WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1684 2015-07-30 12:50:48Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1534	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
		22	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
1	root	23
		24	# Options :
376	franck	25	# -i or --install
		26	# -u or --uninstall
1	root	27
376	franck	28	# Functions :
1378	richard	29	# testing : connectivity tests, free space test and mageia version test
1221	richard	30	# init : Installation of RPM and scripts
		31	# network : Network parameters
		32	# ACC : ALCASAR Control Center installation
		33	# CA : Certification Authority initialization
		34	# init_db : Initilization of radius database managed with MariaDB
1389	richard	35	# radius : FreeRadius initialisation
		36	# radius_web : copy ans modifiy original "freeradius web" in ACC
		37	# chilli : coovachilli initialisation (+authentication page)
		38	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	39	# antivirus : HAVP + libclamav configuration
1485	richard	40	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
1541	richard	44	# vnstat : little network stat daemon
1253	richard	45	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	49	# post_install : Security, log rotation, etc.
1	root	50
		51	DATE=`date '+%d %B %Y - %Hh%M'`
		52	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	53	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	54	mode="install"
1	root	55	# ***** Files parameters - paramètres fichiers *******
1015	richard	56	DIR_INSTALL=`pwd` # current directory
		57	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		58	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
1564	richard	59	DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
1015	richard	60	DIR_WEB="/var/www/html" # directory of APACHE
		61	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		62	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		63	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		64	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		65	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		66	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		67	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		68	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	69	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	70	DB_RADIUS="radius" # database name used by FreeRadius server
		71	DB_USER="radius" # user name allows to request the users database
1349	richard	72	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	73	# ***** Network parameters - paramètres réseau *****
1469	richard	74	HOSTNAME="alcasar" # default hostname
1243	richard	75	DOMAIN="localdomain" # default local domain
1471	richard	76	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1507	richard	77	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF\\|tun0"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	78	MTU="1500"
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
1538	richard	87	then
		88	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		89	else
		90	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	91	fi
1538	richard	92	response=0
		93	PTN='^[oOyYnN]$'
		94	until [[ $(expr $response : $PTN) -gt 0 ]]
		95	do
		96	if [ $Lang == "fr" ]
1563	franck	97	then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
1538	richard	98	else echo -n "Do you accept the terms of this license (Y/n)? : "
		99	fi
		100	read response
		101	done
		102	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		103	then
		104	exit 1
		105	fi
959	franck	106	}
		107
1	root	108	header_install ()
		109	{
		110	clear
		111	echo "-----------------------------------------------------------------------------"
460	richard	112	echo " ALCASAR V$VERSION Installation"
1	root	113	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		114	echo "-----------------------------------------------------------------------------"
1389	richard	115	}
1	root	116
		117	##################################################################
1221	richard	118	## Function "testing" ##
1378	richard	119	## - Test of Mageia version ##
1529	richard	120	## - Test of ALCASAR version (if already installed) ##
1342	richard	121	## - Test of free space on /var (>10G) ##
1005	richard	122	## - Test of Internet access ##
29	richard	123	##################################################################
		124	testing ()
		125	{
1529	richard	126	# Test of Mageia version
		127	# extract the current Mageia version and hardware architecture (i586 ou X64)
		128	fic=`cat /etc/product.id`
		129	unknown_os=0
		130	old="$IFS"
		131	IFS=","
		132	set $fic
		133	for i in $*
		134	do
		135	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		136	then
		137	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		138	unknown_os=`expr $unknown_os + 1`
		139	fi
		140	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		141	then
		142	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		143	unknown_os=`expr $unknown_os + 1`
		144	fi
		145	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		146	then
		147	ARCH=`echo $i\|cut -d"=" -f2`
		148	unknown_os=`expr $unknown_os + 1`
		149	fi
		150	done
		151	IFS="$old"
1362	richard	152	# Test if ALCASAR is already installed
		153	if [ -e $CONF_FILE ]
		154	then
		155	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	156	if [ $Lang == "fr" ]
1362	richard	157	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		158	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	159	fi
1362	richard	160	response=0
		161	PTN='^[oOnNyY]$'
		162	until [[ $(expr $response : $PTN) -gt 0 ]]
		163	do
		164	if [ $Lang == "fr" ]
		165	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		166	else echo -n "Do you want to update (Y/n)?";
		167	fi
		168	read response
		169	done
		170	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		171	then
		172	rm -f /tmp/alcasar-conf*
		173	else
1684	richard	174	# Retrieve former NICname
		175	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
		176	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
1564	richard	177	# Create the current conf file
1362	richard	178	$DIR_SCRIPTS/alcasar-conf.sh --create
		179	mode="update"
		180	fi
1529	richard	181	fi
		182	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "4" ) ]]
		183	then
		184	if [ -e /tmp/alcasar-conf.tar.gz ] # update
1365	richard	185	then
1529	richard	186	echo
1378	richard	187	if [ $Lang == "fr" ]
		188	then
1529	richard	189	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
		190	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
1564	richard	191	echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
1529	richard	192	echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
1378	richard	193	else
		194	echo "The automatic update of ALCASAR can't be performed."
1529	richard	195	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
1564	richard	196	echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
1529	richard	197	echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
1378	richard	198	fi
1529	richard	199	else
		200	if [ $Lang == "fr" ]
		201	then
		202	echo "L'installation d'ALCASAR ne peut pas être réalisée."
		203	else
		204	echo "The installation of ALCASAR can't be performed."
1378	richard	205	fi
		206	fi
1529	richard	207	echo
		208	if [ $Lang == "fr" ]
		209	then
		210	echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
		211	else
		212	echo "The OS must be replaced (Mageia4.1)"
		213	fi
		214	exit 0
1342	richard	215	fi
1529	richard	216	if [ ! -d /var/log/netflow/porttracker ]
		217	then
		218	# Test of free space on /var
		219	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		220	if [ $free_space -lt 10 ]
		221	then
		222	if [ $Lang == "fr" ]
		223	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		224	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		225	fi
		226	exit 0
		227	fi
		228	fi
1378	richard	229	if [ $Lang == "fr" ]
784	richard	230	then echo -n "Tests des paramètres réseau : "
595	richard	231	else echo -n "Network parameters tests : "
		232	fi
1471	richard	233	# Test of Ethernet links state
		234	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		235	for i in $DOWN_IF
		236	do
		237	if [ $Lang == "fr" ]
		238	then
		239	echo "Échec"
		240	echo "Le lien réseau de la carte $i n'est pas actif."
		241	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		242	else
		243	echo "Failed"
		244	echo "The link state of $i interface is down."
		245	echo "Make sure that this network card is connected to a switch or an A.P."
		246	fi
		247	exit 0
		248	done
		249	echo -n "."
		250
		251	# Test EXTIF config files
1499	richard	252	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		253	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
		254	PUBLIC_GATEWAY=`ip route list\|grep ^default\|cut -d" " -f3`
1471	richard	255	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		256	then
784	richard	257	if [ $Lang == "fr" ]
		258	then
		259	echo "Échec"
		260	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		261	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	262	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	263	else
		264	echo "Failed"
		265	echo "The Internet connected network card ($EXTIF) isn't well configured."
		266	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	267	echo "Apply the new configuration 'systemctl restart network'"
784	richard	268	fi
830	richard	269	echo "DEVICE=$EXTIF"
784	richard	270	echo "IPADDR="
		271	echo "NETMASK="
		272	echo "GATEWAY="
		273	echo "DNS1="
		274	echo "DNS2="
830	richard	275	echo "ONBOOT=yes"
784	richard	276	exit 0
		277	fi
		278	echo -n "."
1471	richard	279
		280	# Test if router is alive (Box FAI)
784	richard	281	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	282	if [ $Lang == "fr" ]
		283	then
		284	echo "Échec"
		285	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		286	echo "Réglez ce problème puis relancez ce script."
		287	else
		288	echo "Failed"
		289	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		290	echo "Resolv this problem, then restart this script."
		291	fi
29	richard	292	exit 0
		293	fi
308	richard	294	echo -n "."
978	franck	295	# On teste le lien vers le routeur par defaut
1499	richard	296	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	297	if [ $(expr $arp_reply) -eq 0 ]
308	richard	298	then
595	richard	299	if [ $Lang == "fr" ]
		300	then
		301	echo "Échec"
1499	richard	302	echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	303	echo "Réglez ce problème puis relancez ce script."
		304	else
		305	echo "Failed"
		306	echo "The Internet gateway doesn't answered"
		307	echo "Resolv this problem, then restart this script."
		308	fi
308	richard	309	exit 0
		310	fi
		311	echo -n "."
421	franck	312	# On teste la connectivité Internet
29	richard	313	rm -rf /tmp/con_ok.html
308	richard	314	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	315	if [ ! -e /tmp/con_ok.html ]
		316	then
595	richard	317	if [ $Lang == "fr" ]
		318	then
		319	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		320	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		321	echo "Vérifiez la validité des adresses IP des DNS."
		322	else
		323	echo "The Internet connection try failed (google.fr)."
		324	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		325	echo "Verify the DNS IP addresses"
		326	fi
29	richard	327	exit 0
		328	fi
		329	rm -rf /tmp/con_ok.html
308	richard	330	echo ". : ok"
1389	richard	331	} # end of testing ()
302	richard	332
		333	##################################################################
1221	richard	334	## Function "init" ##
302	richard	335	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		336	## - Installation et modification des scripts du portail ##
		337	##################################################################
		338	init ()
		339	{
527	richard	340	if [ "$mode" != "update" ]
302	richard	341	then
		342	# On affecte le nom d'organisme
597	richard	343	header_install
302	richard	344	ORGANISME=!
		345	PTN='^[a-zA-Z0-9-]*$'
580	richard	346	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	347	do
595	richard	348	if [ $Lang == "fr" ]
597	richard	349	then echo -n "Entrez le nom de votre organisme : "
		350	else echo -n "Enter the name of your organism : "
595	richard	351	fi
330	franck	352	read ORGANISME
613	richard	353	if [ "$ORGANISME" == "" ]
330	franck	354	then
		355	ORGANISME=!
		356	fi
		357	done
302	richard	358	fi
1	root	359	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	360	rm -f $PASSWD_FILE
1350	richard	361	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		362	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	363	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	364	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	365	$SED "/^password.*/d" /boot/grub/menu.lst
		366	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	367	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	368	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	369	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	370	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	371	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	372	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	373	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	374	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		375	echo "$secretuam" >> $PASSWD_FILE
1350	richard	376	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	377	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		378	echo "$secretradius" >> $PASSWD_FILE
		379	chmod 640 $PASSWD_FILE
977	richard	380	# Scripts and conf files copy
		381	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	382	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	383	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	384	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	385	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	386	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	387	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		388	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	389	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		390	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	391	# generate central conf file
		392	cat <<EOF > $CONF_FILE
612	richard	393	##########################################
		394	## ##
		395	## ALCASAR Parameters ##
		396	## ##
		397	##########################################
1	root	398
612	richard	399	INSTALL_DATE=$DATE
		400	VERSION=$VERSION
		401	ORGANISM=$ORGANISME
923	franck	402	DOMAIN=$DOMAIN
612	richard	403	EOF
628	richard	404	chmod o-rwx $CONF_FILE
1	root	405	} # End of init ()
		406
		407	##################################################################
1221	richard	408	## Function "network" ##
1	root	409	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	410	## - Nommage DNS du système ##
1336	richard	411	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	412	## - Modification du fichier /etc/hosts ##
		413	## - Configuration du serveur de temps (NTP) ##
		414	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		415	##################################################################
		416	network ()
		417	{
		418	header_install
636	richard	419	if [ "$mode" != "update" ]
		420	then
		421	if [ $Lang == "fr" ]
		422	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		423	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		424	fi
		425	response=0
		426	PTN='^[oOyYnN]$'
		427	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	428	do
595	richard	429	if [ $Lang == "fr" ]
659	richard	430	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	431	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	432	fi
1	root	433	read response
		434	done
636	richard	435	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		436	then
		437	PRIVATE_IP_MASK="0"
		438	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		439	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	440	do
595	richard	441	if [ $Lang == "fr" ]
597	richard	442	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		443	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	444	fi
597	richard	445	read PRIVATE_IP_MASK
1	root	446	done
636	richard	447	else
		448	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		449	fi
595	richard	450	else
637	richard	451	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		452	rm -rf conf/etc/alcasar.conf
1	root	453	fi
861	richard	454	# Define LAN side global parameters
1243	richard	455	hostname $HOSTNAME.$DOMAIN
		456	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	457	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	458	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	459	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	460	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	461	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	462	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		463	then
		464	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
		465	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
		466	fi
		467	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		468	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	469	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	470	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	471	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		472	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	473	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		474	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	475	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1578	richard	476	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF
841	richard	477	# Define Internet parameters
1613	franck	478	DNS1=`grep ^nameserver /etc/resolv.conf\|awk -F" " '{print $2}'\|head -n 1` # 1st DNS server
1499	richard	479	nb_dns=`grep ^nameserver /etc/resolv.conf\|wc -l`
		480	if [ $nb_dns == 2 ]
		481	then
		482	DNS2=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|tail -n 1` # 2nd DNS server (if exist)
		483	fi
70	franck	484	DNS1=${DNS1:=208.67.220.220}
		485	DNS2=${DNS2:=208.67.222.222}
1499	richard	486	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	487	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	488	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1499	richard	489	# Wrtie the conf file
1469	richard	490	echo "EXTIF=$EXTIF" >> $CONF_FILE
		491	echo "INTIF=$INTIF" >> $CONF_FILE
1499	richard	492	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # IP setting (static or dynamic)
		493	if [ $IP_SETTING == "dhcp" ]
		494	then
		495	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
1585	richard	496	echo "GW=dhcp" >> $CONF_FILE
1499	richard	497	else
		498	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
1585	richard	499	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
1499	richard	500	fi
1587	richard	501	echo "DNS1=$DNS1" >> $CONF_FILE
		502	echo "DNS2=$DNS2" >> $CONF_FILE
994	franck	503	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	504	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	505	echo "DHCP=on" >> $CONF_FILE
914	franck	506	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		507	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		508	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1488	richard	509	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1610	franck	510	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
		511	echo "INT_DNS_IP=none" >> $CONF_FILE
		512	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
1499	richard	513	# network default
597	richard	514	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	515	cat <<EOF > /etc/sysconfig/network
		516	NETWORKING=yes
1243	richard	517	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	518	FORWARD_IPV4=true
		519	EOF
1499	richard	520	# /etc/hosts config
1	root	521	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		522	cat <<EOF > /etc/hosts
503	richard	523	127.0.0.1 localhost
1353	richard	524	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	525	EOF
1499	richard	526	# EXTIF (Internet) config
		527	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		528	if [ $IP_SETTING == "dhcp" ]
		529	then
		530	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	531	DEVICE=$EXTIF
1585	richard	532	BOOTPROTO=dhcp
		533	DNS1=127.0.0.1
		534	PEERDNS=no
		535	RESOLV_MODS=yes
		536	ONBOOT=yes
1613	franck	537	NOZEROCONF=yes
1585	richard	538	METRIC=10
		539	MII_NOT_SUPPORTED=yes
		540	IPV6INIT=no
		541	IPV6TO4INIT=no
		542	ACCOUNTING=no
		543	USERCTL=no
		544	MTU=$MTU
		545	EOF
		546	else
		547	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		548	DEVICE=$EXTIF
14	richard	549	BOOTPROTO=static
597	richard	550	IPADDR=$PUBLIC_IP
		551	NETMASK=$PUBLIC_NETMASK
		552	GATEWAY=$PUBLIC_GATEWAY
14	richard	553	DNS1=127.0.0.1
1499	richard	554	RESOLV_MODS=yes
14	richard	555	ONBOOT=yes
		556	METRIC=10
1610	franck	557	NOZEROCONF=yes
14	richard	558	MII_NOT_SUPPORTED=yes
		559	IPV6INIT=no
		560	IPV6TO4INIT=no
		561	ACCOUNTING=no
		562	USERCTL=no
994	franck	563	MTU=$MTU
14	richard	564	EOF
1499	richard	565	fi
1336	richard	566	# Config INTIF (consultation LAN) in normal mode
841	richard	567	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		568	DEVICE=$INTIF
		569	BOOTPROTO=static
		570	ONBOOT=yes
		571	NOZEROCONF=yes
		572	MII_NOT_SUPPORTED=yes
		573	IPV6INIT=no
		574	IPV6TO4INIT=no
		575	ACCOUNTING=no
		576	USERCTL=no
		577	EOF
1558	richard	578	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1336	richard	579	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
1554	richard	580	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
1	root	581	DEVICE=$INTIF
		582	BOOTPROTO=static
		583	IPADDR=$PRIVATE_IP
604	richard	584	NETMASK=$PRIVATE_NETMASK
1	root	585	ONBOOT=yes
		586	METRIC=10
		587	NOZEROCONF=yes
		588	MII_NOT_SUPPORTED=yes
14	richard	589	IPV6INIT=no
		590	IPV6TO4INIT=no
		591	ACCOUNTING=no
		592	USERCTL=no
1	root	593	EOF
440	franck	594	# Mise à l'heure du serveur
		595	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		596	cat <<EOF > /etc/ntp/step-tickers
455	franck	597	0.fr.pool.ntp.org # adapt to your country
		598	1.fr.pool.ntp.org
		599	2.fr.pool.ntp.org
440	franck	600	EOF
		601	# Configuration du serveur de temps (sur lui même)
1	root	602	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		603	cat <<EOF > /etc/ntp.conf
456	franck	604	server 0.fr.pool.ntp.org # adapt to your country
447	franck	605	server 1.fr.pool.ntp.org
		606	server 2.fr.pool.ntp.org
		607	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	608	fudge 127.127.1.0 stratum 10
604	richard	609	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	610	restrict 127.0.0.1
310	richard	611	driftfile /var/lib/ntp/drift
1	root	612	logfile /var/log/ntp.log
1594	richard	613	disable monitor
1	root	614	EOF
440	franck	615
310	richard	616	chown -R ntp:ntp /var/lib/ntp
1	root	617	# Renseignement des fichiers hosts.allow et hosts.deny
		618	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		619	cat <<EOF > /etc/hosts.allow
		620	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	621	sshd: ALL
1	root	622	ntpd: $PRIVATE_NETWORK_SHORT
		623	EOF
		624	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		625	cat <<EOF > /etc/hosts.deny
		626	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		627	EOF
790	richard	628	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	629	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	630	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	631	# load conntrack ftp module
		632	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		633	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	634	# load ipt_NETFLOW module
		635	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	636	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
		637	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		638	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		639	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
1515	richard	640	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
1157	stephane	641	#
860	richard	642	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	643	} # End of network ()
		644
		645	##################################################################
1221	richard	646	## Function "ACC" ##
		647	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	648	## - configuration du serveur web (Apache) ##
		649	## - définition du 1er comptes de gestion ##
		650	## - sécurisation des accès ##
		651	##################################################################
1221	richard	652	ACC ()
1	root	653	{
		654	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		655	mkdir $DIR_WEB
		656	# Copie et configuration des fichiers du centre de gestion
316	richard	657	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	658	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	659	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		660	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		661	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		662	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		663	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	664	chown -R apache:apache $DIR_WEB/*
1489	richard	665	# create the backup structure :
		666	# - base = users database
		667	# - archive = tarball of "base + http firewall + netflow"
		668	# - security = watchdog disconnection)
1564	richard	669	for i in base archive security;
1	root	670	do
		671	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		672	done
5	franck	673	chown -R root:apache $DIR_SAVE
71	richard	674	# Configuration et sécurisation php
		675	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	676	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		677	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	678	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		679	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	680	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		681	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		682	# Configuration et sécurisation Apache
790	richard	683	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	684	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	685	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	686	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1532	richard	687	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
		688	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
		689	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
		690	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] \|\| cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
		691	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
		692	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
		693	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
		694	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
		695	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
		696	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
1359	richard	697	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		698	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
1676	richard	699	$SED "s?^SSLCipherSuite.*?SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!DSS?g" /etc/httpd/conf/conf.d/ssl.conf #DSS is no more secured
1532	richard	700	# Error page management
1534	richard	701	[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] \|\| cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
		702	cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
1532	richard	703	Alias /error/ "/var/www/html/"
		704	<Directory "/usr/share/httpd/error">
		705	AllowOverride None
		706	Options IncludesNoExec
		707	AddOutputFilter Includes html
		708	AddHandler type-map var
		709	Require all granted
		710	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		711	ForceLanguagePriority Prefer Fallback
		712	</Directory>
		713	ErrorDocument 400 /error/error.php?error=400
		714	ErrorDocument 401 /error/error.php?error=401
		715	ErrorDocument 403 /error/error.php?error=403
		716	ErrorDocument 404 /error/error.php?error=404
		717	ErrorDocument 405 /error/error.php?error=405
		718	ErrorDocument 408 /error/error.php?error=408
		719	ErrorDocument 410 /error/error.php?error=410
		720	ErrorDocument 411 /error/error.php?error=411
		721	ErrorDocument 412 /error/error.php?error=412
		722	ErrorDocument 413 /error/error.php?error=413
		723	ErrorDocument 414 /error/error.php?error=414
		724	ErrorDocument 415 /error/error.php?error=415
		725	ErrorDocument 500 /error/error.php?error=500
		726	ErrorDocument 501 /error/error.php?error=501
		727	ErrorDocument 502 /error/error.php?error=502
		728	ErrorDocument 503 /error/error.php?error=503
		729	ErrorDocument 506 /error/error.php?error=506
		730	EOF
1359	richard	731	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		732	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		733	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		734	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	735	</body>
		736	</html>
		737	EOF
		738	# Définition du premier compte lié au profil 'admin'
510	richard	739	if [ "$mode" = "install" ]
		740	then
1676	richard	741	header_install
613	richard	742	admin_portal=!
		743	PTN='^[a-zA-Z0-9-]*$'
		744	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		745	do
		746	header_install
		747	if [ $Lang == "fr" ]
		748	then
		749	echo ""
		750	echo "Définissez un premier compte d'administration du portail :"
		751	echo
		752	echo -n "Nom : "
		753	else
		754	echo ""
		755	echo "Define the first account allow to administrate the portal :"
		756	echo
		757	echo -n "Account : "
		758	fi
		759	read admin_portal
		760	if [ "$admin_portal" == "" ]
		761	then
		762	admin_portal=!
		763	fi
		764	done
1268	richard	765	# Creation of keys file for the admin account ("admin")
510	richard	766	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		767	mkdir -p $DIR_DEST_ETC/digest
		768	chmod 755 $DIR_DEST_ETC/digest
		769	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		770	do
1350	richard	771	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	772	done
		773	$DIR_DEST_SBIN/alcasar-profil.sh --list
		774	fi
434	richard	775	# synchronisation horaire
		776	ntpd -q -g &
1	root	777	# Sécurisation du centre
988	franck	778	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	779	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	780	<Directory $DIR_ACC>
1	root	781	SSLRequireSSL
		782	AllowOverride None
		783	Order deny,allow
		784	Deny from all
		785	Allow from 127.0.0.1
		786	Allow from $PRIVATE_NETWORK_MASK
990	franck	787	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	788	require valid-user
		789	AuthType digest
1243	richard	790	AuthName $HOSTNAME.$DOMAIN
1	root	791	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	792	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	793	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	794	</Directory>
316	richard	795	<Directory $DIR_ACC/admin>
1	root	796	SSLRequireSSL
		797	AllowOverride None
		798	Order deny,allow
		799	Deny from all
		800	Allow from 127.0.0.1
		801	Allow from $PRIVATE_NETWORK_MASK
990	franck	802	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	803	require valid-user
		804	AuthType digest
1243	richard	805	AuthName $HOSTNAME.$DOMAIN
1	root	806	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	807	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	808	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	809	</Directory>
344	richard	810	<Directory $DIR_ACC/manager>
1	root	811	SSLRequireSSL
		812	AllowOverride None
		813	Order deny,allow
		814	Deny from all
		815	Allow from 127.0.0.1
		816	Allow from $PRIVATE_NETWORK_MASK
990	franck	817	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	818	require valid-user
		819	AuthType digest
1243	richard	820	AuthName $HOSTNAME.$DOMAIN
1	root	821	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	822	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	823	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	824	</Directory>
316	richard	825	<Directory $DIR_ACC/backup>
		826	SSLRequireSSL
		827	AllowOverride None
		828	Order deny,allow
		829	Deny from all
		830	Allow from 127.0.0.1
		831	Allow from $PRIVATE_NETWORK_MASK
990	franck	832	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	833	require valid-user
		834	AuthType digest
1243	richard	835	AuthName $HOSTNAME.$DOMAIN
316	richard	836	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	837	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	838	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	839	</Directory>
811	richard	840	Alias /save/ "$DIR_SAVE/"
		841	<Directory $DIR_SAVE>
		842	SSLRequireSSL
		843	Options Indexes
		844	Order deny,allow
		845	Deny from all
		846	Allow from 127.0.0.1
		847	Allow from $PRIVATE_NETWORK_MASK
990	franck	848	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	849	require valid-user
		850	AuthType digest
1243	richard	851	AuthName $HOSTNAME.$DOMAIN
811	richard	852	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	853	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	854	</Directory>
1	root	855	EOF
1378	richard	856	# Launch after coova
		857	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1389	richard	858	} # End of ACC ()
1	root	859
		860	##########################################################################################
1221	richard	861	## Fonction "CA" ##
1	root	862	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		863	##########################################################################################
1221	richard	864	CA ()
1	root	865	{
510	richard	866	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	867	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	868	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	869	cat <<EOF > $FIC_VIRTUAL_SSL
		870	# default SSL virtual host, used for all HTTPS requests that do not
		871	# match a ServerName or ServerAlias in any <VirtualHost> block.
		872
		873	<VirtualHost _default_:443>
		874	# general configuration
		875	ServerAdmin root@localhost
		876	ServerName localhost
		877
		878	# SSL configuration
		879	SSLEngine on
		880	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		881	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		882	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		883	CustomLog logs/ssl_request_log \
		884	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		885	ErrorLog logs/ssl_error_log
		886	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		887	</VirtualHost>
		888	EOF
		889
5	franck	890	chown -R root:apache /etc/pki
1	root	891	chmod -R 750 /etc/pki
1389	richard	892	} # End of CA ()
1	root	893
		894	##########################################################################################
1221	richard	895	## Fonction "init_db" ##
1	root	896	## - Initialisation de la base Mysql ##
		897	## - Affectation du mot de passe de l'administrateur (root) ##
		898	## - Suppression des bases et des utilisateurs superflus ##
		899	## - Création de la base 'radius' ##
		900	## - Installation du schéma de cette base ##
		901	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		902	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		903	##########################################################################################
		904	init_db ()
		905	{
1355	richard	906	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	907	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		908	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	909	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1574	richard	910	/usr/bin/systemctl start mysqld.service
1	root	911	sleep 4
		912	mysqladmin -u root password $mysqlpwd
		913	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	914	# Secure the server
		915	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		916	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	917	# Create 'radius' database
1317	richard	918	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	919	# Add an empty radius database structure
364	franck	920	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	921	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	922	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1515	richard	923	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		924	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1574	richard	925	/usr/bin/systemctl daemon-reload
1389	richard	926	} # End of init_db ()
1	root	927
		928	##########################################################################
1389	richard	929	## Fonction "radius" ##
1	root	930	## - Paramètrage des fichiers de configuration FreeRadius ##
		931	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		932	## - Modification de fichier de conf pour l'accès à Mysql ##
		933	##########################################################################
1389	richard	934	radius ()
1	root	935	{
		936	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		937	chown -R radius:radius /etc/raddb
		938	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	939	# Set radius.conf parameters
1	root	940	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		941	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		942	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	943	# remove the proxy function
1	root	944	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		945	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	946	# remove EAP module
654	richard	947	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	948	# listen on loopback (should be modified later if EAP enabled)
1	root	949	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	950	# enable the SQL module (and SQL counter)
1	root	951	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		952	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		953	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	954	# only include modules for ALCASAR needs
		955	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		956	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		957	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		958	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		959	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		960	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	961	# remvove virtual server and copy our conf file
1	root	962	rm -f /etc/raddb/sites-enabled/*
1278	richard	963	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	964	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		965	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		966	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		967	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	968	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	969	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	970	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	971	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		972	cat << EOF > /etc/raddb/clients.conf
		973	client 127.0.0.1 {
		974	secret = $secretradius
		975	shortname = localhost
		976	}
		977	EOF
1278	richard	978	# sql.conf modification
1	root	979	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		980	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		981	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		982	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		983	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	984	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	985	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	986	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		987	# counter.conf modification (change the Max-All-Session-Time counter)
		988	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		989	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		990	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	991	# make certain that mysql is up before radius start
		992	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		993	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1574	richard	994	/usr/bin/systemctl daemon-reload
1389	richard	995	} # End radius ()
1	root	996
		997	##########################################################################
1389	richard	998	## Function "radius_web" ##
1	root	999	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		1000	## - Création du lien vers la page de changement de mot de passe ##
		1001	##########################################################################
1389	richard	1002	radius_web ()
1	root	1003	{
		1004	# copie de l'interface d'origine dans la structure Alcasar
316	richard	1005	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		1006	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		1007	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	1008	# copie des fichiers modifiés
		1009	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	1010	chown -R apache:apache $DIR_ACC/manager/
344	richard	1011	# Modification des fichiers de configuration
1	root	1012	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	1013	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	1014	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		1015	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		1016	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		1017	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		1018	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		1019	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		1020	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	1021	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	1022	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	1023	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	1024	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	1025	nas1_name: alcasar-$ORGANISME
1	root	1026	nas1_model: Portail captif
		1027	nas1_ip: $PRIVATE_IP
		1028	nas1_port_num: 0
		1029	nas1_community: public
		1030	EOF
		1031	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		1032	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	1033	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	1034	# Ajout du mappage des attributs chillispot
		1035	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	1036	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	1037	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	1038	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	1039	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		1040	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	1041	chown -R apache:apache /etc/freeradius-web
1	root	1042	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		1043	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	1044	<Directory $DIR_WEB/pass>
1	root	1045	SSLRequireSSL
		1046	AllowOverride None
		1047	Order deny,allow
		1048	Deny from all
		1049	Allow from 127.0.0.1
		1050	Allow from $PRIVATE_NETWORK_MASK
1243	richard	1051	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	1052	</Directory>
		1053	EOF
1389	richard	1054	} # End of radius_web ()
1	root	1055
799	richard	1056	##################################################################################
1389	richard	1057	## Fonction "chilli" ##
799	richard	1058	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		1059	## - Paramètrage de la page d'authentification (intercept.php) ##
		1060	##################################################################################
1389	richard	1061	chilli ()
1	root	1062	{
1370	richard	1063	# chilli unit for systemd
		1064	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1065	# This file is part of systemd.
		1066	#
		1067	# systemd is free software; you can redistribute it and/or modify it
		1068	# under the terms of the GNU General Public License as published by
		1069	# the Free Software Foundation; either version 2 of the License, or
		1070	# (at your option) any later version.
1370	richard	1071	[Unit]
		1072	Description=chilli is a captive portal daemon
		1073	After=network.target
		1074
		1075	[Service]
1379	richard	1076	Type=forking
1370	richard	1077	ExecStart=/usr/libexec/chilli start
		1078	ExecStop=/usr/libexec/chilli stop
		1079	ExecReload=/usr/libexec/chilli reload
		1080	PIDFile=/var/run/chilli.pid
		1081
		1082	[Install]
		1083	WantedBy=multi-user.target
		1084	EOF
799	richard	1085	# init file creation
1370	richard	1086	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1087	cat <<EOF > /usr/libexec/chilli
799	richard	1088	#!/bin/sh
		1089	#
		1090	# chilli CoovaChilli init
		1091	#
		1092	# chkconfig: 2345 65 35
		1093	# description: CoovaChilli
		1094	### BEGIN INIT INFO
		1095	# Provides: chilli
		1096	# Required-Start: network
		1097	# Should-Start:
		1098	# Required-Stop: network
		1099	# Should-Stop:
		1100	# Default-Start: 2 3 5
		1101	# Default-Stop:
		1102	# Description: CoovaChilli access controller
		1103	### END INIT INFO
		1104
		1105	[ -f /usr/sbin/chilli ] \|\| exit 0
		1106	. /etc/init.d/functions
		1107	CONFIG=/etc/chilli.conf
		1108	pidfile=/var/run/chilli.pid
		1109	[ -f \$CONFIG ] \|\| {
		1110	echo "\$CONFIG Not found"
		1111	exit 0
		1112	}
		1113	RETVAL=0
		1114	prog="chilli"
		1115	case \$1 in
		1116	start)
		1117	if [ -f \$pidfile ] ; then
		1118	gprintf "chilli is already running"
		1119	else
		1120	gprintf "Starting \$prog: "
		1121	rm -f /var/run/chilli* # cleaning
		1122	/sbin/modprobe tun >/dev/null 2>&1
		1123	echo 1 > /proc/sys/net/ipv4/ip_forward
		1124	[ -e /dev/net/tun ] \|\| {
		1125	(cd /dev;
		1126	mkdir net;
		1127	cd net;
		1128	mknod tun c 10 200)
		1129	}
1336	richard	1130	ifconfig $INTIF 0.0.0.0
1576	richard	1131	/usr/sbin/ethtool -K $INTIF gro off
799	richard	1132	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1133	RETVAL=$?
		1134	fi
		1135	;;
		1136
		1137	reload)
		1138	killall -HUP chilli
		1139	;;
		1140
		1141	restart)
		1142	\$0 stop
		1143	sleep 2
		1144	\$0 start
		1145	;;
		1146
		1147	status)
		1148	status chilli
		1149	RETVAL=0
		1150	;;
		1151
		1152	stop)
		1153	if [ -f \$pidfile ] ; then
		1154	gprintf "Shutting down \$prog: "
		1155	killproc /usr/sbin/chilli
		1156	RETVAL=\$?
		1157	[ \$RETVAL = 0 ] && rm -f $pidfile
		1158	else
		1159	gprintf "chilli is not running"
		1160	fi
		1161	;;
		1162
		1163	*)
		1164	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1165	exit 1
		1166	esac
		1167	echo
		1168	EOF
1373	richard	1169	chmod a+x /usr/libexec/chilli
799	richard	1170	# conf file creation
346	richard	1171	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1172	cat <<EOF > /etc/chilli.conf
		1173	# coova config for ALCASAR
		1174	cmdsocket /var/run/chilli.sock
1336	richard	1175	unixipc chilli.$INTIF.ipc
1551	richard	1176	pidfile /var/run/chilli.pid
346	richard	1177	net $PRIVATE_NETWORK_MASK
595	richard	1178	dhcpif $INTIF
841	richard	1179	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1180	#nodynip
865	richard	1181	#statip
		1182	dynip $PRIVATE_NETWORK_MASK
1249	richard	1183	domain $DOMAIN
355	richard	1184	dns1 $PRIVATE_IP
		1185	dns2 $PRIVATE_IP
346	richard	1186	uamlisten $PRIVATE_IP
503	richard	1187	uamport 3990
837	richard	1188	macauth
		1189	macpasswd password
1243	richard	1190	locationname $HOSTNAME.$DOMAIN
346	richard	1191	radiusserver1 127.0.0.1
		1192	radiusserver2 127.0.0.1
		1193	radiussecret $secretradius
		1194	radiusauthport 1812
		1195	radiusacctport 1813
1243	richard	1196	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1197	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1198	uamsecret $secretuam
1249	richard	1199	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1200	coaport 3799
1379	richard	1201	conup $DIR_DEST_BIN/alcasar-conup.sh
		1202	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1203	include $DIR_DEST_ETC/alcasar-uamallowed
		1204	include $DIR_DEST_ETC/alcasar-uamdomain
1613	franck	1205	#dhcpgateway none
		1206	#dhcprelayagent none
1610	franck	1207	#dhcpgatewayport none
346	richard	1208	EOF
1336	richard	1209	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1210	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1211	# create files for trusted domains and urls
1148	crox53	1212	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1213	chown root:apache $DIR_DEST_ETC/alcasar-*
		1214	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1215	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1216	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1217	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1218	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1219	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1220	if [ "$chilli_exist" == "1" ]
		1221	then
		1222	userdel -r chilli 2>/dev/null
		1223	fi
		1224	groupadd -f chilli
		1225	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1226	} # End of chilli ()
1349	richard	1227
1	root	1228	##################################################################
1389	richard	1229	## Fonction "dansguardian" ##
1	root	1230	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1231	##################################################################
1389	richard	1232	dansguardian ()
1	root	1233	{
		1234	mkdir /var/dansguardian
		1235	chown dansguardian /var/dansguardian
1375	richard	1236	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1237	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1238	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1239	# By default the filter is off
1556	richard	1240	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1293	richard	1241	# French deny HTML page
497	richard	1242	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1243	# Listen only on LAN side
497	richard	1244	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1245	# DG send its flow to HAVP
		1246	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1247	# replace the default deny HTML page
1	root	1248	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1249	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1250	# Don't log
		1251	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1252	# Run 10 daemons (20 in largest server)
659	richard	1253	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1254	# on désactive par défaut le controle de contenu des pages html
497	richard	1255	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1256	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1257	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1258	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1259	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1260	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1261	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1262	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1263	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1264	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1265	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1266	touch $DIR_DG/lists/bannedextensionlist
		1267	touch $DIR_DG/lists/bannedmimetypelist
		1268	# 'Safesearch' regex actualisation
498	richard	1269	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1270	# empty LAN IP list that won't be WEB filtered
		1271	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1272	touch $DIR_DG/lists/exceptioniplist
		1273	# Keep a copy of URL & domain filter configuration files
		1274	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1275	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1276	} # End of dansguardian ()
1	root	1277
71	richard	1278	##################################################################
1221	richard	1279	## Fonction "antivirus" ##
1357	richard	1280	## - configuration of havp, libclamav and freshclam ##
71	richard	1281	##################################################################
		1282	antivirus ()
		1283	{
1358	richard	1284	# create 'havp' user
288	richard	1285	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1286	if [ "$havp_exist" == "1" ]
288	richard	1287	then
478	richard	1288	userdel -r havp 2>/dev/null
894	richard	1289	groupdel havp 2>/dev/null
288	richard	1290	fi
307	richard	1291	groupadd -f havp
1486	richard	1292	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366	richard	1293	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1294	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1295	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1296	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1297	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1298	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1299	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1300	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1301	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1302	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1303	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1304	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1305	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1306	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1307	# skip checking of youtube flow (too heavy load / risk too low)
		1308	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1309	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1310	echo ".youtube.com/" >> /etc/havp/whitelist
1544	richard	1311	# adapt init script and systemd unit
335	richard	1312	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1313	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1547	richard	1314	[ -e /lib/systemd/system/havp.service.default ] \|\| cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
		1315	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1544	richard	1316	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1358	richard	1317	# replace of the intercept page (template)
340	richard	1318	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1319	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1320	# update virus database every 4 hours (24h/6)
1357	richard	1321	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1322	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1323	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1324	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1325	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1326	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1327	# update now
1382	richard	1328	/usr/bin/freshclam --no-warnings
1389	richard	1329	} # End of antivirus ()
71	richard	1330
1486	richard	1331	##########################################################################
		1332	## Fonction "tinyproxy" ##
		1333	## - configuration of tinyproxy (proxy between filterde users and havp) ##
		1334	##########################################################################
1485	richard	1335	tinyproxy ()
		1336	{
1486	richard	1337	tinyproxy_exist=`grep tinyproxy /etc/passwd\|wc -l`
		1338	if [ "$tinyproxy_exist" == "1" ]
		1339	then
		1340	userdel -r tinyproxy 2>/dev/null
		1341	groupdel tinyproxy 2>/dev/null
		1342	fi
		1343	groupadd -f tinyproxy
1488	richard	1344	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1668	richard	1345	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
		1346	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1486	richard	1347	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1348	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1349	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1350	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1351	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1352	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1353	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1354	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1355	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1356	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1544	richard	1357	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
1509	richard	1358	# Create the systemd unit
		1359	cat << EOF > /lib/systemd/system/tinyproxy.service
		1360	# This file is part of systemd.
		1361	#
		1362	# systemd is free software; you can redistribute it and/or modify it
		1363	# under the terms of the GNU General Public License as published by
		1364	# the Free Software Foundation; either version 2 of the License, or
		1365	# (at your option) any later version.
1485	richard	1366
1509	richard	1367	# This unit launches tinyproxy (a very light proxy).
1518	richard	1368	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1369	[Unit]
		1370	Description=Tinyproxy Web Proxy Server
		1371	After=network.target iptables.service
		1372
		1373	[Service]
		1374	Type=forking
1518	richard	1375	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1376	ExecStartPre=/bin/sleep 2
		1377	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1378	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1379
		1380	[Install]
		1381	WantedBy=multi-user.target
		1382	EOF
		1383
1485	richard	1384	} # end of tinyproxy
1	root	1385	##################################################################################
1389	richard	1386	## function "ulogd" ##
476	richard	1387	## - Ulog config for multi-log files ##
		1388	##################################################################################
1389	richard	1389	ulogd ()
476	richard	1390	{
		1391	# Three instances of ulogd (three different logfiles)
		1392	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1393	nl=1
1358	richard	1394	for log_type in traceability ssh ext-access
478	richard	1395	do
1365	richard	1396	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1397	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1398	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1554	richard	1399	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1400	if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
478	richard	1401	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1402	[emu1]
478	richard	1403	file="/var/log/firewall/$log_type.log"
		1404	sync=1
		1405	EOF
1452	richard	1406	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1407	nl=`expr $nl + 1`
		1408	done
476	richard	1409	chown -R root:apache /var/log/firewall
		1410	chmod 750 /var/log/firewall
		1411	chmod 640 /var/log/firewall/*
1389	richard	1412	} # End of ulogd ()
476	richard	1413
1159	crox53	1414
		1415	##########################################################
1389	richard	1416	## Function "nfsen" ##
1567	richard	1417	## - install the nfsen grapher ##
		1418	## - install the two plugins porttracker & surfmap ##
1159	crox53	1419	##########################################################
1389	richard	1420	nfsen()
1	root	1421	{
1569	richard	1422	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1365	richard	1423	# Add PortTracker plugin
1534	richard	1424	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1395	richard	1425	do
1536	richard	1426	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1395	richard	1427	done
1569	richard	1428	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1365	richard	1429	# use of our conf file and init unit
1569	richard	1430	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1570	richard	1431	# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1221	richard	1432	DirTmp=$(pwd)
1569	richard	1433	cd /tmp/nfsen-1.3.7/
1570	richard	1434	/usr/bin/perl install.pl etc/nfsen.conf
		1435	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1365	richard	1436	# Create RRD DB for porttracker (only in it still doesn't exist)
1570	richard	1437	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1438	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1395	richard	1439	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1440	chmod -R 770 /var/log/netflow/porttracker
1372	richard	1441	# nfsen unit for systemd
		1442	cat << EOF > /lib/systemd/system/nfsen.service
		1443	# This file is part of systemd.
		1444	#
		1445	# systemd is free software; you can redistribute it and/or modify it
		1446	# under the terms of the GNU General Public License as published by
		1447	# the Free Software Foundation; either version 2 of the License, or
		1448	# (at your option) any later version.
		1449
		1450	# This unit launches nfsen (a Netflow grapher).
		1451	[Unit]
		1452	Description= NfSen init script
		1453	After=network.target iptables.service
		1454
		1455	[Service]
		1456	Type=oneshot
		1457	RemainAfterExit=yes
1393	richard	1458	PIDFile=/var/run/nfsen/nfsen.pid
		1459	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1460	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1461	ExecStart=/usr/bin/nfsen start
		1462	ExecStop=/usr/bin/nfsen stop
1393	richard	1463	ExecReload=/usr/bin/nfsen restart
1372	richard	1464	TimeoutSec=0
		1465
		1466	[Install]
		1467	WantedBy=multi-user.target
		1468	EOF
1365	richard	1469	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1470	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1471	# expire delay for the profile "live"
1574	richard	1472	/usr/bin/systemctl start nfsen
1393	richard	1473	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1474	# add SURFmap plugin
1509	richard	1475	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1512	richard	1476	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1509	richard	1477	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1512	richard	1478	cd /tmp/
		1479	/usr/bin/sh SURFmap/install.sh
1544	richard	1480	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1365	richard	1481	# clear the installation
1221	richard	1482	cd $DirTmp
1509	richard	1483	rm -rf /tmp/nfsen*
		1484	rm -rf /tmp/SURFmap*
1389	richard	1485	} # End of nfsen ()
1	root	1486
1390	richard	1487	##################################################
1541	richard	1488	## Function "vnstat" ##
		1489	## Initialization of Vnstat and vnstat phpFE ##
		1490	##################################################
		1491	vnstat ()
		1492	{
		1493	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
		1494	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
		1495	[ -e $DIR_ACC/manager/stats/config.php.default ] \|\| cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
		1496	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
		1497	/usr/bin/vnstat -u -i $EXTIF
		1498	} # End of vnstat
		1499	##################################################
1389	richard	1500	## Function "dnsmasq" ##
1390	richard	1501	##################################################
1389	richard	1502	dnsmasq ()
219	jeremy	1503	{
		1504	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1505	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1506	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1507	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1508	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1509	cat << EOF > /etc/dnsmasq.conf
520	richard	1510	# Configuration file for "dnsmasq in forward mode"
1387	richard	1511	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1512	listen-address=$PRIVATE_IP
1390	richard	1513	pid-file=/var/run/dnsmasq.pid
259	richard	1514	listen-address=127.0.0.1
286	richard	1515	no-dhcp-interface=$INTIF
1387	richard	1516	no-dhcp-interface=tun0
		1517	no-dhcp-interface=lo
259	richard	1518	bind-interfaces
		1519	cache-size=256
		1520	domain=$DOMAIN
		1521	domain-needed
		1522	expand-hosts
		1523	bogus-priv
		1524	filterwin2k
		1525	server=$DNS1
		1526	server=$DNS2
1387	richard	1527	# DHCP service is configured. It will be enabled in "bypass" mode
1610	franck	1528	#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
		1529	#dhcp-option=option:router,$PRIVATE_IP
		1530	#dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1531
1387	richard	1532	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1533	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1534	EOF
1356	richard	1535	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1536	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1537	# Configuration file for "dnsmasq with blacklist"
1387	richard	1538	# Add Toulouse blacklist domains
1472	richard	1539	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1540	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1541	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1542	listen-address=$PRIVATE_IP
		1543	port=54
		1544	no-dhcp-interface=$INTIF
1387	richard	1545	no-dhcp-interface=tun0
1472	richard	1546	no-dhcp-interface=lo
498	richard	1547	bind-interfaces
		1548	cache-size=256
		1549	domain=$DOMAIN
		1550	domain-needed
		1551	expand-hosts
		1552	bogus-priv
		1553	filterwin2k
		1554	server=$DNS1
		1555	server=$DNS2
		1556	EOF
1379	richard	1557	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1558	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1559	# Configuration file for "dnsmasq with whitelist"
1356	richard	1560	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1561	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1562	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1563	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1564	listen-address=$PRIVATE_IP
		1565	port=55
		1566	no-dhcp-interface=$INTIF
1387	richard	1567	no-dhcp-interface=tun0
1472	richard	1568	no-dhcp-interface=lo
1356	richard	1569	bind-interfaces
		1570	cache-size=256
		1571	domain=$DOMAIN
		1572	domain-needed
		1573	expand-hosts
		1574	bogus-priv
		1575	filterwin2k
1472	richard	1576	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1577	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1578	EOF
1472	richard	1579	# 4th dnsmasq listen on udp 56 ("blackhole")
		1580	cat << EOF > /etc/dnsmasq-blackhole.conf
		1581	# Configuration file for "dnsmasq as a blackhole"
		1582	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1583	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1584	pid-file=/var/run/dnsmasq-blackhole.pid
		1585	listen-address=$PRIVATE_IP
		1586	port=56
		1587	no-dhcp-interface=$INTIF
		1588	no-dhcp-interface=tun0
		1589	no-dhcp-interface=lo
		1590	bind-interfaces
		1591	cache-size=256
		1592	domain=$DOMAIN
		1593	domain-needed
		1594	expand-hosts
		1595	bogus-priv
		1596	filterwin2k
		1597	EOF
		1598
1517	richard	1599	# the main instance should start after network and chilli (which create tun0)
1547	richard	1600	[ -e /lib/systemd/system/dnsmasq.service.default ] \|\| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1517	richard	1601	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1602	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1603	for list in blacklist whitelist blackhole
		1604	do
		1605	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1606	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1607	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1608	done
308	richard	1609	} # End dnsmasq
		1610
		1611	##########################################################
1221	richard	1612	## Fonction "BL" ##
308	richard	1613	##########################################################
		1614	BL ()
		1615	{
1384	richard	1616	# copy and extract toulouse BL
648	richard	1617	rm -rf $DIR_DG/lists/blacklists
		1618	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1619	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1620	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1621	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1622	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1623	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1624	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1625	# creation of file for the rehabilited domains and urls
648	richard	1626	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1627	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1628	touch $DIR_DG/lists/exceptionsitelist
		1629	touch $DIR_DG/lists/exceptionurllist
311	richard	1630	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1631	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1632	# Dansguardian filter config for ALCASAR
		1633	EOF
648	richard	1634	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1635	# Dansguardian domain filter config for ALCASAR
		1636	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1637	#**
		1638	# block all SSL and CONNECT tunnels
		1639	**s
		1640	# block all SSL and CONNECT tunnels specified only as an IP
		1641	*ips
		1642	# block all sites specified only by an IP
		1643	*ip
		1644	EOF
1000	richard	1645	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1646	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1647	# Bing - add 'adlt=strict'
		1648	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1649	# Youtube - add 'edufilter=your_ID'
885	richard	1650	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1651	EOF
1000	richard	1652	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1653	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1654	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1655	if [ "$mode" != "update" ]; then
		1656	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1657	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
654	richard	1658	fi
308	richard	1659	}
219	jeremy	1660
1	root	1661	##########################################################
1221	richard	1662	## Fonction "cron" ##
1	root	1663	## - Mise en place des différents fichiers de cron ##
		1664	##########################################################
		1665	cron ()
		1666	{
		1667	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1668	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1669	cat <<EOF > /etc/crontab
		1670	SHELL=/bin/bash
		1671	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1672	MAILTO=root
		1673	HOME=/
		1674
		1675	# run-parts
		1676	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1677	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1678	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1679	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1680	EOF
		1681	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1682	cat <<EOF >> /etc/anacrontab
667	franck	1683	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1684	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1685	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1686	EOF
1247	crox53	1687
811	richard	1688	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1689	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1690	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1691	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1692	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1693	EOF
952	franck	1694	cat <<EOF > /etc/cron.d/alcasar-archive
		1695	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1696	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1697	EOF
1566	richard	1698	cat << EOF > /etc/cron.d/alcasar-ticket-clean
		1699	# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
		1700	30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
168	franck	1701	EOF
722	franck	1702	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1703	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1704	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1705	EOF
1247	crox53	1706	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1707	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1708	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1709	#EOF
1159	crox53	1710
1	root	1711	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1712	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1713	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1714	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1715	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1716	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1717	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1718	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1719	rm -f /etc/cron.daily/freeradius-web
		1720	rm -f /etc/cron.monthly/freeradius-web
		1721	cat << EOF > /etc/cron.d/freeradius-web
		1722	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1723	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1724	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1725	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1726	EOF
671	franck	1727	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1728	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1729	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1730	EOF
808	franck	1731	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1732	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1733	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1734	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1735	EOF
522	richard	1736	# suppression des crons usagers
		1737	rm -f /var/spool/cron/*
1	root	1738	} # End cron
		1739
		1740	##################################################################
1221	richard	1741	## Fonction "Fail2Ban" ##
1163	crox53	1742	##- Modification de la configuration de fail2ban ##
		1743	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1744	##################################################################
		1745	fail2ban()
		1746	{
1191	crox53	1747	$DIR_CONF/fail2ban.sh
1474	richard	1748	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1749	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1750	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1751	chmod 644 /var/log/fail2ban.log
1489	richard	1752	chmod 644 /var/Save/security/watchdog.log
1418	richard	1753	/usr/bin/touch /var/log/auth.log
1515	richard	1754	# fail2ban unit
		1755	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1756	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1757	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1758	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1163	crox53	1759	} #Fin de fail2ban_install()
		1760
		1761	##################################################################
1376	richard	1762	## Fonction "gammu_smsd" ##
		1763	## - Creation de la base de donnée Gammu ##
		1764	## - Creation du fichier de config: gammu_smsd_conf ##
		1765	## ##
		1766	##################################################################
		1767	gammu_smsd()
		1768	{
		1769	# Create 'gammu' databse
		1770	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1771	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1772	# Add a gammu database structure
		1773	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1774
		1775	# config file for the daemon
		1776	cat << EOF > /etc/gammu_smsd_conf
		1777	[gammu]
		1778	port = /dev/ttyUSB0
		1779	connection = at115200
		1780
		1781	;########################################################
		1782
		1783	[smsd]
		1784
		1785	PIN = 1234
		1786
		1787	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1788	logformat = textall
		1789	debuglevel = 0
		1790
		1791	service = sql
		1792	driver = native_mysql
		1793	user = $DB_USER
		1794	password = $radiuspwd
		1795	pc = localhost
		1796	database = $DB_GAMMU
		1797
		1798	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1799
		1800	StatusFrequency = 30
1380	richard	1801	;LoopSleep = 2
1376	richard	1802
		1803	;ResetFrequency = 300
		1804	;HardResetFrequency = 120
		1805
		1806	CheckSecurity = 1
		1807	CheckSignal = 1
		1808	CheckBattery = 0
		1809	EOF
		1810
		1811	chmod 755 /etc/gammu_smsd_conf
		1812
		1813	#Creation dossier de log Gammu-smsd
1382	richard	1814	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1815	chmod 755 /var/log/gammu-smsd
		1816
		1817	#Edition du script sql gammu <-> radius
1452	richard	1818	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1819	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1820
1380	richard	1821	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1822	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1823	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1824	EOF
		1825
1376	richard	1826	} # END gammu_smsd()
		1827
		1828	##################################################################
1221	richard	1829	## Fonction "post_install" ##
1	root	1830	## - Modification des bannières (locales et ssh) et des prompts ##
		1831	## - Installation de la structure de chiffrement pour root ##
		1832	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1833	## - Mise en place du la rotation des logs ##
5	franck	1834	## - Configuration dans le cas d'une mise à jour ##
1	root	1835	##################################################################
		1836	post_install()
		1837	{
		1838	# création de la bannière locale
1007	richard	1839	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1840	cp -f $DIR_CONF/banner /etc/mageia-release
		1841	echo " V$VERSION" >> /etc/mageia-release
1	root	1842	# création de la bannière SSH
1007	richard	1843	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1844	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1845	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1846	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1847	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1848	# postfix banner anonymisation
		1849	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1850	# sshd écoute côté LAN et WAN
1548	richard	1851	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
860	richard	1852	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1853	echo "SSH=off" >> $CONF_FILE
1631	richard	1854	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
628	richard	1855	echo "QOS=off" >> $CONF_FILE
		1856	echo "LDAP=off" >> $CONF_FILE
786	richard	1857	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1858	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1859	echo "MULTIWAN=off" >> $CONF_FILE
		1860	echo "FAILOVER=30" >> $CONF_FILE
		1861	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1862	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1863	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1864	# Coloration des prompts
		1865	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1866	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1867	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1868	# Droits d'exécution pour utilisateur apache et sysadmin
		1869	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1870	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1871	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1543	richard	1872	# Modify some logrotate files (gammu, ulogd)
1	root	1873	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1874	chmod 644 /etc/logrotate.d/*
714	franck	1875	# rectification sur versions précédentes de la compression des logs
706	franck	1876	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1877	# actualisation des fichiers logs compressés
1342	richard	1878	for dir in firewall dansguardian httpd
706	franck	1879	do
714	franck	1880	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1881	done
1221	richard	1882	# create the alcasar-load_balancing unit
		1883	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1884	# This file is part of systemd.
		1885	#
		1886	# systemd is free software; you can redistribute it and/or modify it
		1887	# under the terms of the GNU General Public License as published by
		1888	# the Free Software Foundation; either version 2 of the License, or
		1889	# (at your option) any later version.
		1890
		1891	# This unit lauches alcasar-load-balancing.sh script.
		1892	[Unit]
		1893	Description=alcasar-load_balancing.sh execution
		1894	After=network.target iptables.service
		1895
		1896	[Service]
		1897	Type=oneshot
		1898	RemainAfterExit=yes
		1899	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1900	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1901	TimeoutSec=0
		1902	SysVStartPriority=99
		1903
		1904	[Install]
		1905	WantedBy=multi-user.target
1157	stephane	1906	EOF
1221	richard	1907	# processes launched at boot time (Systemctl)
1525	franck	1908	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1221	richard	1909	do
1574	richard	1910	/usr/bin/systemctl -q enable $i.service
1221	richard	1911	done
1452	richard	1912
		1913	# disable processes at boot time (Systemctl)
		1914	for i in ulogd
		1915	do
1574	richard	1916	/usr/bin/systemctl -q disable $i.service
1452	richard	1917	done
		1918
1221	richard	1919	# Apply French Security Agency (ANSSI) rules
1362	richard	1920	# ignore ICMP broadcast (smurf attack)
		1921	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1922	# ignore ICMP errors bogus
		1923	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1924	# remove ICMP redirects responces
		1925	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1926	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1927	# enable SYN Cookies (Syn flood attacks)
		1928	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1929	# enable kernel antispoofing
		1930	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1931	# ignore source routing
		1932	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1933	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1934	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1935	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1936	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1937	# remove Magic SysReq Keys
1363	richard	1938	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1939	# switch to multi-users runlevel (instead of x11)
1221	richard	1940	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1600	richard	1941	# GRUB modifications (only one time)
1005	richard	1942	# limit wait time to 3s
		1943	# create an alcasar entry instead of linux-nonfb
		1944	# change display to 1024*768 (vga791)
1600	richard	1945	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst\|wc -l`
		1946	if [ $grub_already_modified == 0 ]
		1947	then
		1948	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1949	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1950	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1601	richard	1951	$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1600	richard	1952	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1953	$SED "/^gfxmenu/d" /boot/grub/menu.lst
		1954	fi
1003	richard	1955	# Remove unused services and users
1502	richard	1956	for svc in sshd
1221	richard	1957	do
1574	richard	1958	/usr/bin/systemctl -q disable $svc.service
1221	richard	1959	done
		1960	# Load and apply the previous conf file
		1961	if [ "$mode" = "update" ]
532	richard	1962	then
1668	richard	1963	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1221	richard	1964	$DIR_DEST_BIN/alcasar-conf.sh --load
		1965	PARENT_SCRIPT=`basename $0`
		1966	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1967	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1968	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1969	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
532	richard	1970	fi
1221	richard	1971	rm -f /tmp/alcasar-conf*
		1972	chown -R root:apache $DIR_DEST_ETC/*
		1973	chmod -R 660 $DIR_DEST_ETC/*
		1974	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1975	# Apply and save the firewall rules
		1976	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1977	sleep 2
1	root	1978	cd $DIR_INSTALL
5	franck	1979	echo ""
1	root	1980	echo "#############################################################################"
638	richard	1981	if [ $Lang == "fr" ]
		1982	then
		1983	echo "# Fin d'installation d'ALCASAR #"
		1984	echo "# #"
		1985	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1986	echo "# des Accès au Réseau ( ALCASAR ) #"
		1987	echo "# #"
		1988	echo "#############################################################################"
		1989	echo
		1990	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1991	echo
		1992	echo "- Lisez attentivement la documentation d'exploitation"
		1993	echo
		1994	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1995	echo
		1996	echo " Appuyez sur 'Entrée' pour continuer"
		1997	else
		1998	echo "# Enf of ALCASAR install process #"
		1999	echo "# #"
		2000	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		2001	echo "# des Accès au Réseau ( ALCASAR ) #"
		2002	echo "# #"
		2003	echo "#############################################################################"
		2004	echo
		2005	echo "- The system will be rebooted in order to operate ALCASAR"
		2006	echo
		2007	echo "- Read the exploitation documentation"
		2008	echo
		2009	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		2010	echo
		2011	echo " Hit 'Enter' to continue"
		2012	fi
815	richard	2013	sleep 2
		2014	if [ "$mode" != "update" ]
820	richard	2015	then
815	richard	2016	read a
		2017	fi
774	richard	2018	clear
1	root	2019	reboot
		2020	} # End post_install ()
		2021
		2022	#################################
1005	richard	2023	# Main Install loop #
1	root	2024	#################################
832	richard	2025	dir_exec=`dirname "$0"`
		2026	if [ $dir_exec != "." ]
		2027	then
		2028	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		2029	echo "Launch this program from the ALCASAR archive directory"
		2030	exit 0
		2031	fi
		2032	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	2033	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	2034	nb_args=$#
		2035	args=$1
		2036	if [ $nb_args -eq 0 ]
		2037	then
		2038	nb_args=1
		2039	args="-h"
		2040	fi
1062	richard	2041	chmod -R u+x $DIR_SCRIPTS/*
1	root	2042	case $args in
		2043	-\? \| -h* \| --h*)
		2044	echo "$usage"
		2045	exit 0
		2046	;;
291	franck	2047	-i \| --install)
1538	richard	2048	header_install
959	franck	2049	license
1544	richard	2050	header_install
29	richard	2051	testing
595	richard	2052	# RPMs install
		2053	$DIR_SCRIPTS/alcasar-urpmi.sh
		2054	if [ "$?" != "0" ]
1	root	2055	then
595	richard	2056	exit 0
		2057	fi
1249	richard	2058	if [ -e $CONF_FILE ]
595	richard	2059	then
597	richard	2060	# Uninstall the running version
532	richard	2061	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	2062	fi
636	richard	2063	# Test if manual update
1362	richard	2064	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	2065	then
636	richard	2066	header_install
595	richard	2067	if [ $Lang == "fr" ]
636	richard	2068	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		2069	else echo "The configuration file of an old version has been found";
595	richard	2070	fi
597	richard	2071	response=0
		2072	PTN='^[oOnNyY]$'
		2073	until [[ $(expr $response : $PTN) -gt 0 ]]
		2074	do
		2075	if [ $Lang == "fr" ]
		2076	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2077	else echo -n "Do you want to use it (Y/n)?";
		2078	fi
		2079	read response
		2080	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2081	then rm -f /tmp/alcasar-conf*
		2082	fi
		2083	done
		2084	fi
636	richard	2085	# Test if update
1057	richard	2086	if [ -e /tmp/alcasar-conf* ]
597	richard	2087	then
		2088	if [ $Lang == "fr" ]
		2089	then echo "#### Installation avec mise à jour ####";
		2090	else echo "#### Installation with update ####";
		2091	fi
636	richard	2092	# Extract the central configuration file
1057	richard	2093	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2094	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2095	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2096	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2097	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2098	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2099	mode="update"
1	root	2100	fi
1541	richard	2101	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2102	do
		2103	$func
1362	richard	2104	# echo "* 'debug' : end of function $func *"; read a
14	richard	2105	done
5	franck	2106	;;
291	franck	2107	-u \| --uninstall)
5	franck	2108	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2109	then
597	richard	2110	if [ $Lang == "fr" ]
		2111	then echo "ALCASAR n'est pas installé!";
		2112	else echo "ALCASAR isn't installed!";
		2113	fi
1	root	2114	exit 0
		2115	fi
5	franck	2116	response=0
		2117	PTN='^[oOnN]$'
580	richard	2118	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2119	do
597	richard	2120	if [ $Lang == "fr" ]
		2121	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2122	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2123	fi
5	franck	2124	read response
		2125	done
1103	richard	2126	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2127	then
1103	richard	2128	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2129	else
		2130	rm -f /tmp/alcasar-conf*
1	root	2131	fi
597	richard	2132	# Uninstall the running version
65	richard	2133	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2134	;;
		2135	*)
		2136	echo "Argument inconnu :$1";
460	richard	2137	echo "Unknown argument :$1";
1	root	2138	echo "$usage"
		2139	exit 1
		2140	;;
		2141	esac
10	franck	2142	# end of script
366	franck	2143

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1684