WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1740 2016-01-03 23:10:30Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1534	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
		22	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
1	root	23
		24	# Options :
376	franck	25	# -i or --install
		26	# -u or --uninstall
1	root	27
376	franck	28	# Functions :
1378	richard	29	# testing : connectivity tests, free space test and mageia version test
1221	richard	30	# init : Installation of RPM and scripts
		31	# network : Network parameters
		32	# ACC : ALCASAR Control Center installation
		33	# CA : Certification Authority initialization
		34	# init_db : Initilization of radius database managed with MariaDB
1389	richard	35	# radius : FreeRadius initialisation
		36	# radius_web : copy ans modifiy original "freeradius web" in ACC
		37	# chilli : coovachilli initialisation (+authentication page)
		38	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	39	# antivirus : HAVP + libclamav configuration
1485	richard	40	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
1541	richard	44	# vnstat : little network stat daemon
1253	richard	45	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	49	# post_install : Security, log rotation, etc.
1	root	50
		51	DATE=`date '+%d %B %Y - %Hh%M'`
		52	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	53	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	54	mode="install"
1	root	55	# ***** Files parameters - paramètres fichiers *******
1015	richard	56	DIR_INSTALL=`pwd` # current directory
		57	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		58	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
1564	richard	59	DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
1015	richard	60	DIR_WEB="/var/www/html" # directory of APACHE
		61	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		62	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		63	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		64	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		65	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		66	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		67	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		68	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	69	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	70	DB_RADIUS="radius" # database name used by FreeRadius server
		71	DB_USER="radius" # user name allows to request the users database
1349	richard	72	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	73	# ***** Network parameters - paramètres réseau *****
1469	richard	74	HOSTNAME="alcasar" # default hostname
1243	richard	75	DOMAIN="localdomain" # default local domain
1685	richard	76	EXTIF=`/sbin/ip route\|grep default\|head -n1\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		77	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF\\|tun0"\|head -n1\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	78	MTU="1500"
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
1538	richard	87	then
		88	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		89	else
		90	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	91	fi
1538	richard	92	response=0
		93	PTN='^[oOyYnN]$'
		94	until [[ $(expr $response : $PTN) -gt 0 ]]
		95	do
		96	if [ $Lang == "fr" ]
1563	franck	97	then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
1538	richard	98	else echo -n "Do you accept the terms of this license (Y/n)? : "
		99	fi
		100	read response
		101	done
		102	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		103	then
		104	exit 1
		105	fi
959	franck	106	}
		107
1	root	108	header_install ()
		109	{
		110	clear
		111	echo "-----------------------------------------------------------------------------"
460	richard	112	echo " ALCASAR V$VERSION Installation"
1	root	113	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		114	echo "-----------------------------------------------------------------------------"
1389	richard	115	}
1	root	116
		117	##################################################################
1221	richard	118	## Function "testing" ##
1378	richard	119	## - Test of Mageia version ##
1529	richard	120	## - Test of ALCASAR version (if already installed) ##
1342	richard	121	## - Test of free space on /var (>10G) ##
1005	richard	122	## - Test of Internet access ##
29	richard	123	##################################################################
		124	testing ()
		125	{
1529	richard	126	# Test of Mageia version
		127	# extract the current Mageia version and hardware architecture (i586 ou X64)
		128	fic=`cat /etc/product.id`
		129	unknown_os=0
		130	old="$IFS"
		131	IFS=","
		132	set $fic
		133	for i in $*
		134	do
		135	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		136	then
		137	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		138	unknown_os=`expr $unknown_os + 1`
		139	fi
		140	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		141	then
		142	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		143	unknown_os=`expr $unknown_os + 1`
		144	fi
		145	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		146	then
		147	ARCH=`echo $i\|cut -d"=" -f2`
		148	unknown_os=`expr $unknown_os + 1`
		149	fi
		150	done
		151	IFS="$old"
1362	richard	152	# Test if ALCASAR is already installed
		153	if [ -e $CONF_FILE ]
		154	then
		155	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	156	if [ $Lang == "fr" ]
1362	richard	157	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		158	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	159	fi
1362	richard	160	response=0
		161	PTN='^[oOnNyY]$'
		162	until [[ $(expr $response : $PTN) -gt 0 ]]
		163	do
		164	if [ $Lang == "fr" ]
		165	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		166	else echo -n "Do you want to update (Y/n)?";
		167	fi
		168	read response
		169	done
		170	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		171	then
		172	rm -f /tmp/alcasar-conf*
		173	else
1684	richard	174	# Retrieve former NICname
		175	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
		176	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
1564	richard	177	# Create the current conf file
1362	richard	178	$DIR_SCRIPTS/alcasar-conf.sh --create
		179	mode="update"
		180	fi
1529	richard	181	fi
1737	richard	182	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "4" ) ]]
1529	richard	183	then
		184	if [ -e /tmp/alcasar-conf.tar.gz ] # update
1365	richard	185	then
1529	richard	186	echo
1378	richard	187	if [ $Lang == "fr" ]
		188	then
1529	richard	189	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
		190	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
1564	richard	191	echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
1529	richard	192	echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
1378	richard	193	else
		194	echo "The automatic update of ALCASAR can't be performed."
1529	richard	195	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
1564	richard	196	echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
1529	richard	197	echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
1378	richard	198	fi
1529	richard	199	else
		200	if [ $Lang == "fr" ]
		201	then
		202	echo "L'installation d'ALCASAR ne peut pas être réalisée."
		203	else
		204	echo "The installation of ALCASAR can't be performed."
1378	richard	205	fi
		206	fi
1529	richard	207	echo
		208	if [ $Lang == "fr" ]
		209	then
		210	echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
		211	else
		212	echo "The OS must be replaced (Mageia4.1)"
		213	fi
		214	exit 0
1342	richard	215	fi
1529	richard	216	if [ ! -d /var/log/netflow/porttracker ]
		217	then
		218	# Test of free space on /var
		219	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		220	if [ $free_space -lt 10 ]
		221	then
		222	if [ $Lang == "fr" ]
		223	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		224	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		225	fi
		226	exit 0
		227	fi
		228	fi
1378	richard	229	if [ $Lang == "fr" ]
784	richard	230	then echo -n "Tests des paramètres réseau : "
595	richard	231	else echo -n "Network parameters tests : "
		232	fi
1471	richard	233	# Test of Ethernet links state
		234	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		235	for i in $DOWN_IF
		236	do
		237	if [ $Lang == "fr" ]
		238	then
		239	echo "Échec"
		240	echo "Le lien réseau de la carte $i n'est pas actif."
		241	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		242	else
		243	echo "Failed"
		244	echo "The link state of $i interface is down."
		245	echo "Make sure that this network card is connected to a switch or an A.P."
		246	fi
		247	exit 0
		248	done
		249	echo -n "."
		250
		251	# Test EXTIF config files
1499	richard	252	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		253	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
1686	richard	254	PUBLIC_GATEWAY=`ip route list\|grep $EXTIF\|grep ^default\|cut -d" " -f3`
1471	richard	255	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		256	then
784	richard	257	if [ $Lang == "fr" ]
		258	then
		259	echo "Échec"
		260	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		261	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	262	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	263	else
		264	echo "Failed"
		265	echo "The Internet connected network card ($EXTIF) isn't well configured."
		266	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	267	echo "Apply the new configuration 'systemctl restart network'"
784	richard	268	fi
830	richard	269	echo "DEVICE=$EXTIF"
784	richard	270	echo "IPADDR="
		271	echo "NETMASK="
		272	echo "GATEWAY="
		273	echo "DNS1="
		274	echo "DNS2="
830	richard	275	echo "ONBOOT=yes"
784	richard	276	exit 0
		277	fi
		278	echo -n "."
1471	richard	279
		280	# Test if router is alive (Box FAI)
1686	richard	281	if [ `ip route list\|grep $EXTIF\|grep -c ^default` -ne "1" ] ; then
595	richard	282	if [ $Lang == "fr" ]
		283	then
		284	echo "Échec"
		285	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		286	echo "Réglez ce problème puis relancez ce script."
		287	else
		288	echo "Failed"
		289	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		290	echo "Resolv this problem, then restart this script."
		291	fi
29	richard	292	exit 0
		293	fi
308	richard	294	echo -n "."
978	franck	295	# On teste le lien vers le routeur par defaut
1499	richard	296	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	297	if [ $(expr $arp_reply) -eq 0 ]
308	richard	298	then
595	richard	299	if [ $Lang == "fr" ]
		300	then
		301	echo "Échec"
1499	richard	302	echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	303	echo "Réglez ce problème puis relancez ce script."
		304	else
		305	echo "Failed"
		306	echo "The Internet gateway doesn't answered"
		307	echo "Resolv this problem, then restart this script."
		308	fi
308	richard	309	exit 0
		310	fi
		311	echo -n "."
421	franck	312	# On teste la connectivité Internet
29	richard	313	rm -rf /tmp/con_ok.html
308	richard	314	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	315	if [ ! -e /tmp/con_ok.html ]
		316	then
595	richard	317	if [ $Lang == "fr" ]
		318	then
		319	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		320	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		321	echo "Vérifiez la validité des adresses IP des DNS."
		322	else
		323	echo "The Internet connection try failed (google.fr)."
		324	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		325	echo "Verify the DNS IP addresses"
		326	fi
29	richard	327	exit 0
		328	fi
		329	rm -rf /tmp/con_ok.html
308	richard	330	echo ". : ok"
1389	richard	331	} # end of testing ()
302	richard	332
		333	##################################################################
1221	richard	334	## Function "init" ##
302	richard	335	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		336	## - Installation et modification des scripts du portail ##
		337	##################################################################
		338	init ()
		339	{
527	richard	340	if [ "$mode" != "update" ]
302	richard	341	then
		342	# On affecte le nom d'organisme
597	richard	343	header_install
302	richard	344	ORGANISME=!
		345	PTN='^[a-zA-Z0-9-]*$'
580	richard	346	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	347	do
595	richard	348	if [ $Lang == "fr" ]
597	richard	349	then echo -n "Entrez le nom de votre organisme : "
		350	else echo -n "Enter the name of your organism : "
595	richard	351	fi
330	franck	352	read ORGANISME
613	richard	353	if [ "$ORGANISME" == "" ]
330	franck	354	then
		355	ORGANISME=!
		356	fi
		357	done
302	richard	358	fi
1	root	359	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	360	rm -f $PASSWD_FILE
1350	richard	361	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		362	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	363	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	364	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	365	$SED "/^password.*/d" /boot/grub/menu.lst
		366	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	367	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	368	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	369	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	370	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	371	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	372	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	373	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	374	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		375	echo "$secretuam" >> $PASSWD_FILE
1350	richard	376	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	377	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		378	echo "$secretradius" >> $PASSWD_FILE
		379	chmod 640 $PASSWD_FILE
977	richard	380	# Scripts and conf files copy
		381	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	382	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	383	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	384	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	385	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	386	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	387	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		388	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	389	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		390	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	391	# generate central conf file
		392	cat <<EOF > $CONF_FILE
612	richard	393	##########################################
		394	## ##
		395	## ALCASAR Parameters ##
		396	## ##
		397	##########################################
1	root	398
612	richard	399	INSTALL_DATE=$DATE
		400	VERSION=$VERSION
		401	ORGANISM=$ORGANISME
923	franck	402	DOMAIN=$DOMAIN
612	richard	403	EOF
628	richard	404	chmod o-rwx $CONF_FILE
1	root	405	} # End of init ()
		406
		407	##################################################################
1221	richard	408	## Function "network" ##
1	root	409	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	410	## - Nommage DNS du système ##
1336	richard	411	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	412	## - Modification du fichier /etc/hosts ##
		413	## - Configuration du serveur de temps (NTP) ##
		414	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		415	##################################################################
		416	network ()
		417	{
		418	header_install
636	richard	419	if [ "$mode" != "update" ]
		420	then
		421	if [ $Lang == "fr" ]
		422	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		423	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		424	fi
		425	response=0
		426	PTN='^[oOyYnN]$'
		427	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	428	do
595	richard	429	if [ $Lang == "fr" ]
659	richard	430	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	431	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	432	fi
1	root	433	read response
		434	done
636	richard	435	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		436	then
		437	PRIVATE_IP_MASK="0"
		438	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		439	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	440	do
595	richard	441	if [ $Lang == "fr" ]
597	richard	442	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		443	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	444	fi
597	richard	445	read PRIVATE_IP_MASK
1	root	446	done
636	richard	447	else
		448	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		449	fi
595	richard	450	else
637	richard	451	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		452	rm -rf conf/etc/alcasar.conf
1	root	453	fi
861	richard	454	# Define LAN side global parameters
1740	richard	455	hostnamectl set-hostname $HOSTNAME.$DOMAIN
977	richard	456	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	457	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	458	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	459	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	460	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	461	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		462	then
		463	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
		464	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
		465	fi
		466	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		467	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	468	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	469	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	470	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		471	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	472	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		473	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	474	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1578	richard	475	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF
841	richard	476	# Define Internet parameters
1613	franck	477	DNS1=`grep ^nameserver /etc/resolv.conf\|awk -F" " '{print $2}'\|head -n 1` # 1st DNS server
1499	richard	478	nb_dns=`grep ^nameserver /etc/resolv.conf\|wc -l`
		479	if [ $nb_dns == 2 ]
		480	then
		481	DNS2=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|tail -n 1` # 2nd DNS server (if exist)
		482	fi
70	franck	483	DNS1=${DNS1:=208.67.220.220}
		484	DNS2=${DNS2:=208.67.222.222}
1499	richard	485	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	486	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	487	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1499	richard	488	# Wrtie the conf file
1469	richard	489	echo "EXTIF=$EXTIF" >> $CONF_FILE
		490	echo "INTIF=$INTIF" >> $CONF_FILE
1499	richard	491	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # IP setting (static or dynamic)
		492	if [ $IP_SETTING == "dhcp" ]
		493	then
		494	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
1585	richard	495	echo "GW=dhcp" >> $CONF_FILE
1499	richard	496	else
		497	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
1585	richard	498	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
1499	richard	499	fi
1587	richard	500	echo "DNS1=$DNS1" >> $CONF_FILE
		501	echo "DNS2=$DNS2" >> $CONF_FILE
994	franck	502	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	503	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	504	echo "DHCP=on" >> $CONF_FILE
914	franck	505	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		506	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		507	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1488	richard	508	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1610	franck	509	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
		510	echo "INT_DNS_IP=none" >> $CONF_FILE
		511	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
1499	richard	512	# network default
597	richard	513	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	514	cat <<EOF > /etc/sysconfig/network
		515	NETWORKING=yes
		516	FORWARD_IPV4=true
		517	EOF
1499	richard	518	# /etc/hosts config
1	root	519	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		520	cat <<EOF > /etc/hosts
503	richard	521	127.0.0.1 localhost
1736	richard	522	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME
1	root	523	EOF
1499	richard	524	# EXTIF (Internet) config
		525	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		526	if [ $IP_SETTING == "dhcp" ]
		527	then
		528	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	529	DEVICE=$EXTIF
1585	richard	530	BOOTPROTO=dhcp
		531	DNS1=127.0.0.1
		532	PEERDNS=no
		533	RESOLV_MODS=yes
		534	ONBOOT=yes
1613	franck	535	NOZEROCONF=yes
1585	richard	536	METRIC=10
		537	MII_NOT_SUPPORTED=yes
		538	IPV6INIT=no
		539	IPV6TO4INIT=no
		540	ACCOUNTING=no
		541	USERCTL=no
		542	MTU=$MTU
		543	EOF
		544	else
		545	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		546	DEVICE=$EXTIF
14	richard	547	BOOTPROTO=static
597	richard	548	IPADDR=$PUBLIC_IP
		549	NETMASK=$PUBLIC_NETMASK
		550	GATEWAY=$PUBLIC_GATEWAY
14	richard	551	DNS1=127.0.0.1
1499	richard	552	RESOLV_MODS=yes
14	richard	553	ONBOOT=yes
		554	METRIC=10
1610	franck	555	NOZEROCONF=yes
14	richard	556	MII_NOT_SUPPORTED=yes
		557	IPV6INIT=no
		558	IPV6TO4INIT=no
		559	ACCOUNTING=no
		560	USERCTL=no
994	franck	561	MTU=$MTU
14	richard	562	EOF
1499	richard	563	fi
1336	richard	564	# Config INTIF (consultation LAN) in normal mode
841	richard	565	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		566	DEVICE=$INTIF
		567	BOOTPROTO=static
		568	ONBOOT=yes
		569	NOZEROCONF=yes
		570	MII_NOT_SUPPORTED=yes
		571	IPV6INIT=no
		572	IPV6TO4INIT=no
		573	ACCOUNTING=no
		574	USERCTL=no
		575	EOF
1558	richard	576	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1336	richard	577	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
1554	richard	578	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
1	root	579	DEVICE=$INTIF
		580	BOOTPROTO=static
		581	IPADDR=$PRIVATE_IP
604	richard	582	NETMASK=$PRIVATE_NETMASK
1	root	583	ONBOOT=yes
		584	METRIC=10
		585	NOZEROCONF=yes
		586	MII_NOT_SUPPORTED=yes
14	richard	587	IPV6INIT=no
		588	IPV6TO4INIT=no
		589	ACCOUNTING=no
		590	USERCTL=no
1	root	591	EOF
440	franck	592	# Mise à l'heure du serveur
		593	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		594	cat <<EOF > /etc/ntp/step-tickers
455	franck	595	0.fr.pool.ntp.org # adapt to your country
		596	1.fr.pool.ntp.org
		597	2.fr.pool.ntp.org
440	franck	598	EOF
		599	# Configuration du serveur de temps (sur lui même)
1	root	600	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		601	cat <<EOF > /etc/ntp.conf
456	franck	602	server 0.fr.pool.ntp.org # adapt to your country
447	franck	603	server 1.fr.pool.ntp.org
		604	server 2.fr.pool.ntp.org
		605	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	606	fudge 127.127.1.0 stratum 10
604	richard	607	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	608	restrict 127.0.0.1
310	richard	609	driftfile /var/lib/ntp/drift
1	root	610	logfile /var/log/ntp.log
1594	richard	611	disable monitor
1	root	612	EOF
440	franck	613
310	richard	614	chown -R ntp:ntp /var/lib/ntp
1	root	615	# Renseignement des fichiers hosts.allow et hosts.deny
		616	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		617	cat <<EOF > /etc/hosts.allow
		618	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	619	sshd: ALL
1	root	620	ntpd: $PRIVATE_NETWORK_SHORT
		621	EOF
		622	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		623	cat <<EOF > /etc/hosts.deny
		624	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		625	EOF
790	richard	626	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	627	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	628	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	629	# load conntrack ftp module
		630	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
1705	richard	631	echo "nf_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	632	# load ipt_NETFLOW module
		633	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	634	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
		635	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		636	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		637	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
1515	richard	638	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
1157	stephane	639	#
860	richard	640	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	641	} # End of network ()
		642
		643	##################################################################
1221	richard	644	## Function "ACC" ##
		645	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	646	## - configuration du serveur web (Apache) ##
		647	## - définition du 1er comptes de gestion ##
		648	## - sécurisation des accès ##
		649	##################################################################
1221	richard	650	ACC ()
1	root	651	{
		652	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		653	mkdir $DIR_WEB
		654	# Copie et configuration des fichiers du centre de gestion
316	richard	655	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	656	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	657	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		658	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		659	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		660	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		661	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	662	chown -R apache:apache $DIR_WEB/*
1489	richard	663	# create the backup structure :
		664	# - base = users database
		665	# - archive = tarball of "base + http firewall + netflow"
		666	# - security = watchdog disconnection)
1564	richard	667	for i in base archive security;
1	root	668	do
		669	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		670	done
5	franck	671	chown -R root:apache $DIR_SAVE
71	richard	672	# Configuration et sécurisation php
		673	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	674	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		675	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	676	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		677	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	678	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		679	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		680	# Configuration et sécurisation Apache
790	richard	681	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	682	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	683	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	684	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1532	richard	685	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
		686	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
		687	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
		688	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] \|\| cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
		689	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
		690	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
		691	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
		692	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
		693	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
		694	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
1359	richard	695	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
1702	richard	696	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		697	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf # exclude vulnerable protocols
		698	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
		699	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
		700	echo "SSLPassPhraseDialog builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
		701	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
		702	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
1532	richard	703	# Error page management
1534	richard	704	[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] \|\| cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
		705	cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
1532	richard	706	Alias /error/ "/var/www/html/"
		707	<Directory "/usr/share/httpd/error">
		708	AllowOverride None
		709	Options IncludesNoExec
		710	AddOutputFilter Includes html
		711	AddHandler type-map var
		712	Require all granted
		713	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		714	ForceLanguagePriority Prefer Fallback
		715	</Directory>
		716	ErrorDocument 400 /error/error.php?error=400
		717	ErrorDocument 401 /error/error.php?error=401
		718	ErrorDocument 403 /error/error.php?error=403
		719	ErrorDocument 404 /error/error.php?error=404
		720	ErrorDocument 405 /error/error.php?error=405
		721	ErrorDocument 408 /error/error.php?error=408
		722	ErrorDocument 410 /error/error.php?error=410
		723	ErrorDocument 411 /error/error.php?error=411
		724	ErrorDocument 412 /error/error.php?error=412
		725	ErrorDocument 413 /error/error.php?error=413
		726	ErrorDocument 414 /error/error.php?error=414
		727	ErrorDocument 415 /error/error.php?error=415
		728	ErrorDocument 500 /error/error.php?error=500
		729	ErrorDocument 501 /error/error.php?error=501
		730	ErrorDocument 502 /error/error.php?error=502
		731	ErrorDocument 503 /error/error.php?error=503
		732	ErrorDocument 506 /error/error.php?error=506
		733	EOF
1359	richard	734	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		735	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		736	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		737	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	738	</body>
		739	</html>
		740	EOF
		741	# Définition du premier compte lié au profil 'admin'
510	richard	742	if [ "$mode" = "install" ]
		743	then
1676	richard	744	header_install
613	richard	745	admin_portal=!
		746	PTN='^[a-zA-Z0-9-]*$'
		747	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		748	do
		749	header_install
		750	if [ $Lang == "fr" ]
		751	then
		752	echo ""
		753	echo "Définissez un premier compte d'administration du portail :"
		754	echo
		755	echo -n "Nom : "
		756	else
		757	echo ""
		758	echo "Define the first account allow to administrate the portal :"
		759	echo
		760	echo -n "Account : "
		761	fi
		762	read admin_portal
		763	if [ "$admin_portal" == "" ]
		764	then
		765	admin_portal=!
		766	fi
		767	done
1268	richard	768	# Creation of keys file for the admin account ("admin")
510	richard	769	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		770	mkdir -p $DIR_DEST_ETC/digest
		771	chmod 755 $DIR_DEST_ETC/digest
		772	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		773	do
1350	richard	774	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	775	done
		776	$DIR_DEST_SBIN/alcasar-profil.sh --list
		777	fi
434	richard	778	# synchronisation horaire
		779	ntpd -q -g &
1	root	780	# Sécurisation du centre
988	franck	781	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	782	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	783	<Directory $DIR_ACC>
1	root	784	SSLRequireSSL
		785	AllowOverride None
		786	Order deny,allow
		787	Deny from all
		788	Allow from 127.0.0.1
		789	Allow from $PRIVATE_NETWORK_MASK
		790	require valid-user
		791	AuthType digest
1243	richard	792	AuthName $HOSTNAME.$DOMAIN
1	root	793	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	794	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	795	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	796	</Directory>
316	richard	797	<Directory $DIR_ACC/admin>
1	root	798	SSLRequireSSL
		799	AllowOverride None
		800	Order deny,allow
		801	Deny from all
		802	Allow from 127.0.0.1
		803	Allow from $PRIVATE_NETWORK_MASK
		804	require valid-user
		805	AuthType digest
1243	richard	806	AuthName $HOSTNAME.$DOMAIN
1	root	807	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	808	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	809	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	810	</Directory>
344	richard	811	<Directory $DIR_ACC/manager>
1	root	812	SSLRequireSSL
		813	AllowOverride None
		814	Order deny,allow
		815	Deny from all
		816	Allow from 127.0.0.1
		817	Allow from $PRIVATE_NETWORK_MASK
		818	require valid-user
		819	AuthType digest
1243	richard	820	AuthName $HOSTNAME.$DOMAIN
1	root	821	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	822	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	823	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	824	</Directory>
316	richard	825	<Directory $DIR_ACC/backup>
		826	SSLRequireSSL
		827	AllowOverride None
		828	Order deny,allow
		829	Deny from all
		830	Allow from 127.0.0.1
		831	Allow from $PRIVATE_NETWORK_MASK
		832	require valid-user
		833	AuthType digest
1243	richard	834	AuthName $HOSTNAME.$DOMAIN
316	richard	835	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	836	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	837	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	838	</Directory>
811	richard	839	Alias /save/ "$DIR_SAVE/"
		840	<Directory $DIR_SAVE>
		841	SSLRequireSSL
		842	Options Indexes
		843	Order deny,allow
		844	Deny from all
		845	Allow from 127.0.0.1
		846	Allow from $PRIVATE_NETWORK_MASK
		847	require valid-user
		848	AuthType digest
1243	richard	849	AuthName $HOSTNAME.$DOMAIN
811	richard	850	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	851	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	852	</Directory>
1	root	853	EOF
1378	richard	854	# Launch after coova
		855	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1389	richard	856	} # End of ACC ()
1	root	857
		858	##########################################################################################
1221	richard	859	## Fonction "CA" ##
1	root	860	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		861	##########################################################################################
1221	richard	862	CA ()
1	root	863	{
510	richard	864	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	865	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	866	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	867	cat <<EOF > $FIC_VIRTUAL_SSL
		868	# default SSL virtual host, used for all HTTPS requests that do not
		869	# match a ServerName or ServerAlias in any <VirtualHost> block.
		870
		871	<VirtualHost _default_:443>
		872	# general configuration
		873	ServerAdmin root@localhost
		874	ServerName localhost
		875
		876	# SSL configuration
		877	SSLEngine on
		878	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		879	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		880	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		881	CustomLog logs/ssl_request_log \
		882	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		883	ErrorLog logs/ssl_error_log
		884	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		885	</VirtualHost>
		886	EOF
		887
5	franck	888	chown -R root:apache /etc/pki
1	root	889	chmod -R 750 /etc/pki
1389	richard	890	} # End of CA ()
1	root	891
		892	##########################################################################################
1221	richard	893	## Fonction "init_db" ##
1	root	894	## - Initialisation de la base Mysql ##
		895	## - Affectation du mot de passe de l'administrateur (root) ##
		896	## - Suppression des bases et des utilisateurs superflus ##
		897	## - Création de la base 'radius' ##
		898	## - Installation du schéma de cette base ##
		899	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		900	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		901	##########################################################################################
		902	init_db ()
		903	{
1355	richard	904	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	905	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		906	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	907	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1574	richard	908	/usr/bin/systemctl start mysqld.service
1	root	909	sleep 4
		910	mysqladmin -u root password $mysqlpwd
		911	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	912	# Secure the server
		913	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		914	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	915	# Create 'radius' database
1317	richard	916	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	917	# Add an empty radius database structure
364	franck	918	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	919	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	920	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1515	richard	921	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		922	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1574	richard	923	/usr/bin/systemctl daemon-reload
1389	richard	924	} # End of init_db ()
1	root	925
		926	##########################################################################
1389	richard	927	## Fonction "radius" ##
1	root	928	## - Paramètrage des fichiers de configuration FreeRadius ##
		929	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		930	## - Modification de fichier de conf pour l'accès à Mysql ##
		931	##########################################################################
1389	richard	932	radius ()
1	root	933	{
		934	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		935	chown -R radius:radius /etc/raddb
		936	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	937	# Set radius.conf parameters
1	root	938	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		939	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		940	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	941	# remove the proxy function
1	root	942	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		943	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	944	# remove EAP module
654	richard	945	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	946	# listen on loopback (should be modified later if EAP enabled)
1	root	947	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	948	# enable the SQL module (and SQL counter)
1	root	949	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		950	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		951	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	952	# only include modules for ALCASAR needs
		953	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		954	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		955	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		956	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		957	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		958	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	959	# remvove virtual server and copy our conf file
1	root	960	rm -f /etc/raddb/sites-enabled/*
1278	richard	961	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	962	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		963	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		964	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		965	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	966	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	967	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	968	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	969	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		970	cat << EOF > /etc/raddb/clients.conf
		971	client 127.0.0.1 {
		972	secret = $secretradius
		973	shortname = localhost
		974	}
		975	EOF
1278	richard	976	# sql.conf modification
1	root	977	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		978	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		979	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		980	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		981	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	982	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	983	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	984	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		985	# counter.conf modification (change the Max-All-Session-Time counter)
		986	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		987	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		988	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	989	# make certain that mysql is up before radius start
		990	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		991	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1574	richard	992	/usr/bin/systemctl daemon-reload
1389	richard	993	} # End radius ()
1	root	994
		995	##########################################################################
1389	richard	996	## Function "radius_web" ##
1	root	997	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		998	## - Création du lien vers la page de changement de mot de passe ##
		999	##########################################################################
1389	richard	1000	radius_web ()
1	root	1001	{
		1002	# copie de l'interface d'origine dans la structure Alcasar
316	richard	1003	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		1004	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		1005	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	1006	# copie des fichiers modifiés
		1007	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	1008	chown -R apache:apache $DIR_ACC/manager/
344	richard	1009	# Modification des fichiers de configuration
1	root	1010	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	1011	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	1012	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		1013	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		1014	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		1015	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		1016	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		1017	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		1018	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	1019	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	1020	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	1021	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	1022	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	1023	nas1_name: alcasar-$ORGANISME
1	root	1024	nas1_model: Portail captif
		1025	nas1_ip: $PRIVATE_IP
		1026	nas1_port_num: 0
		1027	nas1_community: public
		1028	EOF
		1029	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		1030	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	1031	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	1032	# Ajout du mappage des attributs chillispot
		1033	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	1034	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	1035	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	1036	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	1037	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		1038	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	1039	chown -R apache:apache /etc/freeradius-web
1	root	1040	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		1041	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	1042	<Directory $DIR_WEB/pass>
1	root	1043	SSLRequireSSL
		1044	AllowOverride None
		1045	Order deny,allow
		1046	Deny from all
		1047	Allow from 127.0.0.1
		1048	Allow from $PRIVATE_NETWORK_MASK
1243	richard	1049	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	1050	</Directory>
		1051	EOF
1389	richard	1052	} # End of radius_web ()
1	root	1053
799	richard	1054	##################################################################################
1389	richard	1055	## Fonction "chilli" ##
799	richard	1056	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		1057	## - Paramètrage de la page d'authentification (intercept.php) ##
		1058	##################################################################################
1389	richard	1059	chilli ()
1	root	1060	{
1370	richard	1061	# chilli unit for systemd
		1062	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1063	# This file is part of systemd.
		1064	#
		1065	# systemd is free software; you can redistribute it and/or modify it
		1066	# under the terms of the GNU General Public License as published by
		1067	# the Free Software Foundation; either version 2 of the License, or
		1068	# (at your option) any later version.
1370	richard	1069	[Unit]
		1070	Description=chilli is a captive portal daemon
		1071	After=network.target
		1072
		1073	[Service]
1379	richard	1074	Type=forking
1370	richard	1075	ExecStart=/usr/libexec/chilli start
		1076	ExecStop=/usr/libexec/chilli stop
		1077	ExecReload=/usr/libexec/chilli reload
		1078	PIDFile=/var/run/chilli.pid
		1079
		1080	[Install]
		1081	WantedBy=multi-user.target
		1082	EOF
799	richard	1083	# init file creation
1370	richard	1084	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1085	cat <<EOF > /usr/libexec/chilli
799	richard	1086	#!/bin/sh
		1087	#
		1088	# chilli CoovaChilli init
		1089	#
		1090	# chkconfig: 2345 65 35
		1091	# description: CoovaChilli
		1092	### BEGIN INIT INFO
		1093	# Provides: chilli
		1094	# Required-Start: network
		1095	# Should-Start:
		1096	# Required-Stop: network
		1097	# Should-Stop:
		1098	# Default-Start: 2 3 5
		1099	# Default-Stop:
		1100	# Description: CoovaChilli access controller
		1101	### END INIT INFO
		1102
		1103	[ -f /usr/sbin/chilli ] \|\| exit 0
		1104	. /etc/init.d/functions
		1105	CONFIG=/etc/chilli.conf
		1106	pidfile=/var/run/chilli.pid
		1107	[ -f \$CONFIG ] \|\| {
		1108	echo "\$CONFIG Not found"
		1109	exit 0
		1110	}
		1111	RETVAL=0
		1112	prog="chilli"
		1113	case \$1 in
		1114	start)
		1115	if [ -f \$pidfile ] ; then
		1116	gprintf "chilli is already running"
		1117	else
		1118	gprintf "Starting \$prog: "
		1119	rm -f /var/run/chilli* # cleaning
		1120	/sbin/modprobe tun >/dev/null 2>&1
		1121	echo 1 > /proc/sys/net/ipv4/ip_forward
		1122	[ -e /dev/net/tun ] \|\| {
		1123	(cd /dev;
		1124	mkdir net;
		1125	cd net;
		1126	mknod tun c 10 200)
		1127	}
1336	richard	1128	ifconfig $INTIF 0.0.0.0
1576	richard	1129	/usr/sbin/ethtool -K $INTIF gro off
799	richard	1130	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1131	RETVAL=$?
		1132	fi
		1133	;;
		1134
		1135	reload)
		1136	killall -HUP chilli
		1137	;;
		1138
		1139	restart)
		1140	\$0 stop
		1141	sleep 2
		1142	\$0 start
		1143	;;
		1144
		1145	status)
		1146	status chilli
		1147	RETVAL=0
		1148	;;
		1149
		1150	stop)
		1151	if [ -f \$pidfile ] ; then
		1152	gprintf "Shutting down \$prog: "
		1153	killproc /usr/sbin/chilli
		1154	RETVAL=\$?
		1155	[ \$RETVAL = 0 ] && rm -f $pidfile
		1156	else
		1157	gprintf "chilli is not running"
		1158	fi
		1159	;;
		1160
		1161	*)
		1162	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1163	exit 1
		1164	esac
		1165	echo
		1166	EOF
1373	richard	1167	chmod a+x /usr/libexec/chilli
799	richard	1168	# conf file creation
346	richard	1169	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1170	cat <<EOF > /etc/chilli.conf
		1171	# coova config for ALCASAR
		1172	cmdsocket /var/run/chilli.sock
1336	richard	1173	unixipc chilli.$INTIF.ipc
1551	richard	1174	pidfile /var/run/chilli.pid
346	richard	1175	net $PRIVATE_NETWORK_MASK
595	richard	1176	dhcpif $INTIF
841	richard	1177	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1178	#nodynip
865	richard	1179	#statip
		1180	dynip $PRIVATE_NETWORK_MASK
1249	richard	1181	domain $DOMAIN
355	richard	1182	dns1 $PRIVATE_IP
		1183	dns2 $PRIVATE_IP
346	richard	1184	uamlisten $PRIVATE_IP
503	richard	1185	uamport 3990
837	richard	1186	macauth
		1187	macpasswd password
1697	richard	1188	strictmacauth
1243	richard	1189	locationname $HOSTNAME.$DOMAIN
346	richard	1190	radiusserver1 127.0.0.1
		1191	radiusserver2 127.0.0.1
		1192	radiussecret $secretradius
		1193	radiusauthport 1812
		1194	radiusacctport 1813
1243	richard	1195	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1196	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1197	uamsecret $secretuam
1249	richard	1198	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1199	coaport 3799
1379	richard	1200	conup $DIR_DEST_BIN/alcasar-conup.sh
		1201	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1202	include $DIR_DEST_ETC/alcasar-uamallowed
		1203	include $DIR_DEST_ETC/alcasar-uamdomain
1613	franck	1204	#dhcpgateway none
		1205	#dhcprelayagent none
1610	franck	1206	#dhcpgatewayport none
346	richard	1207	EOF
1336	richard	1208	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1209	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1210	# create files for trusted domains and urls
1148	crox53	1211	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1212	chown root:apache $DIR_DEST_ETC/alcasar-*
		1213	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1214	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1215	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1216	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1217	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1218	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1219	if [ "$chilli_exist" == "1" ]
		1220	then
		1221	userdel -r chilli 2>/dev/null
		1222	fi
		1223	groupadd -f chilli
		1224	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1225	} # End of chilli ()
1349	richard	1226
1	root	1227	##################################################################
1389	richard	1228	## Fonction "dansguardian" ##
1	root	1229	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1230	##################################################################
1389	richard	1231	dansguardian ()
1	root	1232	{
		1233	mkdir /var/dansguardian
		1234	chown dansguardian /var/dansguardian
1375	richard	1235	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1236	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1237	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1238	# By default the filter is off
1556	richard	1239	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1293	richard	1240	# French deny HTML page
497	richard	1241	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1242	# Listen only on LAN side
497	richard	1243	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1244	# DG send its flow to HAVP
		1245	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1246	# replace the default deny HTML page
1	root	1247	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1248	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1249	# Don't log
		1250	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1	root	1251	# on désactive par défaut le controle de contenu des pages html
497	richard	1252	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1253	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1254	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1255	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1256	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1257	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1721	richard	1258
		1259	# Configure Dansguardian for large site
		1260	# Minimum number of processus to handle connections
		1261	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
		1262	# Maximum number of processus to handle connections
		1263	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
		1264	# Run at least 8 daemons
		1265	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
		1266	# minimum number of processes to spawn
		1267	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
		1268	# maximum age of a child process before it croaks it
		1269	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
		1270
1	root	1271	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1272	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1273	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1274	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1275	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1276	touch $DIR_DG/lists/bannedextensionlist
		1277	touch $DIR_DG/lists/bannedmimetypelist
		1278	# 'Safesearch' regex actualisation
498	richard	1279	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1280	# empty LAN IP list that won't be WEB filtered
		1281	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1282	touch $DIR_DG/lists/exceptioniplist
		1283	# Keep a copy of URL & domain filter configuration files
		1284	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1285	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1286	} # End of dansguardian ()
1	root	1287
71	richard	1288	##################################################################
1221	richard	1289	## Fonction "antivirus" ##
1357	richard	1290	## - configuration of havp, libclamav and freshclam ##
71	richard	1291	##################################################################
		1292	antivirus ()
		1293	{
1358	richard	1294	# create 'havp' user
288	richard	1295	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1296	if [ "$havp_exist" == "1" ]
288	richard	1297	then
478	richard	1298	userdel -r havp 2>/dev/null
894	richard	1299	groupdel havp 2>/dev/null
288	richard	1300	fi
307	richard	1301	groupadd -f havp
1486	richard	1302	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366	richard	1303	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1304	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1305	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1306	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1307	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1308	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1309	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1310	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1311	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1312	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1313	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1314	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1315	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1316	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1317	# skip checking of youtube flow (too heavy load / risk too low)
		1318	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1319	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1320	echo ".youtube.com/" >> /etc/havp/whitelist
1544	richard	1321	# adapt init script and systemd unit
335	richard	1322	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1323	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1547	richard	1324	[ -e /lib/systemd/system/havp.service.default ] \|\| cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
		1325	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1544	richard	1326	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1358	richard	1327	# replace of the intercept page (template)
340	richard	1328	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1329	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1330	# update virus database every 4 hours (24h/6)
1357	richard	1331	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1332	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1333	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1334	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1335	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1336	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1337	# update now
1382	richard	1338	/usr/bin/freshclam --no-warnings
1389	richard	1339	} # End of antivirus ()
71	richard	1340
1486	richard	1341	##########################################################################
		1342	## Fonction "tinyproxy" ##
		1343	## - configuration of tinyproxy (proxy between filterde users and havp) ##
		1344	##########################################################################
1485	richard	1345	tinyproxy ()
		1346	{
1486	richard	1347	tinyproxy_exist=`grep tinyproxy /etc/passwd\|wc -l`
		1348	if [ "$tinyproxy_exist" == "1" ]
		1349	then
		1350	userdel -r tinyproxy 2>/dev/null
		1351	groupdel tinyproxy 2>/dev/null
		1352	fi
		1353	groupadd -f tinyproxy
1488	richard	1354	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1668	richard	1355	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
		1356	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1486	richard	1357	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1358	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1359	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1360	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1361	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1362	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1363	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1364	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1365	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1366	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1544	richard	1367	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
1509	richard	1368	# Create the systemd unit
		1369	cat << EOF > /lib/systemd/system/tinyproxy.service
		1370	# This file is part of systemd.
		1371	#
		1372	# systemd is free software; you can redistribute it and/or modify it
		1373	# under the terms of the GNU General Public License as published by
		1374	# the Free Software Foundation; either version 2 of the License, or
		1375	# (at your option) any later version.
1485	richard	1376
1509	richard	1377	# This unit launches tinyproxy (a very light proxy).
1518	richard	1378	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1379	[Unit]
		1380	Description=Tinyproxy Web Proxy Server
		1381	After=network.target iptables.service
		1382
		1383	[Service]
		1384	Type=forking
1518	richard	1385	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1386	ExecStartPre=/bin/sleep 2
		1387	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1388	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1389
		1390	[Install]
		1391	WantedBy=multi-user.target
		1392	EOF
		1393
1485	richard	1394	} # end of tinyproxy
1	root	1395	##################################################################################
1389	richard	1396	## function "ulogd" ##
476	richard	1397	## - Ulog config for multi-log files ##
		1398	##################################################################################
1389	richard	1399	ulogd ()
476	richard	1400	{
		1401	# Three instances of ulogd (three different logfiles)
		1402	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1403	nl=1
1358	richard	1404	for log_type in traceability ssh ext-access
478	richard	1405	do
1365	richard	1406	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1407	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1408	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1704	richard	1409	$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1554	richard	1410	if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
478	richard	1411	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1412	[emu1]
478	richard	1413	file="/var/log/firewall/$log_type.log"
		1414	sync=1
		1415	EOF
1452	richard	1416	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1417	nl=`expr $nl + 1`
		1418	done
476	richard	1419	chown -R root:apache /var/log/firewall
		1420	chmod 750 /var/log/firewall
		1421	chmod 640 /var/log/firewall/*
1389	richard	1422	} # End of ulogd ()
476	richard	1423
1159	crox53	1424
		1425	##########################################################
1389	richard	1426	## Function "nfsen" ##
1567	richard	1427	## - install the nfsen grapher ##
		1428	## - install the two plugins porttracker & surfmap ##
1159	crox53	1429	##########################################################
1389	richard	1430	nfsen()
1	root	1431	{
1569	richard	1432	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1365	richard	1433	# Add PortTracker plugin
1534	richard	1434	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1395	richard	1435	do
1536	richard	1436	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1395	richard	1437	done
1569	richard	1438	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1365	richard	1439	# use of our conf file and init unit
1569	richard	1440	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1570	richard	1441	# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1221	richard	1442	DirTmp=$(pwd)
1569	richard	1443	cd /tmp/nfsen-1.3.7/
1570	richard	1444	/usr/bin/perl install.pl etc/nfsen.conf
		1445	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1365	richard	1446	# Create RRD DB for porttracker (only in it still doesn't exist)
1570	richard	1447	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1448	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1395	richard	1449	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1450	chmod -R 770 /var/log/netflow/porttracker
1372	richard	1451	# nfsen unit for systemd
		1452	cat << EOF > /lib/systemd/system/nfsen.service
		1453	# This file is part of systemd.
		1454	#
		1455	# systemd is free software; you can redistribute it and/or modify it
		1456	# under the terms of the GNU General Public License as published by
		1457	# the Free Software Foundation; either version 2 of the License, or
		1458	# (at your option) any later version.
		1459
		1460	# This unit launches nfsen (a Netflow grapher).
		1461	[Unit]
		1462	Description= NfSen init script
		1463	After=network.target iptables.service
		1464
		1465	[Service]
		1466	Type=oneshot
		1467	RemainAfterExit=yes
1393	richard	1468	PIDFile=/var/run/nfsen/nfsen.pid
		1469	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1470	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1471	ExecStart=/usr/bin/nfsen start
		1472	ExecStop=/usr/bin/nfsen stop
1393	richard	1473	ExecReload=/usr/bin/nfsen restart
1372	richard	1474	TimeoutSec=0
		1475
		1476	[Install]
		1477	WantedBy=multi-user.target
		1478	EOF
1365	richard	1479	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1480	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1481	# expire delay for the profile "live"
1574	richard	1482	/usr/bin/systemctl start nfsen
1393	richard	1483	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1484	# add SURFmap plugin
1509	richard	1485	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1512	richard	1486	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1509	richard	1487	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1512	richard	1488	cd /tmp/
		1489	/usr/bin/sh SURFmap/install.sh
1544	richard	1490	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1365	richard	1491	# clear the installation
1221	richard	1492	cd $DirTmp
1509	richard	1493	rm -rf /tmp/nfsen*
		1494	rm -rf /tmp/SURFmap*
1389	richard	1495	} # End of nfsen ()
1	root	1496
1390	richard	1497	##################################################
1541	richard	1498	## Function "vnstat" ##
		1499	## Initialization of Vnstat and vnstat phpFE ##
		1500	##################################################
		1501	vnstat ()
		1502	{
		1503	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
		1504	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
		1505	[ -e $DIR_ACC/manager/stats/config.php.default ] \|\| cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
		1506	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
		1507	/usr/bin/vnstat -u -i $EXTIF
		1508	} # End of vnstat
		1509	##################################################
1389	richard	1510	## Function "dnsmasq" ##
1390	richard	1511	##################################################
1389	richard	1512	dnsmasq ()
219	jeremy	1513	{
		1514	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1515	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1516	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1517	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1518	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1519	cat << EOF > /etc/dnsmasq.conf
520	richard	1520	# Configuration file for "dnsmasq in forward mode"
1387	richard	1521	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1522	listen-address=$PRIVATE_IP
1390	richard	1523	pid-file=/var/run/dnsmasq.pid
259	richard	1524	listen-address=127.0.0.1
286	richard	1525	no-dhcp-interface=$INTIF
1387	richard	1526	no-dhcp-interface=tun0
		1527	no-dhcp-interface=lo
259	richard	1528	bind-interfaces
1721	richard	1529	cache-size=2048
259	richard	1530	domain=$DOMAIN
		1531	domain-needed
		1532	expand-hosts
		1533	bogus-priv
		1534	filterwin2k
		1535	server=$DNS1
		1536	server=$DNS2
1387	richard	1537	# DHCP service is configured. It will be enabled in "bypass" mode
1610	franck	1538	#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
		1539	#dhcp-option=option:router,$PRIVATE_IP
		1540	#dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1541
1387	richard	1542	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1543	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1544	EOF
1356	richard	1545	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1546	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1547	# Configuration file for "dnsmasq with blacklist"
1387	richard	1548	# Add Toulouse blacklist domains
1472	richard	1549	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1550	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1551	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1552	listen-address=$PRIVATE_IP
		1553	port=54
		1554	no-dhcp-interface=$INTIF
1387	richard	1555	no-dhcp-interface=tun0
1472	richard	1556	no-dhcp-interface=lo
498	richard	1557	bind-interfaces
1721	richard	1558	cache-size=2048
498	richard	1559	domain=$DOMAIN
		1560	domain-needed
		1561	expand-hosts
		1562	bogus-priv
		1563	filterwin2k
		1564	server=$DNS1
		1565	server=$DNS2
		1566	EOF
1379	richard	1567	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1568	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1569	# Configuration file for "dnsmasq with whitelist"
1356	richard	1570	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1571	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1572	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1573	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1574	listen-address=$PRIVATE_IP
		1575	port=55
		1576	no-dhcp-interface=$INTIF
1387	richard	1577	no-dhcp-interface=tun0
1472	richard	1578	no-dhcp-interface=lo
1356	richard	1579	bind-interfaces
1721	richard	1580	cache-size=1024
1356	richard	1581	domain=$DOMAIN
		1582	domain-needed
		1583	expand-hosts
		1584	bogus-priv
		1585	filterwin2k
1472	richard	1586	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1587	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1588	EOF
1472	richard	1589	# 4th dnsmasq listen on udp 56 ("blackhole")
		1590	cat << EOF > /etc/dnsmasq-blackhole.conf
		1591	# Configuration file for "dnsmasq as a blackhole"
		1592	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1593	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1594	pid-file=/var/run/dnsmasq-blackhole.pid
		1595	listen-address=$PRIVATE_IP
		1596	port=56
		1597	no-dhcp-interface=$INTIF
		1598	no-dhcp-interface=tun0
		1599	no-dhcp-interface=lo
		1600	bind-interfaces
		1601	cache-size=256
		1602	domain=$DOMAIN
		1603	domain-needed
		1604	expand-hosts
		1605	bogus-priv
		1606	filterwin2k
		1607	EOF
		1608
1517	richard	1609	# the main instance should start after network and chilli (which create tun0)
1547	richard	1610	[ -e /lib/systemd/system/dnsmasq.service.default ] \|\| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1517	richard	1611	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1612	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1613	for list in blacklist whitelist blackhole
		1614	do
		1615	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1616	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1617	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1618	done
308	richard	1619	} # End dnsmasq
		1620
		1621	##########################################################
1221	richard	1622	## Fonction "BL" ##
308	richard	1623	##########################################################
		1624	BL ()
		1625	{
1384	richard	1626	# copy and extract toulouse BL
648	richard	1627	rm -rf $DIR_DG/lists/blacklists
		1628	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1629	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1630	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1631	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1632	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1633	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1634	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1635	# creation of file for the rehabilited domains and urls
648	richard	1636	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1637	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1638	touch $DIR_DG/lists/exceptionsitelist
		1639	touch $DIR_DG/lists/exceptionurllist
311	richard	1640	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1641	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1642	# Dansguardian filter config for ALCASAR
		1643	EOF
648	richard	1644	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1645	# Dansguardian domain filter config for ALCASAR
		1646	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1647	#**
		1648	# block all SSL and CONNECT tunnels
		1649	**s
		1650	# block all SSL and CONNECT tunnels specified only as an IP
		1651	*ips
		1652	# block all sites specified only by an IP
		1653	*ip
		1654	EOF
1000	richard	1655	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1656	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1657	# Bing - add 'adlt=strict'
		1658	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1659	# Youtube - add 'edufilter=your_ID'
885	richard	1660	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1661	EOF
1000	richard	1662	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1663	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1664	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1665	if [ "$mode" != "update" ]; then
		1666	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1667	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
654	richard	1668	fi
308	richard	1669	}
219	jeremy	1670
1	root	1671	##########################################################
1221	richard	1672	## Fonction "cron" ##
1	root	1673	## - Mise en place des différents fichiers de cron ##
		1674	##########################################################
		1675	cron ()
		1676	{
		1677	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1678	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1679	cat <<EOF > /etc/crontab
		1680	SHELL=/bin/bash
		1681	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1682	MAILTO=root
		1683	HOME=/
		1684
		1685	# run-parts
		1686	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1687	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1688	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1689	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1690	EOF
		1691	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1692	cat <<EOF >> /etc/anacrontab
667	franck	1693	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1694	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1695	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1696	EOF
1247	crox53	1697
811	richard	1698	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1699	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1700	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1701	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1702	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1703	EOF
952	franck	1704	cat <<EOF > /etc/cron.d/alcasar-archive
		1705	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1706	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1707	EOF
1566	richard	1708	cat << EOF > /etc/cron.d/alcasar-ticket-clean
		1709	# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
		1710	30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
168	franck	1711	EOF
722	franck	1712	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1713	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1714	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1715	EOF
1247	crox53	1716	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1717	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1718	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1719	#EOF
1159	crox53	1720
1	root	1721	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1722	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1723	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1724	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1725	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1726	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1727	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1728	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1729	rm -f /etc/cron.daily/freeradius-web
		1730	rm -f /etc/cron.monthly/freeradius-web
		1731	cat << EOF > /etc/cron.d/freeradius-web
		1732	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1733	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1734	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1735	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1736	EOF
671	franck	1737	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1738	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1739	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1740	EOF
808	franck	1741	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1742	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1743	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1744	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1745	EOF
522	richard	1746	# suppression des crons usagers
		1747	rm -f /var/spool/cron/*
1	root	1748	} # End cron
		1749
		1750	##################################################################
1221	richard	1751	## Fonction "Fail2Ban" ##
1163	crox53	1752	##- Modification de la configuration de fail2ban ##
		1753	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1754	##################################################################
		1755	fail2ban()
		1756	{
1191	crox53	1757	$DIR_CONF/fail2ban.sh
1474	richard	1758	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1759	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1760	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1761	chmod 644 /var/log/fail2ban.log
1489	richard	1762	chmod 644 /var/Save/security/watchdog.log
1418	richard	1763	/usr/bin/touch /var/log/auth.log
1515	richard	1764	# fail2ban unit
		1765	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1766	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1767	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1768	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1163	crox53	1769	} #Fin de fail2ban_install()
		1770
		1771	##################################################################
1376	richard	1772	## Fonction "gammu_smsd" ##
		1773	## - Creation de la base de donnée Gammu ##
		1774	## - Creation du fichier de config: gammu_smsd_conf ##
		1775	## ##
		1776	##################################################################
		1777	gammu_smsd()
		1778	{
		1779	# Create 'gammu' databse
		1780	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1781	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1782	# Add a gammu database structure
		1783	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1784
		1785	# config file for the daemon
		1786	cat << EOF > /etc/gammu_smsd_conf
		1787	[gammu]
		1788	port = /dev/ttyUSB0
		1789	connection = at115200
		1790
		1791	;########################################################
		1792
		1793	[smsd]
		1794
		1795	PIN = 1234
		1796
		1797	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1798	logformat = textall
		1799	debuglevel = 0
		1800
		1801	service = sql
		1802	driver = native_mysql
		1803	user = $DB_USER
		1804	password = $radiuspwd
		1805	pc = localhost
		1806	database = $DB_GAMMU
		1807
		1808	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1809
		1810	StatusFrequency = 30
1380	richard	1811	;LoopSleep = 2
1376	richard	1812
		1813	;ResetFrequency = 300
		1814	;HardResetFrequency = 120
		1815
		1816	CheckSecurity = 1
		1817	CheckSignal = 1
		1818	CheckBattery = 0
		1819	EOF
		1820
		1821	chmod 755 /etc/gammu_smsd_conf
		1822
		1823	#Creation dossier de log Gammu-smsd
1382	richard	1824	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1825	chmod 755 /var/log/gammu-smsd
		1826
		1827	#Edition du script sql gammu <-> radius
1452	richard	1828	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1829	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1830
1380	richard	1831	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1832	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1833	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1834	EOF
		1835
1376	richard	1836	} # END gammu_smsd()
		1837
		1838	##################################################################
1221	richard	1839	## Fonction "post_install" ##
1	root	1840	## - Modification des bannières (locales et ssh) et des prompts ##
		1841	## - Installation de la structure de chiffrement pour root ##
		1842	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1843	## - Mise en place du la rotation des logs ##
5	franck	1844	## - Configuration dans le cas d'une mise à jour ##
1	root	1845	##################################################################
		1846	post_install()
		1847	{
		1848	# création de la bannière locale
1007	richard	1849	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1850	cp -f $DIR_CONF/banner /etc/mageia-release
		1851	echo " V$VERSION" >> /etc/mageia-release
1	root	1852	# création de la bannière SSH
1007	richard	1853	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1854	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1855	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1856	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1857	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1858	# postfix banner anonymisation
		1859	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1860	# sshd écoute côté LAN et WAN
1548	richard	1861	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1696	franck	1862	# sshd autorise les connections root par certificat
		1863	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
860	richard	1864	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1865	echo "SSH=off" >> $CONF_FILE
1631	richard	1866	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
628	richard	1867	echo "QOS=off" >> $CONF_FILE
		1868	echo "LDAP=off" >> $CONF_FILE
786	richard	1869	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1870	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1871	echo "MULTIWAN=off" >> $CONF_FILE
		1872	echo "FAILOVER=30" >> $CONF_FILE
		1873	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1874	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1875	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1876	# Coloration des prompts
		1877	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1878	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1879	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1880	# Droits d'exécution pour utilisateur apache et sysadmin
		1881	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1882	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1883	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1543	richard	1884	# Modify some logrotate files (gammu, ulogd)
1	root	1885	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1886	chmod 644 /etc/logrotate.d/*
714	franck	1887	# rectification sur versions précédentes de la compression des logs
706	franck	1888	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1889	# actualisation des fichiers logs compressés
1342	richard	1890	for dir in firewall dansguardian httpd
706	franck	1891	do
714	franck	1892	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1893	done
1221	richard	1894	# create the alcasar-load_balancing unit
		1895	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1896	# This file is part of systemd.
		1897	#
		1898	# systemd is free software; you can redistribute it and/or modify it
		1899	# under the terms of the GNU General Public License as published by
		1900	# the Free Software Foundation; either version 2 of the License, or
		1901	# (at your option) any later version.
		1902
		1903	# This unit lauches alcasar-load-balancing.sh script.
		1904	[Unit]
		1905	Description=alcasar-load_balancing.sh execution
		1906	After=network.target iptables.service
		1907
		1908	[Service]
		1909	Type=oneshot
		1910	RemainAfterExit=yes
		1911	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1912	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1913	TimeoutSec=0
		1914	SysVStartPriority=99
		1915
		1916	[Install]
		1917	WantedBy=multi-user.target
1157	stephane	1918	EOF
1221	richard	1919	# processes launched at boot time (Systemctl)
1525	franck	1920	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1221	richard	1921	do
1574	richard	1922	/usr/bin/systemctl -q enable $i.service
1221	richard	1923	done
1452	richard	1924
		1925	# disable processes at boot time (Systemctl)
		1926	for i in ulogd
		1927	do
1574	richard	1928	/usr/bin/systemctl -q disable $i.service
1452	richard	1929	done
		1930
1221	richard	1931	# Apply French Security Agency (ANSSI) rules
1362	richard	1932	# ignore ICMP broadcast (smurf attack)
		1933	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1934	# ignore ICMP errors bogus
		1935	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1936	# remove ICMP redirects responces
		1937	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1938	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1939	# enable SYN Cookies (Syn flood attacks)
		1940	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1941	# enable kernel antispoofing
		1942	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1943	# ignore source routing
		1944	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1945	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1946	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1947	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1948	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1949	# remove Magic SysReq Keys
1363	richard	1950	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1951	# switch to multi-users runlevel (instead of x11)
1221	richard	1952	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1600	richard	1953	# GRUB modifications (only one time)
1005	richard	1954	# limit wait time to 3s
		1955	# create an alcasar entry instead of linux-nonfb
		1956	# change display to 1024*768 (vga791)
1600	richard	1957	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst\|wc -l`
		1958	if [ $grub_already_modified == 0 ]
		1959	then
		1960	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1961	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1962	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1601	richard	1963	$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1600	richard	1964	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1965	$SED "/^gfxmenu/d" /boot/grub/menu.lst
		1966	fi
1003	richard	1967	# Remove unused services and users
1502	richard	1968	for svc in sshd
1221	richard	1969	do
1574	richard	1970	/usr/bin/systemctl -q disable $svc.service
1221	richard	1971	done
		1972	# Load and apply the previous conf file
		1973	if [ "$mode" = "update" ]
532	richard	1974	then
1668	richard	1975	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1221	richard	1976	$DIR_DEST_BIN/alcasar-conf.sh --load
		1977	PARENT_SCRIPT=`basename $0`
		1978	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1979	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1980	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1981	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
532	richard	1982	fi
1221	richard	1983	rm -f /tmp/alcasar-conf*
		1984	chown -R root:apache $DIR_DEST_ETC/*
		1985	chmod -R 660 $DIR_DEST_ETC/*
		1986	chmod ug+x $DIR_DEST_ETC/digest
1	root	1987	cd $DIR_INSTALL
5	franck	1988	echo ""
1	root	1989	echo "#############################################################################"
638	richard	1990	if [ $Lang == "fr" ]
		1991	then
		1992	echo "# Fin d'installation d'ALCASAR #"
		1993	echo "# #"
		1994	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1995	echo "# des Accès au Réseau ( ALCASAR ) #"
		1996	echo "# #"
		1997	echo "#############################################################################"
		1998	echo
		1999	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		2000	echo
		2001	echo "- Lisez attentivement la documentation d'exploitation"
		2002	echo
		2003	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		2004	echo
		2005	echo " Appuyez sur 'Entrée' pour continuer"
		2006	else
		2007	echo "# Enf of ALCASAR install process #"
		2008	echo "# #"
		2009	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		2010	echo "# des Accès au Réseau ( ALCASAR ) #"
		2011	echo "# #"
		2012	echo "#############################################################################"
		2013	echo
		2014	echo "- The system will be rebooted in order to operate ALCASAR"
		2015	echo
		2016	echo "- Read the exploitation documentation"
		2017	echo
		2018	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		2019	echo
		2020	echo " Hit 'Enter' to continue"
		2021	fi
815	richard	2022	sleep 2
		2023	if [ "$mode" != "update" ]
820	richard	2024	then
815	richard	2025	read a
		2026	fi
774	richard	2027	clear
1	root	2028	reboot
		2029	} # End post_install ()
		2030
		2031	#################################
1005	richard	2032	# Main Install loop #
1	root	2033	#################################
832	richard	2034	dir_exec=`dirname "$0"`
		2035	if [ $dir_exec != "." ]
		2036	then
		2037	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		2038	echo "Launch this program from the ALCASAR archive directory"
		2039	exit 0
		2040	fi
		2041	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	2042	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	2043	nb_args=$#
		2044	args=$1
		2045	if [ $nb_args -eq 0 ]
		2046	then
		2047	nb_args=1
		2048	args="-h"
		2049	fi
1062	richard	2050	chmod -R u+x $DIR_SCRIPTS/*
1	root	2051	case $args in
		2052	-\? \| -h* \| --h*)
		2053	echo "$usage"
		2054	exit 0
		2055	;;
291	franck	2056	-i \| --install)
1538	richard	2057	header_install
959	franck	2058	license
1544	richard	2059	header_install
29	richard	2060	testing
595	richard	2061	# RPMs install
		2062	$DIR_SCRIPTS/alcasar-urpmi.sh
		2063	if [ "$?" != "0" ]
1	root	2064	then
595	richard	2065	exit 0
		2066	fi
1249	richard	2067	if [ -e $CONF_FILE ]
595	richard	2068	then
597	richard	2069	# Uninstall the running version
532	richard	2070	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	2071	fi
636	richard	2072	# Test if manual update
1362	richard	2073	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	2074	then
636	richard	2075	header_install
595	richard	2076	if [ $Lang == "fr" ]
636	richard	2077	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		2078	else echo "The configuration file of an old version has been found";
595	richard	2079	fi
597	richard	2080	response=0
		2081	PTN='^[oOnNyY]$'
		2082	until [[ $(expr $response : $PTN) -gt 0 ]]
		2083	do
		2084	if [ $Lang == "fr" ]
		2085	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2086	else echo -n "Do you want to use it (Y/n)?";
		2087	fi
		2088	read response
		2089	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2090	then rm -f /tmp/alcasar-conf*
		2091	fi
		2092	done
		2093	fi
636	richard	2094	# Test if update
1057	richard	2095	if [ -e /tmp/alcasar-conf* ]
597	richard	2096	then
		2097	if [ $Lang == "fr" ]
		2098	then echo "#### Installation avec mise à jour ####";
		2099	else echo "#### Installation with update ####";
		2100	fi
636	richard	2101	# Extract the central configuration file
1057	richard	2102	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2103	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2104	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2105	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2106	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2107	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2108	mode="update"
1	root	2109	fi
1541	richard	2110	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2111	do
		2112	$func
1362	richard	2113	# echo "* 'debug' : end of function $func *"; read a
14	richard	2114	done
5	franck	2115	;;
291	franck	2116	-u \| --uninstall)
5	franck	2117	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2118	then
597	richard	2119	if [ $Lang == "fr" ]
		2120	then echo "ALCASAR n'est pas installé!";
		2121	else echo "ALCASAR isn't installed!";
		2122	fi
1	root	2123	exit 0
		2124	fi
5	franck	2125	response=0
		2126	PTN='^[oOnN]$'
580	richard	2127	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2128	do
597	richard	2129	if [ $Lang == "fr" ]
		2130	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2131	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2132	fi
5	franck	2133	read response
		2134	done
1103	richard	2135	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2136	then
1103	richard	2137	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2138	else
		2139	rm -f /tmp/alcasar-conf*
1	root	2140	fi
597	richard	2141	# Uninstall the running version
65	richard	2142	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2143	;;
		2144	*)
		2145	echo "Argument inconnu :$1";
460	richard	2146	echo "Unknown argument :$1";
1	root	2147	echo "$usage"
		2148	exit 1
		2149	;;
		2150	esac
10	franck	2151	# end of script
366	franck	2152

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1740