILE
1063	richard	1847	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1848	echo "QOS=off" >> $CONF_FILE
		1849	echo "LDAP=off" >> $CONF_FILE
786	richard	1850	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1851	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1852	echo "MULTIWAN=off" >> $CONF_FILE
		1853	echo "FAILOVER=30" >> $CONF_FILE
		1854	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1855	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1856	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1857	# Coloration des prompts
		1858	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1859	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1860	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1861	# Droits d'exécution pour utilisateur apache et sysadmin
		1862	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1863	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1864	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1543	richard	1865	# Modify some logrotate files (gammu, ulogd)
1	root	1866	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1867	chmod 644 /etc/logrotate.d/*
714	franck	1868	# rectification sur versions précédentes de la compression des logs
706	franck	1869	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1870	# actualisation des fichiers logs compressés
1342	richard	1871	for dir in firewall dansguardian httpd
706	franck	1872	do
714	franck	1873	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1874	done
1221	richard	1875	# create the alcasar-load_balancing unit
		1876	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1877	# This file is part of systemd.
		1878	#
		1879	# systemd is free software; you can redistribute it and/or modify it
		1880	# under the terms of the GNU General Public License as published by
		1881	# the Free Software Foundation; either version 2 of the License, or
		1882	# (at your option) any later version.
		1883
		1884	# This unit lauches alcasar-load-balancing.sh script.
		1885	[Unit]
		1886	Description=alcasar-load_balancing.sh execution
		1887	After=network.target iptables.service
		1888
		1889	[Service]
		1890	Type=oneshot
		1891	RemainAfterExit=yes
		1892	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1893	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1894	TimeoutSec=0
		1895	SysVStartPriority=99
		1896
		1897	[Install]
		1898	WantedBy=multi-user.target
1157	stephane	1899	EOF
1221	richard	1900	# processes launched at boot time (Systemctl)
1525	franck	1901	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1221	richard	1902	do
1574	richard	1903	/usr/bin/systemctl -q enable $i.service
1221	richard	1904	done
1452	richard	1905
		1906	# disable processes at boot time (Systemctl)
		1907	for i in ulogd
		1908	do
1574	richard	1909	/usr/bin/systemctl -q disable $i.service
1452	richard	1910	done
		1911
1221	richard	1912	# Apply French Security Agency (ANSSI) rules
1362	richard	1913	# ignore ICMP broadcast (smurf attack)
		1914	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1915	# ignore ICMP errors bogus
		1916	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1917	# remove ICMP redirects responces
		1918	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1919	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1920	# enable SYN Cookies (Syn flood attacks)
		1921	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1922	# enable kernel antispoofing
		1923	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1924	# ignore source routing
		1925	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1926	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1927	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1928	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1929	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1930	# remove Magic SysReq Keys
1363	richard	1931	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1932	# switch to multi-users runlevel (instead of x11)
1221	richard	1933	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1934	# GRUB modifications
		1935	# limit wait time to 3s
		1936	# create an alcasar entry instead of linux-nonfb
		1937	# change display to 1024*768 (vga791)
1221	richard	1938	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1939	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1940	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1941	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1942	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1943	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1944	# Remove unused services and users
1502	richard	1945	for svc in sshd
1221	richard	1946	do
1574	richard	1947	/usr/bin/systemctl -q disable $svc.service
1221	richard	1948	done
		1949	# Load and apply the previous conf file
		1950	if [ "$mode" = "update" ]
532	richard	1951	then
1266	richard	1952	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1953	$DIR_DEST_BIN/alcasar-conf.sh --load
		1954	PARENT_SCRIPT=`basename $0`
		1955	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1956	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1957	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1958	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
532	richard	1959	fi
1221	richard	1960	rm -f /tmp/alcasar-conf*
		1961	chown -R root:apache $DIR_DEST_ETC/*
		1962	chmod -R 660 $DIR_DEST_ETC/*
		1963	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1964	# Apply and save the firewall rules
		1965	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1966	sleep 2
1	root	1967	cd $DIR_INSTALL
5	franck	1968	echo ""
1	root	1969	echo "#############################################################################"
638	richard	1970	if [ $Lang == "fr" ]
		1971	then
		1972	echo "# Fin d'installation d'ALCASAR #"
		1973	echo "# #"
		1974	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1975	echo "# des Accès au Réseau ( ALCASAR ) #"
		1976	echo "# #"
		1977	echo "#############################################################################"
		1978	echo
		1979	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1980	echo
		1981	echo "- Lisez attentivement la documentation d'exploitation"
		1982	echo
		1983	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1984	echo
		1985	echo " Appuyez sur 'Entrée' pour continuer"
		1986	else
		1987	echo "# Enf of ALCASAR install process #"
		1988	echo "# #"
		1989	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1990	echo "# des Accès au Réseau ( ALCASAR ) #"
		1991	echo "# #"
		1992	echo "#############################################################################"
		1993	echo
		1994	echo "- The system will be rebooted in order to operate ALCASAR"
		1995	echo
		1996	echo "- Read the exploitation documentation"
		1997	echo
		1998	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1999	echo
		2000	echo " Hit 'Enter' to continue"
		2001	fi
815	richard	2002	sleep 2
		2003	if [ "$mode" != "update" ]
820	richard	2004	then
815	richard	2005	read a
		2006	fi
774	richard	2007	clear
1	root	2008	reboot
		2009	} # End post_install ()
		2010
		2011	#################################
1005	richard	2012	# Main Install loop #
1	root	2013	#################################
832	richard	2014	dir_exec=`dirname "$0"`
		2015	if [ $dir_exec != "." ]
		2016	then
		2017	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		2018	echo "Launch this program from the ALCASAR archive directory"
		2019	exit 0
		2020	fi
		2021	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	2022	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	2023	nb_args=$#
		2024	args=$1
		2025	if [ $nb_args -eq 0 ]
		2026	then
		2027	nb_args=1
		2028	args="-h"
		2029	fi
1062	richard	2030	chmod -R u+x $DIR_SCRIPTS/*
1	root	2031	case $args in
		2032	-\? \| -h* \| --h*)
		2033	echo "$usage"
		2034	exit 0
		2035	;;
291	franck	2036	-i \| --install)
1538	richard	2037	header_install
959	franck	2038	license
1544	richard	2039	header_install
29	richard	2040	testing
595	richard	2041	# RPMs install
		2042	$DIR_SCRIPTS/alcasar-urpmi.sh
		2043	if [ "$?" != "0" ]
1	root	2044	then
595	richard	2045	exit 0
		2046	fi
1249	richard	2047	if [ -e $CONF_FILE ]
595	richard	2048	then
597	richard	2049	# Uninstall the running version
532	richard	2050	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	2051	fi
636	richard	2052	# Test if manual update
1362	richard	2053	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	2054	then
636	richard	2055	header_install
595	richard	2056	if [ $Lang == "fr" ]
636	richard	2057	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		2058	else echo "The configuration file of an old version has been found";
595	richard	2059	fi
597	richard	2060	response=0
		2061	PTN='^[oOnNyY]$'
		2062	until [[ $(expr $response : $PTN) -gt 0 ]]
		2063	do
		2064	if [ $Lang == "fr" ]
		2065	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2066	else echo -n "Do you want to use it (Y/n)?";
		2067	fi
		2068	read response
		2069	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2070	then rm -f /tmp/alcasar-conf*
		2071	fi
		2072	done
		2073	fi
636	richard	2074	# Test if update
1057	richard	2075	if [ -e /tmp/alcasar-conf* ]
597	richard	2076	then
		2077	if [ $Lang == "fr" ]
		2078	then echo "#### Installation avec mise à jour ####";
		2079	else echo "#### Installation with update ####";
		2080	fi
636	richard	2081	# Extract the central configuration file
1057	richard	2082	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2083	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2084	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2085	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2086	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2087	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2088	mode="update"
1	root	2089	fi
1541	richard	2090	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2091	do
		2092	$func
1362	richard	2093	# echo "* 'debug' : end of function $func *"; read a
14	richard	2094	done
5	franck	2095	;;
291	franck	2096	-u \| --uninstall)
5	franck	2097	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2098	then
597	richard	2099	if [ $Lang == "fr" ]
		2100	then echo "ALCASAR n'est pas installé!";
		2101	else echo "ALCASAR isn't installed!";
		2102	fi
1	root	2103	exit 0
		2104	fi
5	franck	2105	response=0
		2106	PTN='^[oOnN]$'
580	richard	2107	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2108	do
597	richard	2109	if [ $Lang == "fr" ]
		2110	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2111	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2112	fi
5	franck	2113	read response
		2114	done
1103	richard	2115	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2116	then
1103	richard	2117	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2118	else
		2119	rm -f /tmp/alcasar-conf*
1	root	2120	fi
597	richard	2121	# Uninstall the running version
65	richard	2122	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2123	;;
		2124	*)
		2125	echo "Argument inconnu :$1";
460	richard	2126	echo "Unknown argument :$1";
1	root	2127	echo "$usage"
		2128	exit 1
		2129	;;
		2130	esac
10	franck	2131	# end of script
366	franck	2132

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1585