WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1839 2016-04-25 13:43:22Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1534	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
		22	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
1	root	23
		24	# Options :
376	franck	25	# -i or --install
		26	# -u or --uninstall
1	root	27
376	franck	28	# Functions :
1378	richard	29	# testing : connectivity tests, free space test and mageia version test
1221	richard	30	# init : Installation of RPM and scripts
		31	# network : Network parameters
		32	# ACC : ALCASAR Control Center installation
		33	# CA : Certification Authority initialization
1837	richard	34	# time_server : NTPd configuration
1221	richard	35	# init_db : Initilization of radius database managed with MariaDB
1389	richard	36	# radius : FreeRadius initialisation
		37	# chilli : coovachilli initialisation (+authentication page)
		38	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	39	# antivirus : HAVP + libclamav configuration
1485	richard	40	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
1541	richard	44	# vnstat : little network stat daemon
1253	richard	45	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	49	# post_install : Security, log rotation, etc.
1	root	50
		51	DATE=`date '+%d %B %Y - %Hh%M'`
		52	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	53	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	54	mode="install"
1	root	55	# ***** Files parameters - paramètres fichiers *******
1015	richard	56	DIR_INSTALL=`pwd` # current directory
		57	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		58	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
1564	richard	59	DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
1015	richard	60	DIR_WEB="/var/www/html" # directory of APACHE
		61	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		62	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		63	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		64	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		65	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		66	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		67	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	68	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	69	DB_RADIUS="radius" # database name used by FreeRadius server
		70	DB_USER="radius" # user name allows to request the users database
1349	richard	71	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	72	# ***** Network parameters - paramètres réseau *****
1469	richard	73	HOSTNAME="alcasar" # default hostname
1243	richard	74	DOMAIN="localdomain" # default local domain
1828	richard	75	EXTIF=`/usr/sbin/ip route\|grep default\|head -n1\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		76	INTIF=`/usr/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF\\|tun0"\|head -n1\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	77	MTU="1500"
1243	richard	78	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	79	# **** Paths - chemin des commandes *****
		80	SED="/bin/sed -i"
		81	# **************** End of global parameters *******************
		82
959	franck	83	license ()
		84	{
		85	if [ $Lang == "fr" ]
1538	richard	86	then
		87	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		88	else
		89	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	90	fi
1538	richard	91	response=0
		92	PTN='^[oOyYnN]$'
		93	until [[ $(expr $response : $PTN) -gt 0 ]]
		94	do
		95	if [ $Lang == "fr" ]
1563	franck	96	then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
1538	richard	97	else echo -n "Do you accept the terms of this license (Y/n)? : "
		98	fi
		99	read response
		100	done
		101	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		102	then
		103	exit 1
		104	fi
959	franck	105	}
		106
1	root	107	header_install ()
		108	{
		109	clear
		110	echo "-----------------------------------------------------------------------------"
460	richard	111	echo " ALCASAR V$VERSION Installation"
1	root	112	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		113	echo "-----------------------------------------------------------------------------"
1389	richard	114	}
1	root	115
		116	##################################################################
1221	richard	117	## Function "testing" ##
1378	richard	118	## - Test of Mageia version ##
1529	richard	119	## - Test of ALCASAR version (if already installed) ##
1342	richard	120	## - Test of free space on /var (>10G) ##
1005	richard	121	## - Test of Internet access ##
29	richard	122	##################################################################
		123	testing ()
		124	{
1529	richard	125	# Test of Mageia version
		126	# extract the current Mageia version and hardware architecture (i586 ou X64)
		127	fic=`cat /etc/product.id`
		128	unknown_os=0
		129	old="$IFS"
		130	IFS=","
		131	set $fic
		132	for i in $*
		133	do
		134	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		135	then
		136	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		137	unknown_os=`expr $unknown_os + 1`
		138	fi
		139	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		140	then
		141	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		142	unknown_os=`expr $unknown_os + 1`
		143	fi
		144	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		145	then
		146	ARCH=`echo $i\|cut -d"=" -f2`
		147	unknown_os=`expr $unknown_os + 1`
		148	fi
		149	done
		150	IFS="$old"
1362	richard	151	# Test if ALCASAR is already installed
		152	if [ -e $CONF_FILE ]
		153	then
		154	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	155	if [ $Lang == "fr" ]
1362	richard	156	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		157	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	158	fi
1362	richard	159	response=0
		160	PTN='^[oOnNyY]$'
		161	until [[ $(expr $response : $PTN) -gt 0 ]]
		162	do
		163	if [ $Lang == "fr" ]
		164	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		165	else echo -n "Do you want to update (Y/n)?";
		166	fi
		167	read response
		168	done
		169	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		170	then
		171	rm -f /tmp/alcasar-conf*
		172	else
1684	richard	173	# Retrieve former NICname
		174	EXTIF=`grep ^EXTIF= $CONF_FILE\|cut -d"=" -f2` # EXTernal InterFace
		175	INTIF=`grep ^INTIF= $CONF_FILE\|cut -d"=" -f2` # INTernal InterFace
1564	richard	176	# Create the current conf file
1362	richard	177	$DIR_SCRIPTS/alcasar-conf.sh --create
		178	mode="update"
		179	fi
1529	richard	180	fi
1785	richard	181	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "5" ) ]]
1529	richard	182	then
		183	if [ -e /tmp/alcasar-conf.tar.gz ] # update
1365	richard	184	then
1529	richard	185	echo
1378	richard	186	if [ $Lang == "fr" ]
		187	then
1529	richard	188	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
		189	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
1564	richard	190	echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
1529	richard	191	echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
1378	richard	192	else
		193	echo "The automatic update of ALCASAR can't be performed."
1529	richard	194	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
1564	richard	195	echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
1529	richard	196	echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
1378	richard	197	fi
1529	richard	198	else
		199	if [ $Lang == "fr" ]
		200	then
		201	echo "L'installation d'ALCASAR ne peut pas être réalisée."
		202	else
		203	echo "The installation of ALCASAR can't be performed."
1378	richard	204	fi
		205	fi
1529	richard	206	echo
		207	if [ $Lang == "fr" ]
		208	then
1785	richard	209	echo "Le système d'exploitation doit être remplacé (Mageia5)"
1529	richard	210	else
1785	richard	211	echo "The OS must be replaced (Mageia5)"
1529	richard	212	fi
		213	exit 0
1342	richard	214	fi
1529	richard	215	if [ ! -d /var/log/netflow/porttracker ]
		216	then
		217	# Test of free space on /var
		218	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		219	if [ $free_space -lt 10 ]
		220	then
		221	if [ $Lang == "fr" ]
		222	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		223	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		224	fi
		225	exit 0
		226	fi
		227	fi
1378	richard	228	if [ $Lang == "fr" ]
784	richard	229	then echo -n "Tests des paramètres réseau : "
595	richard	230	else echo -n "Network parameters tests : "
		231	fi
1471	richard	232	# Test of Ethernet links state
1828	richard	233	DOWN_IF=`/usr/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
1471	richard	234	for i in $DOWN_IF
		235	do
		236	if [ $Lang == "fr" ]
		237	then
		238	echo "Échec"
		239	echo "Le lien réseau de la carte $i n'est pas actif."
		240	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		241	else
		242	echo "Failed"
		243	echo "The link state of $i interface is down."
		244	echo "Make sure that this network card is connected to a switch or an A.P."
		245	fi
		246	exit 0
		247	done
		248	echo -n "."
		249
		250	# Test EXTIF config files
1499	richard	251	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		252	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
1686	richard	253	PUBLIC_GATEWAY=`ip route list\|grep $EXTIF\|grep ^default\|cut -d" " -f3`
1471	richard	254	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		255	then
784	richard	256	if [ $Lang == "fr" ]
		257	then
		258	echo "Échec"
		259	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		260	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	261	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	262	else
		263	echo "Failed"
		264	echo "The Internet connected network card ($EXTIF) isn't well configured."
		265	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	266	echo "Apply the new configuration 'systemctl restart network'"
784	richard	267	fi
830	richard	268	echo "DEVICE=$EXTIF"
784	richard	269	echo "IPADDR="
		270	echo "NETMASK="
		271	echo "GATEWAY="
		272	echo "DNS1="
		273	echo "DNS2="
830	richard	274	echo "ONBOOT=yes"
784	richard	275	exit 0
		276	fi
		277	echo -n "."
1471	richard	278
		279	# Test if router is alive (Box FAI)
1686	richard	280	if [ `ip route list\|grep $EXTIF\|grep -c ^default` -ne "1" ] ; then
595	richard	281	if [ $Lang == "fr" ]
		282	then
		283	echo "Échec"
		284	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		285	echo "Réglez ce problème puis relancez ce script."
		286	else
		287	echo "Failed"
		288	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		289	echo "Resolv this problem, then restart this script."
		290	fi
29	richard	291	exit 0
		292	fi
308	richard	293	echo -n "."
978	franck	294	# On teste le lien vers le routeur par defaut
1499	richard	295	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	296	if [ $(expr $arp_reply) -eq 0 ]
308	richard	297	then
595	richard	298	if [ $Lang == "fr" ]
		299	then
		300	echo "Échec"
1499	richard	301	echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	302	echo "Réglez ce problème puis relancez ce script."
		303	else
		304	echo "Failed"
		305	echo "The Internet gateway doesn't answered"
		306	echo "Resolv this problem, then restart this script."
		307	fi
308	richard	308	exit 0
		309	fi
		310	echo -n "."
421	franck	311	# On teste la connectivité Internet
29	richard	312	rm -rf /tmp/con_ok.html
308	richard	313	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	314	if [ ! -e /tmp/con_ok.html ]
		315	then
595	richard	316	if [ $Lang == "fr" ]
		317	then
		318	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		319	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		320	echo "Vérifiez la validité des adresses IP des DNS."
		321	else
		322	echo "The Internet connection try failed (google.fr)."
		323	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		324	echo "Verify the DNS IP addresses"
		325	fi
29	richard	326	exit 0
		327	fi
		328	rm -rf /tmp/con_ok.html
308	richard	329	echo ". : ok"
1389	richard	330	} # end of testing ()
302	richard	331
		332	##################################################################
1221	richard	333	## Function "init" ##
302	richard	334	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		335	## - Installation et modification des scripts du portail ##
		336	##################################################################
		337	init ()
		338	{
527	richard	339	if [ "$mode" != "update" ]
302	richard	340	then
		341	# On affecte le nom d'organisme
597	richard	342	header_install
302	richard	343	ORGANISME=!
		344	PTN='^[a-zA-Z0-9-]*$'
580	richard	345	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	346	do
595	richard	347	if [ $Lang == "fr" ]
597	richard	348	then echo -n "Entrez le nom de votre organisme : "
		349	else echo -n "Enter the name of your organism : "
595	richard	350	fi
330	franck	351	read ORGANISME
613	richard	352	if [ "$ORGANISME" == "" ]
330	franck	353	then
		354	ORGANISME=!
		355	fi
		356	done
302	richard	357	fi
1	root	358	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	359	rm -f $PASSWD_FILE
1350	richard	360	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		361	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	362	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	363	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	364	$SED "/^password.*/d" /boot/grub/menu.lst
		365	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	366	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	367	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	368	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	369	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	370	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	371	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	372	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	373	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		374	echo "$secretuam" >> $PASSWD_FILE
1350	richard	375	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	376	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		377	echo "$secretradius" >> $PASSWD_FILE
		378	chmod 640 $PASSWD_FILE
1828	richard	379	# copy scripts in in /usr/local/bin
5	franck	380	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
1828	richard	381	# copy conf files in /usr/local/etc
648	richard	382	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1828	richard	383	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
		384	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
		385	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		386	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	387	# generate central conf file
		388	cat <<EOF > $CONF_FILE
612	richard	389	##########################################
		390	## ##
		391	## ALCASAR Parameters ##
		392	## ##
		393	##########################################
1	root	394
612	richard	395	INSTALL_DATE=$DATE
		396	VERSION=$VERSION
		397	ORGANISM=$ORGANISME
1748	richard	398	HOSTNAME=$HOSTNAME
923	franck	399	DOMAIN=$DOMAIN
612	richard	400	EOF
628	richard	401	chmod o-rwx $CONF_FILE
1	root	402	} # End of init ()
		403
		404	##################################################################
1221	richard	405	## Function "network" ##
1	root	406	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	407	## - Nommage DNS du système ##
1336	richard	408	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	409	## - Modification du fichier /etc/hosts ##
		410	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		411	##################################################################
		412	network ()
		413	{
		414	header_install
636	richard	415	if [ "$mode" != "update" ]
		416	then
		417	if [ $Lang == "fr" ]
		418	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		419	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		420	fi
		421	response=0
		422	PTN='^[oOyYnN]$'
		423	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	424	do
595	richard	425	if [ $Lang == "fr" ]
659	richard	426	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	427	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	428	fi
1	root	429	read response
		430	done
636	richard	431	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		432	then
		433	PRIVATE_IP_MASK="0"
		434	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		435	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	436	do
595	richard	437	if [ $Lang == "fr" ]
597	richard	438	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		439	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	440	fi
597	richard	441	read PRIVATE_IP_MASK
1	root	442	done
636	richard	443	else
		444	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		445	fi
595	richard	446	else
637	richard	447	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		448	rm -rf conf/etc/alcasar.conf
1	root	449	fi
861	richard	450	# Define LAN side global parameters
1740	richard	451	hostnamectl set-hostname $HOSTNAME.$DOMAIN
977	richard	452	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	453	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	454	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	455	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	456	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	457	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		458	then
		459	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
		460	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
		461	fi
		462	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		463	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	464	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	465	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	466	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		467	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	468	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		469	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	470	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1828	richard	471	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF
841	richard	472	# Define Internet parameters
1613	franck	473	DNS1=`grep ^nameserver /etc/resolv.conf\|awk -F" " '{print $2}'\|head -n 1` # 1st DNS server
1499	richard	474	nb_dns=`grep ^nameserver /etc/resolv.conf\|wc -l`
		475	if [ $nb_dns == 2 ]
		476	then
		477	DNS2=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|tail -n 1` # 2nd DNS server (if exist)
		478	fi
70	franck	479	DNS1=${DNS1:=208.67.220.220}
		480	DNS2=${DNS2:=208.67.222.222}
1499	richard	481	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	482	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	483	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1499	richard	484	# Wrtie the conf file
1469	richard	485	echo "EXTIF=$EXTIF" >> $CONF_FILE
		486	echo "INTIF=$INTIF" >> $CONF_FILE
1499	richard	487	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # IP setting (static or dynamic)
		488	if [ $IP_SETTING == "dhcp" ]
		489	then
		490	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
1585	richard	491	echo "GW=dhcp" >> $CONF_FILE
1499	richard	492	else
		493	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
1585	richard	494	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
1499	richard	495	fi
1587	richard	496	echo "DNS1=$DNS1" >> $CONF_FILE
		497	echo "DNS2=$DNS2" >> $CONF_FILE
994	franck	498	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	499	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	500	echo "DHCP=on" >> $CONF_FILE
914	franck	501	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		502	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		503	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1488	richard	504	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1610	franck	505	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
		506	echo "INT_DNS_IP=none" >> $CONF_FILE
		507	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
1499	richard	508	# network default
597	richard	509	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	510	cat <<EOF > /etc/sysconfig/network
		511	NETWORKING=yes
		512	FORWARD_IPV4=true
		513	EOF
1499	richard	514	# /etc/hosts config
1	root	515	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		516	cat <<EOF > /etc/hosts
503	richard	517	127.0.0.1 localhost
1736	richard	518	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME
1	root	519	EOF
1499	richard	520	# EXTIF (Internet) config
		521	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		522	if [ $IP_SETTING == "dhcp" ]
		523	then
		524	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	525	DEVICE=$EXTIF
1585	richard	526	BOOTPROTO=dhcp
		527	DNS1=127.0.0.1
		528	PEERDNS=no
		529	RESOLV_MODS=yes
		530	ONBOOT=yes
1613	franck	531	NOZEROCONF=yes
1585	richard	532	METRIC=10
		533	MII_NOT_SUPPORTED=yes
		534	IPV6INIT=no
		535	IPV6TO4INIT=no
		536	ACCOUNTING=no
		537	USERCTL=no
		538	MTU=$MTU
		539	EOF
		540	else
		541	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		542	DEVICE=$EXTIF
14	richard	543	BOOTPROTO=static
597	richard	544	IPADDR=$PUBLIC_IP
		545	NETMASK=$PUBLIC_NETMASK
		546	GATEWAY=$PUBLIC_GATEWAY
14	richard	547	DNS1=127.0.0.1
1499	richard	548	RESOLV_MODS=yes
14	richard	549	ONBOOT=yes
		550	METRIC=10
1610	franck	551	NOZEROCONF=yes
14	richard	552	MII_NOT_SUPPORTED=yes
		553	IPV6INIT=no
		554	IPV6TO4INIT=no
		555	ACCOUNTING=no
		556	USERCTL=no
994	franck	557	MTU=$MTU
14	richard	558	EOF
1499	richard	559	fi
1336	richard	560	# Config INTIF (consultation LAN) in normal mode
841	richard	561	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		562	DEVICE=$INTIF
		563	BOOTPROTO=static
		564	ONBOOT=yes
		565	NOZEROCONF=yes
		566	MII_NOT_SUPPORTED=yes
		567	IPV6INIT=no
		568	IPV6TO4INIT=no
		569	ACCOUNTING=no
		570	USERCTL=no
		571	EOF
1558	richard	572	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1336	richard	573	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
1554	richard	574	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
1	root	575	DEVICE=$INTIF
		576	BOOTPROTO=static
		577	IPADDR=$PRIVATE_IP
604	richard	578	NETMASK=$PRIVATE_NETMASK
1	root	579	ONBOOT=yes
		580	METRIC=10
		581	NOZEROCONF=yes
		582	MII_NOT_SUPPORTED=yes
14	richard	583	IPV6INIT=no
		584	IPV6TO4INIT=no
		585	ACCOUNTING=no
		586	USERCTL=no
1	root	587	EOF
		588	# Renseignement des fichiers hosts.allow et hosts.deny
		589	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		590	cat <<EOF > /etc/hosts.allow
		591	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	592	sshd: ALL
1	root	593	ntpd: $PRIVATE_NETWORK_SHORT
		594	EOF
		595	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		596	cat <<EOF > /etc/hosts.deny
		597	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		598	EOF
790	richard	599	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	600	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	601	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	602	# load conntrack ftp module
		603	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
1705	richard	604	echo "nf_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	605	# load ipt_NETFLOW module
		606	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	607	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
		608	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		609	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		610	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
1833	richard	611	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
1157	stephane	612	#
860	richard	613	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	614	} # End of network ()
		615
		616	##################################################################
1221	richard	617	## Function "ACC" ##
		618	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	619	## - configuration du serveur web (Apache) ##
		620	## - définition du 1er comptes de gestion ##
		621	## - sécurisation des accès ##
		622	##################################################################
1221	richard	623	ACC ()
1	root	624	{
		625	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		626	mkdir $DIR_WEB
1833	richard	627	# Copy & adapt ACC files
316	richard	628	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	629	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	630	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		631	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		632	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		633	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		634	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	635	chown -R apache:apache $DIR_WEB/*
1833	richard	636	# copy & adapt "freeradius-web" files
		637	cp -rf $DIR_CONF/freeradius-web/ /etc/
		638	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
		639	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
		640	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		641	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		642	cat <<EOF > /etc/freeradius-web/naslist.conf
		643	nas1_name: alcasar-$ORGANISME
		644	nas1_model: Network Access Controler
		645	nas1_ip: $PRIVATE_IP
		646	nas1_port_num: 0
		647	nas1_community: public
		648	EOF
		649	chown -R apache:apache /etc/freeradius-web/
		650	# create the log & backup structure :
1489	richard	651	# - base = users database
		652	# - archive = tarball of "base + http firewall + netflow"
1833	richard	653	# - security = watchdog log
1564	richard	654	for i in base archive security;
1	root	655	do
		656	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		657	done
5	franck	658	chown -R root:apache $DIR_SAVE
1833	richard	659	# Configuring & securing php
71	richard	660	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	661	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		662	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	663	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		664	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	665	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		666	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
1833	richard	667	# Configuring & sécuring Apache
790	richard	668	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	669	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	670	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	671	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1532	richard	672	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
		673	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
		674	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
		675	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] \|\| cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
		676	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
		677	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
		678	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
		679	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
		680	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
		681	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
1359	richard	682	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
1702	richard	683	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		684	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf # exclude vulnerable protocols
		685	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
		686	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
		687	echo "SSLPassPhraseDialog builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
		688	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
		689	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
1532	richard	690	# Error page management
1534	richard	691	[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] \|\| cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
		692	cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
1532	richard	693	Alias /error/ "/var/www/html/"
		694	<Directory "/usr/share/httpd/error">
		695	AllowOverride None
		696	Options IncludesNoExec
		697	AddOutputFilter Includes html
		698	AddHandler type-map var
		699	Require all granted
		700	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		701	ForceLanguagePriority Prefer Fallback
		702	</Directory>
		703	ErrorDocument 400 /error/error.php?error=400
		704	ErrorDocument 401 /error/error.php?error=401
		705	ErrorDocument 403 /error/error.php?error=403
		706	ErrorDocument 404 /error/error.php?error=404
		707	ErrorDocument 405 /error/error.php?error=405
		708	ErrorDocument 408 /error/error.php?error=408
		709	ErrorDocument 410 /error/error.php?error=410
		710	ErrorDocument 411 /error/error.php?error=411
		711	ErrorDocument 412 /error/error.php?error=412
		712	ErrorDocument 413 /error/error.php?error=413
		713	ErrorDocument 414 /error/error.php?error=414
		714	ErrorDocument 415 /error/error.php?error=415
		715	ErrorDocument 500 /error/error.php?error=500
		716	ErrorDocument 501 /error/error.php?error=501
		717	ErrorDocument 502 /error/error.php?error=502
		718	ErrorDocument 503 /error/error.php?error=503
		719	ErrorDocument 506 /error/error.php?error=506
		720	EOF
1359	richard	721	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		722	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		723	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		724	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	725	</body>
		726	</html>
		727	EOF
		728	# Définition du premier compte lié au profil 'admin'
1833	richard	729	if [ "$mode" = "install" ]
		730	then
1676	richard	731	header_install
613	richard	732	admin_portal=!
		733	PTN='^[a-zA-Z0-9-]*$'
		734	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		735	do
		736	header_install
		737	if [ $Lang == "fr" ]
		738	then
		739	echo ""
		740	echo "Définissez un premier compte d'administration du portail :"
		741	echo
		742	echo -n "Nom : "
		743	else
		744	echo ""
		745	echo "Define the first account allow to administrate the portal :"
		746	echo
		747	echo -n "Account : "
		748	fi
		749	read admin_portal
		750	if [ "$admin_portal" == "" ]
		751	then
		752	admin_portal=!
		753	fi
		754	done
1268	richard	755	# Creation of keys file for the admin account ("admin")
510	richard	756	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		757	mkdir -p $DIR_DEST_ETC/digest
		758	chmod 755 $DIR_DEST_ETC/digest
		759	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		760	do
1748	richard	761	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
510	richard	762	done
1828	richard	763	$DIR_DEST_BIN/alcasar-profil.sh --list
1833	richard	764	fi
		765	# ACC partitioning
988	franck	766	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	767	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	768	<Directory $DIR_ACC>
1	root	769	SSLRequireSSL
		770	AllowOverride None
		771	Order deny,allow
		772	Deny from all
		773	Allow from 127.0.0.1
		774	Allow from $PRIVATE_NETWORK_MASK
		775	require valid-user
		776	AuthType digest
1748	richard	777	AuthName "ALCASAR Control Center (ACC)"
1747	richard	778	AuthDigestDomain $HOSTNAME.$DOMAIN
1	root	779	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	780	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	781	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	782	</Directory>
316	richard	783	<Directory $DIR_ACC/admin>
1	root	784	SSLRequireSSL
		785	AllowOverride None
		786	Order deny,allow
		787	Deny from all
		788	Allow from 127.0.0.1
		789	Allow from $PRIVATE_NETWORK_MASK
		790	require valid-user
		791	AuthType digest
1748	richard	792	AuthName "ALCASAR Control Center (ACC)"
1747	richard	793	AuthDigestDomain $HOSTNAME.$DOMAIN
1	root	794	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	795	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	796	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	797	</Directory>
344	richard	798	<Directory $DIR_ACC/manager>
1	root	799	SSLRequireSSL
		800	AllowOverride None
		801	Order deny,allow
		802	Deny from all
		803	Allow from 127.0.0.1
		804	Allow from $PRIVATE_NETWORK_MASK
		805	require valid-user
		806	AuthType digest
1748	richard	807	AuthName "ALCASAR Control Center (ACC)"
1747	richard	808	AuthDigestDomain $HOSTNAME.$DOMAIN
1	root	809	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	810	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	811	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	812	</Directory>
316	richard	813	<Directory $DIR_ACC/backup>
		814	SSLRequireSSL
		815	AllowOverride None
		816	Order deny,allow
		817	Deny from all
		818	Allow from 127.0.0.1
		819	Allow from $PRIVATE_NETWORK_MASK
		820	require valid-user
		821	AuthType digest
1748	richard	822	AuthName "ALCASAR Control Center (ACC)"
1747	richard	823	AuthDigestDomain $HOSTNAME.$DOMAIN
316	richard	824	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	825	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	826	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	827	</Directory>
811	richard	828	Alias /save/ "$DIR_SAVE/"
		829	<Directory $DIR_SAVE>
		830	SSLRequireSSL
		831	Options Indexes
		832	Order deny,allow
		833	Deny from all
		834	Allow from 127.0.0.1
		835	Allow from $PRIVATE_NETWORK_MASK
		836	require valid-user
		837	AuthType digest
1748	richard	838	AuthName "ALCASAR Control Center (ACC)"
1747	richard	839	AuthDigestDomain $HOSTNAME.$DOMAIN
811	richard	840	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	841	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	842	</Directory>
1833	richard	843	<Directory $DIR_WEB/pass>
		844	SSLRequireSSL
		845	AllowOverride None
		846	Order deny,allow
		847	Deny from all
		848	Allow from 127.0.0.1
		849	Allow from $PRIVATE_NETWORK_MASK
		850	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
		851	</Directory>
1	root	852	EOF
1833	richard	853	# Launch after coova (in order to wait tun0 to be up)
1378	richard	854	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1389	richard	855	} # End of ACC ()
1	root	856
		857	##########################################################################################
1221	richard	858	## Fonction "CA" ##
1	root	859	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		860	##########################################################################################
1221	richard	861	CA ()
1	root	862	{
510	richard	863	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	864	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	865	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	866	cat <<EOF > $FIC_VIRTUAL_SSL
		867	# default SSL virtual host, used for all HTTPS requests that do not
		868	# match a ServerName or ServerAlias in any <VirtualHost> block.
		869
		870	<VirtualHost _default_:443>
		871	# general configuration
		872	ServerAdmin root@localhost
1748	richard	873	ServerName $HOSTNAME.$DOMAIN
1410	richard	874
		875	# SSL configuration
		876	SSLEngine on
		877	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		878	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		879	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		880	CustomLog logs/ssl_request_log \
		881	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		882	ErrorLog logs/ssl_error_log
		883	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		884	</VirtualHost>
		885	EOF
5	franck	886	chown -R root:apache /etc/pki
1	root	887	chmod -R 750 /etc/pki
1389	richard	888	} # End of CA ()
1	root	889
1837	richard	890	##################################################################
		891	## Function "time_server" ##
		892	## - Configuring NTP server ##
		893	##################################################################
		894	time_server ()
		895	{
		896	# Set the Internet time server
		897	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		898	cat <<EOF > /etc/ntp/step-tickers
		899	0.fr.pool.ntp.org # adapt to your country
		900	1.fr.pool.ntp.org
		901	2.fr.pool.ntp.org
		902	EOF
		903	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		904	cat <<EOF > /etc/ntp.conf
		905	server 0.fr.pool.ntp.org # adapt to your country
		906	server 1.fr.pool.ntp.org
		907	server 2.fr.pool.ntp.org
		908	server 127.127.1.0 # local clock si NTP internet indisponible ...
		909	fudge 127.127.1.0 stratum 10
		910	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
		911	restrict 127.0.0.1
		912	driftfile /var/lib/ntp/drift
		913	logfile /var/log/ntp.log
		914	disable monitor
		915	EOF
		916	chown -R ntp:ntp /var/lib/ntp
		917	# Synchronize now
		918	ntpd -q -g &
		919	} # End of time_server ()
		920
1	root	921	##########################################################################################
1221	richard	922	## Fonction "init_db" ##
1	root	923	## - Initialisation de la base Mysql ##
		924	## - Affectation du mot de passe de l'administrateur (root) ##
		925	## - Suppression des bases et des utilisateurs superflus ##
		926	## - Création de la base 'radius' ##
		927	## - Installation du schéma de cette base ##
		928	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		929	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		930	##########################################################################################
		931	init_db ()
		932	{
1355	richard	933	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	934	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		935	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	936	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1574	richard	937	/usr/bin/systemctl start mysqld.service
1	root	938	sleep 4
		939	mysqladmin -u root password $mysqlpwd
		940	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	941	# Secure the server
		942	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		943	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	944	# Create 'radius' database
1317	richard	945	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	946	# Add an empty radius database structure
1800	richard	947	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
615	richard	948	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	949	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1828	richard	950	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		951	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1574	richard	952	/usr/bin/systemctl daemon-reload
1389	richard	953	} # End of init_db ()
1	root	954
		955	##########################################################################
1389	richard	956	## Fonction "radius" ##
1	root	957	## - Paramètrage des fichiers de configuration FreeRadius ##
		958	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		959	## - Modification de fichier de conf pour l'accès à Mysql ##
		960	##########################################################################
1389	richard	961	radius ()
1	root	962	{
1800	richard	963	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1	root	964	chown -R radius:radius /etc/raddb
		965	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	966	# Set radius.conf parameters
1	root	967	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		968	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		969	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	970	# remove the proxy function
1	root	971	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		972	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	973	# remove EAP module
654	richard	974	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	975	# listen on loopback (should be modified later if EAP enabled)
1	root	976	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	977	# enable the SQL module (and SQL counter)
1	root	978	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		979	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		980	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	981	# only include modules for ALCASAR needs
		982	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		983	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		984	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		985	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		986	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		987	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	988	# remvove virtual server and copy our conf file
1	root	989	rm -f /etc/raddb/sites-enabled/*
1278	richard	990	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	991	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		992	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		993	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		994	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	995	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	996	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	997	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	998	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		999	cat << EOF > /etc/raddb/clients.conf
		1000	client 127.0.0.1 {
		1001	secret = $secretradius
		1002	shortname = localhost
		1003	}
		1004	EOF
1278	richard	1005	# sql.conf modification
1	root	1006	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		1007	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		1008	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		1009	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		1010	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	1011	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	1012	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	1013	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		1014	# counter.conf modification (change the Max-All-Session-Time counter)
		1015	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		1016	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		1017	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	1018	# make certain that mysql is up before radius start
		1019	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		1020	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1574	richard	1021	/usr/bin/systemctl daemon-reload
1389	richard	1022	} # End radius ()
1	root	1023
799	richard	1024	##################################################################################
1389	richard	1025	## Fonction "chilli" ##
799	richard	1026	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		1027	## - Paramètrage de la page d'authentification (intercept.php) ##
		1028	##################################################################################
1389	richard	1029	chilli ()
1	root	1030	{
1370	richard	1031	# chilli unit for systemd
		1032	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1033	# This file is part of systemd.
		1034	#
		1035	# systemd is free software; you can redistribute it and/or modify it
		1036	# under the terms of the GNU General Public License as published by
		1037	# the Free Software Foundation; either version 2 of the License, or
		1038	# (at your option) any later version.
1370	richard	1039	[Unit]
		1040	Description=chilli is a captive portal daemon
		1041	After=network.target
		1042
		1043	[Service]
1379	richard	1044	Type=forking
1370	richard	1045	ExecStart=/usr/libexec/chilli start
		1046	ExecStop=/usr/libexec/chilli stop
		1047	ExecReload=/usr/libexec/chilli reload
		1048	PIDFile=/var/run/chilli.pid
		1049
		1050	[Install]
		1051	WantedBy=multi-user.target
		1052	EOF
799	richard	1053	# init file creation
1370	richard	1054	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
1801	richard	1055	cat <<EOF > /etc/init.d/chilli
799	richard	1056	#!/bin/sh
		1057	#
		1058	# chilli CoovaChilli init
		1059	#
		1060	# chkconfig: 2345 65 35
		1061	# description: CoovaChilli
		1062	### BEGIN INIT INFO
		1063	# Provides: chilli
		1064	# Required-Start: network
		1065	# Should-Start:
		1066	# Required-Stop: network
		1067	# Should-Stop:
		1068	# Default-Start: 2 3 5
		1069	# Default-Stop:
		1070	# Description: CoovaChilli access controller
		1071	### END INIT INFO
		1072
		1073	[ -f /usr/sbin/chilli ] \|\| exit 0
		1074	. /etc/init.d/functions
		1075	CONFIG=/etc/chilli.conf
		1076	pidfile=/var/run/chilli.pid
		1077	[ -f \$CONFIG ] \|\| {
		1078	echo "\$CONFIG Not found"
		1079	exit 0
		1080	}
		1081	RETVAL=0
		1082	prog="chilli"
		1083	case \$1 in
		1084	start)
		1085	if [ -f \$pidfile ] ; then
		1086	gprintf "chilli is already running"
		1087	else
		1088	gprintf "Starting \$prog: "
		1089	rm -f /var/run/chilli* # cleaning
1828	richard	1090	/usr/sbin/modprobe tun >/dev/null 2>&1
799	richard	1091	echo 1 > /proc/sys/net/ipv4/ip_forward
		1092	[ -e /dev/net/tun ] \|\| {
		1093	(cd /dev;
		1094	mkdir net;
		1095	cd net;
		1096	mknod tun c 10 200)
		1097	}
1336	richard	1098	ifconfig $INTIF 0.0.0.0
1576	richard	1099	/usr/sbin/ethtool -K $INTIF gro off
799	richard	1100	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1101	RETVAL=$?
		1102	fi
		1103	;;
		1104
		1105	reload)
		1106	killall -HUP chilli
		1107	;;
		1108
		1109	restart)
		1110	\$0 stop
		1111	sleep 2
		1112	\$0 start
		1113	;;
		1114
		1115	status)
		1116	status chilli
		1117	RETVAL=0
		1118	;;
		1119
		1120	stop)
		1121	if [ -f \$pidfile ] ; then
		1122	gprintf "Shutting down \$prog: "
		1123	killproc /usr/sbin/chilli
		1124	RETVAL=\$?
		1125	[ \$RETVAL = 0 ] && rm -f $pidfile
		1126	else
		1127	gprintf "chilli is not running"
		1128	fi
		1129	;;
		1130
		1131	*)
		1132	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1133	exit 1
		1134	esac
		1135	echo
		1136	EOF
1801	richard	1137	chmod a+x /etc/init.d/chilli
		1138	ln -s /etc/init.d/chilli /usr/libexec/chilli
799	richard	1139	# conf file creation
346	richard	1140	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1141	cat <<EOF > /etc/chilli.conf
		1142	# coova config for ALCASAR
		1143	cmdsocket /var/run/chilli.sock
1336	richard	1144	unixipc chilli.$INTIF.ipc
1551	richard	1145	pidfile /var/run/chilli.pid
346	richard	1146	net $PRIVATE_NETWORK_MASK
595	richard	1147	dhcpif $INTIF
841	richard	1148	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1149	#nodynip
865	richard	1150	#statip
		1151	dynip $PRIVATE_NETWORK_MASK
1249	richard	1152	domain $DOMAIN
355	richard	1153	dns1 $PRIVATE_IP
		1154	dns2 $PRIVATE_IP
346	richard	1155	uamlisten $PRIVATE_IP
503	richard	1156	uamport 3990
837	richard	1157	macauth
		1158	macpasswd password
1697	richard	1159	strictmacauth
1243	richard	1160	locationname $HOSTNAME.$DOMAIN
346	richard	1161	radiusserver1 127.0.0.1
		1162	radiusserver2 127.0.0.1
		1163	radiussecret $secretradius
		1164	radiusauthport 1812
		1165	radiusacctport 1813
1243	richard	1166	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1167	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1168	uamsecret $secretuam
1249	richard	1169	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1170	coaport 3799
1379	richard	1171	conup $DIR_DEST_BIN/alcasar-conup.sh
		1172	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1173	include $DIR_DEST_ETC/alcasar-uamallowed
		1174	include $DIR_DEST_ETC/alcasar-uamdomain
1613	franck	1175	#dhcpgateway none
		1176	#dhcprelayagent none
1610	franck	1177	#dhcpgatewayport none
346	richard	1178	EOF
1336	richard	1179	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1180	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1181	# create files for trusted domains and urls
1148	crox53	1182	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1183	chown root:apache $DIR_DEST_ETC/alcasar-*
		1184	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1185	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1186	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1187	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1188	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1189	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1190	if [ "$chilli_exist" == "1" ]
		1191	then
		1192	userdel -r chilli 2>/dev/null
		1193	fi
		1194	groupadd -f chilli
		1195	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1196	} # End of chilli ()
1349	richard	1197
1	root	1198	##################################################################
1389	richard	1199	## Fonction "dansguardian" ##
1	root	1200	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1201	##################################################################
1389	richard	1202	dansguardian ()
1	root	1203	{
		1204	mkdir /var/dansguardian
		1205	chown dansguardian /var/dansguardian
1375	richard	1206	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1207	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1208	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1209	# By default the filter is off
1556	richard	1210	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1293	richard	1211	# French deny HTML page
497	richard	1212	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1213	# Listen only on LAN side
497	richard	1214	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1215	# DG send its flow to HAVP
		1216	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1217	# replace the default deny HTML page
1	root	1218	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1219	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1220	# Don't log
		1221	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1	root	1222	# on désactive par défaut le controle de contenu des pages html
497	richard	1223	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1224	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1225	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1226	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1227	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1228	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1721	richard	1229
		1230	# Configure Dansguardian for large site
		1231	# Minimum number of processus to handle connections
		1232	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
		1233	# Maximum number of processus to handle connections
		1234	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
		1235	# Run at least 8 daemons
		1236	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
		1237	# minimum number of processes to spawn
		1238	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
		1239	# maximum age of a child process before it croaks it
		1240	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
		1241
1	root	1242	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1243	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1244	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1245	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1246	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1247	touch $DIR_DG/lists/bannedextensionlist
		1248	touch $DIR_DG/lists/bannedmimetypelist
		1249	# 'Safesearch' regex actualisation
498	richard	1250	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1251	# empty LAN IP list that won't be WEB filtered
		1252	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1253	touch $DIR_DG/lists/exceptioniplist
		1254	# Keep a copy of URL & domain filter configuration files
		1255	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1256	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1257	} # End of dansguardian ()
1	root	1258
71	richard	1259	##################################################################
1221	richard	1260	## Fonction "antivirus" ##
1357	richard	1261	## - configuration of havp, libclamav and freshclam ##
71	richard	1262	##################################################################
		1263	antivirus ()
		1264	{
1358	richard	1265	# create 'havp' user
288	richard	1266	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1267	if [ "$havp_exist" == "1" ]
288	richard	1268	then
478	richard	1269	userdel -r havp 2>/dev/null
894	richard	1270	groupdel havp 2>/dev/null
288	richard	1271	fi
307	richard	1272	groupadd -f havp
1486	richard	1273	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366	richard	1274	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1275	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1276	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1277	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1278	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1279	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1280	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1281	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1282	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1283	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1284	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1285	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1286	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1287	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1288	# skip checking of youtube flow (too heavy load / risk too low)
		1289	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1290	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1291	echo ".youtube.com/" >> /etc/havp/whitelist
1544	richard	1292	# adapt init script and systemd unit
335	richard	1293	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1294	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1547	richard	1295	[ -e /lib/systemd/system/havp.service.default ] \|\| cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
		1296	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1544	richard	1297	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1358	richard	1298	# replace of the intercept page (template)
340	richard	1299	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1300	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1301	# update virus database every 4 hours (24h/6)
1357	richard	1302	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1303	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1304	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1305	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1306	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1307	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1308	# update now
1382	richard	1309	/usr/bin/freshclam --no-warnings
1389	richard	1310	} # End of antivirus ()
71	richard	1311
1486	richard	1312	##########################################################################
		1313	## Fonction "tinyproxy" ##
		1314	## - configuration of tinyproxy (proxy between filterde users and havp) ##
		1315	##########################################################################
1485	richard	1316	tinyproxy ()
		1317	{
1486	richard	1318	tinyproxy_exist=`grep tinyproxy /etc/passwd\|wc -l`
		1319	if [ "$tinyproxy_exist" == "1" ]
		1320	then
		1321	userdel -r tinyproxy 2>/dev/null
		1322	groupdel tinyproxy 2>/dev/null
		1323	fi
		1324	groupadd -f tinyproxy
1488	richard	1325	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1668	richard	1326	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
		1327	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1486	richard	1328	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1329	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1330	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1331	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1332	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1333	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1334	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1335	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1336	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1337	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1544	richard	1338	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
1509	richard	1339	# Create the systemd unit
		1340	cat << EOF > /lib/systemd/system/tinyproxy.service
		1341	# This file is part of systemd.
		1342	#
		1343	# systemd is free software; you can redistribute it and/or modify it
		1344	# under the terms of the GNU General Public License as published by
		1345	# the Free Software Foundation; either version 2 of the License, or
		1346	# (at your option) any later version.
1485	richard	1347
1509	richard	1348	# This unit launches tinyproxy (a very light proxy).
1518	richard	1349	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1350	[Unit]
		1351	Description=Tinyproxy Web Proxy Server
		1352	After=network.target iptables.service
		1353
		1354	[Service]
		1355	Type=forking
1518	richard	1356	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1357	ExecStartPre=/bin/sleep 2
		1358	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1359	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1360
		1361	[Install]
		1362	WantedBy=multi-user.target
		1363	EOF
		1364
1485	richard	1365	} # end of tinyproxy
1	root	1366	##################################################################################
1389	richard	1367	## function "ulogd" ##
476	richard	1368	## - Ulog config for multi-log files ##
		1369	##################################################################################
1389	richard	1370	ulogd ()
476	richard	1371	{
		1372	# Three instances of ulogd (three different logfiles)
		1373	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1374	nl=1
1358	richard	1375	for log_type in traceability ssh ext-access
478	richard	1376	do
1365	richard	1377	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1378	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1379	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1704	richard	1380	$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1554	richard	1381	if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
478	richard	1382	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1383	[emu1]
478	richard	1384	file="/var/log/firewall/$log_type.log"
		1385	sync=1
		1386	EOF
1452	richard	1387	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1388	nl=`expr $nl + 1`
		1389	done
476	richard	1390	chown -R root:apache /var/log/firewall
		1391	chmod 750 /var/log/firewall
		1392	chmod 640 /var/log/firewall/*
1389	richard	1393	} # End of ulogd ()
476	richard	1394
1159	crox53	1395
		1396	##########################################################
1389	richard	1397	## Function "nfsen" ##
1567	richard	1398	## - install the nfsen grapher ##
		1399	## - install the two plugins porttracker & surfmap ##
1159	crox53	1400	##########################################################
1389	richard	1401	nfsen()
1	root	1402	{
1569	richard	1403	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1365	richard	1404	# Add PortTracker plugin
1534	richard	1405	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1395	richard	1406	do
1536	richard	1407	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1395	richard	1408	done
1569	richard	1409	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1365	richard	1410	# use of our conf file and init unit
1569	richard	1411	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1570	richard	1412	# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1221	richard	1413	DirTmp=$(pwd)
1569	richard	1414	cd /tmp/nfsen-1.3.7/
1570	richard	1415	/usr/bin/perl install.pl etc/nfsen.conf
		1416	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1365	richard	1417	# Create RRD DB for porttracker (only in it still doesn't exist)
1570	richard	1418	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1419	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1395	richard	1420	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1421	chmod -R 770 /var/log/netflow/porttracker
1372	richard	1422	# nfsen unit for systemd
		1423	cat << EOF > /lib/systemd/system/nfsen.service
		1424	# This file is part of systemd.
		1425	#
		1426	# systemd is free software; you can redistribute it and/or modify it
		1427	# under the terms of the GNU General Public License as published by
		1428	# the Free Software Foundation; either version 2 of the License, or
		1429	# (at your option) any later version.
		1430
		1431	# This unit launches nfsen (a Netflow grapher).
		1432	[Unit]
		1433	Description= NfSen init script
		1434	After=network.target iptables.service
		1435
		1436	[Service]
		1437	Type=oneshot
		1438	RemainAfterExit=yes
1393	richard	1439	PIDFile=/var/run/nfsen/nfsen.pid
		1440	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1441	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1442	ExecStart=/usr/bin/nfsen start
		1443	ExecStop=/usr/bin/nfsen stop
1393	richard	1444	ExecReload=/usr/bin/nfsen restart
1372	richard	1445	TimeoutSec=0
		1446
		1447	[Install]
		1448	WantedBy=multi-user.target
		1449	EOF
1365	richard	1450	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1451	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1452	# expire delay for the profile "live"
1574	richard	1453	/usr/bin/systemctl start nfsen
1393	richard	1454	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1455	# add SURFmap plugin
1509	richard	1456	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1512	richard	1457	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1509	richard	1458	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1512	richard	1459	cd /tmp/
		1460	/usr/bin/sh SURFmap/install.sh
1544	richard	1461	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1365	richard	1462	# clear the installation
1221	richard	1463	cd $DirTmp
1509	richard	1464	rm -rf /tmp/nfsen*
		1465	rm -rf /tmp/SURFmap*
1389	richard	1466	} # End of nfsen ()
1	root	1467
1390	richard	1468	##################################################
1541	richard	1469	## Function "vnstat" ##
		1470	## Initialization of Vnstat and vnstat phpFE ##
		1471	##################################################
		1472	vnstat ()
		1473	{
		1474	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
		1475	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
		1476	[ -e $DIR_ACC/manager/stats/config.php.default ] \|\| cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
		1477	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
		1478	/usr/bin/vnstat -u -i $EXTIF
		1479	} # End of vnstat
		1480	##################################################
1389	richard	1481	## Function "dnsmasq" ##
1390	richard	1482	##################################################
1389	richard	1483	dnsmasq ()
219	jeremy	1484	{
		1485	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1486	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1487	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1488	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1489	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1490	cat << EOF > /etc/dnsmasq.conf
520	richard	1491	# Configuration file for "dnsmasq in forward mode"
1387	richard	1492	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1493	listen-address=$PRIVATE_IP
1390	richard	1494	pid-file=/var/run/dnsmasq.pid
259	richard	1495	listen-address=127.0.0.1
286	richard	1496	no-dhcp-interface=$INTIF
1387	richard	1497	no-dhcp-interface=tun0
		1498	no-dhcp-interface=lo
259	richard	1499	bind-interfaces
1721	richard	1500	cache-size=2048
259	richard	1501	domain=$DOMAIN
		1502	domain-needed
		1503	expand-hosts
		1504	bogus-priv
		1505	filterwin2k
		1506	server=$DNS1
		1507	server=$DNS2
1387	richard	1508	# DHCP service is configured. It will be enabled in "bypass" mode
1610	franck	1509	#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
		1510	#dhcp-option=option:router,$PRIVATE_IP
		1511	#dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1512
1387	richard	1513	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1514	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1515	EOF
1356	richard	1516	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1517	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1518	# Configuration file for "dnsmasq with blacklist"
1387	richard	1519	# Add Toulouse blacklist domains
1472	richard	1520	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1521	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1522	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1523	listen-address=$PRIVATE_IP
		1524	port=54
		1525	no-dhcp-interface=$INTIF
1387	richard	1526	no-dhcp-interface=tun0
1472	richard	1527	no-dhcp-interface=lo
498	richard	1528	bind-interfaces
1721	richard	1529	cache-size=2048
498	richard	1530	domain=$DOMAIN
		1531	domain-needed
		1532	expand-hosts
		1533	bogus-priv
		1534	filterwin2k
		1535	server=$DNS1
		1536	server=$DNS2
		1537	EOF
1379	richard	1538	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1539	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1540	# Configuration file for "dnsmasq with whitelist"
1356	richard	1541	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1542	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1543	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1544	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1545	listen-address=$PRIVATE_IP
		1546	port=55
		1547	no-dhcp-interface=$INTIF
1387	richard	1548	no-dhcp-interface=tun0
1472	richard	1549	no-dhcp-interface=lo
1356	richard	1550	bind-interfaces
1721	richard	1551	cache-size=1024
1356	richard	1552	domain=$DOMAIN
		1553	domain-needed
		1554	expand-hosts
		1555	bogus-priv
		1556	filterwin2k
1792	franck	1557	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1472	richard	1558	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
1356	richard	1559	EOF
1472	richard	1560	# 4th dnsmasq listen on udp 56 ("blackhole")
		1561	cat << EOF > /etc/dnsmasq-blackhole.conf
		1562	# Configuration file for "dnsmasq as a blackhole"
		1563	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1564	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1565	pid-file=/var/run/dnsmasq-blackhole.pid
		1566	listen-address=$PRIVATE_IP
		1567	port=56
		1568	no-dhcp-interface=$INTIF
		1569	no-dhcp-interface=tun0
		1570	no-dhcp-interface=lo
		1571	bind-interfaces
		1572	cache-size=256
		1573	domain=$DOMAIN
		1574	domain-needed
		1575	expand-hosts
		1576	bogus-priv
		1577	filterwin2k
		1578	EOF
		1579
1517	richard	1580	# the main instance should start after network and chilli (which create tun0)
1547	richard	1581	[ -e /lib/systemd/system/dnsmasq.service.default ] \|\| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1517	richard	1582	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1583	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1584	for list in blacklist whitelist blackhole
		1585	do
		1586	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1587	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1588	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1589	done
308	richard	1590	} # End dnsmasq
		1591
		1592	##########################################################
1221	richard	1593	## Fonction "BL" ##
308	richard	1594	##########################################################
		1595	BL ()
		1596	{
1384	richard	1597	# copy and extract toulouse BL
648	richard	1598	rm -rf $DIR_DG/lists/blacklists
		1599	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1600	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1601	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1602	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1603	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1604	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1605	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1606	# creation of file for the rehabilited domains and urls
648	richard	1607	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1608	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1609	touch $DIR_DG/lists/exceptionsitelist
		1610	touch $DIR_DG/lists/exceptionurllist
311	richard	1611	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1612	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1613	# Dansguardian filter config for ALCASAR
		1614	EOF
648	richard	1615	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1616	# Dansguardian domain filter config for ALCASAR
		1617	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1618	#**
		1619	# block all SSL and CONNECT tunnels
		1620	**s
		1621	# block all SSL and CONNECT tunnels specified only as an IP
		1622	*ips
		1623	# block all sites specified only by an IP
		1624	*ip
		1625	EOF
1000	richard	1626	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1627	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1628	# Bing - add 'adlt=strict'
		1629	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1630	# Youtube - add 'edufilter=your_ID'
885	richard	1631	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1632	EOF
1000	richard	1633	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1634	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1635	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1636	if [ "$mode" != "update" ]; then
1828	richard	1637	$DIR_DEST_BIN/alcasar-bl.sh --adapt
		1638	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
654	richard	1639	fi
308	richard	1640	}
219	jeremy	1641
1	root	1642	##########################################################
1221	richard	1643	## Fonction "cron" ##
1	root	1644	## - Mise en place des différents fichiers de cron ##
		1645	##########################################################
		1646	cron ()
		1647	{
		1648	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1649	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1650	cat <<EOF > /etc/crontab
1828	richard	1651	SHELL=/usr/bin/bash
		1652	PATH=/usr/sbin:/usr/bin
1	root	1653	MAILTO=root
		1654	HOME=/
		1655
		1656	# run-parts
		1657	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1658	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1659	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1660	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1661	EOF
		1662	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1663	cat <<EOF >> /etc/anacrontab
667	franck	1664	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1665	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1666	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1667	EOF
1247	crox53	1668
811	richard	1669	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1670	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1828	richard	1671	45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
905	franck	1672	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1828	richard	1673	40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1674	EOF
952	franck	1675	cat <<EOF > /etc/cron.d/alcasar-archive
		1676	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1677	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1678	EOF
1566	richard	1679	cat << EOF > /etc/cron.d/alcasar-ticket-clean
		1680	# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
		1681	30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
168	franck	1682	EOF
722	franck	1683	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1684	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1685	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1686	EOF
1159	crox53	1687
1808	richard	1688	# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
		1689	# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
		1690	# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
		1691	# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
		1692	# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1	root	1693	cat << EOF > /etc/cron.d/freeradius-web
1808	richard	1694	1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
		1695	5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
		1696	10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
		1697	15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1	root	1698	EOF
671	franck	1699	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1700	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1701	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1702	EOF
1808	richard	1703	# Enabling the watchdog every 18'
808	franck	1704	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1705	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1706	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1707	EOF
1808	richard	1708	# removing the users crons
522	richard	1709	rm -f /var/spool/cron/*
1	root	1710	} # End cron
		1711
		1712	##################################################################
1221	richard	1713	## Fonction "Fail2Ban" ##
1163	crox53	1714	##- Modification de la configuration de fail2ban ##
		1715	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1716	##################################################################
		1717	fail2ban()
		1718	{
1191	crox53	1719	$DIR_CONF/fail2ban.sh
1474	richard	1720	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1721	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1722	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1723	chmod 644 /var/log/fail2ban.log
1489	richard	1724	chmod 644 /var/Save/security/watchdog.log
1418	richard	1725	/usr/bin/touch /var/log/auth.log
1515	richard	1726	# fail2ban unit
		1727	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1728	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1729	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1730	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1163	crox53	1731	} #Fin de fail2ban_install()
		1732
		1733	##################################################################
1376	richard	1734	## Fonction "gammu_smsd" ##
		1735	## - Creation de la base de donnée Gammu ##
		1736	## - Creation du fichier de config: gammu_smsd_conf ##
		1737	## ##
		1738	##################################################################
		1739	gammu_smsd()
		1740	{
		1741	# Create 'gammu' databse
		1742	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1743	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1744	# Add a gammu database structure
1800	richard	1745	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1376	richard	1746
		1747	# config file for the daemon
		1748	cat << EOF > /etc/gammu_smsd_conf
		1749	[gammu]
		1750	port = /dev/ttyUSB0
		1751	connection = at115200
		1752
		1753	;########################################################
		1754
		1755	[smsd]
		1756
		1757	PIN = 1234
		1758
		1759	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1760	logformat = textall
		1761	debuglevel = 0
		1762
		1763	service = sql
		1764	driver = native_mysql
		1765	user = $DB_USER
		1766	password = $radiuspwd
		1767	pc = localhost
		1768	database = $DB_GAMMU
		1769
1828	richard	1770	RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1376	richard	1771
		1772	StatusFrequency = 30
1380	richard	1773	;LoopSleep = 2
1376	richard	1774
		1775	;ResetFrequency = 300
		1776	;HardResetFrequency = 120
		1777
		1778	CheckSecurity = 1
		1779	CheckSignal = 1
		1780	CheckBattery = 0
		1781	EOF
		1782
		1783	chmod 755 /etc/gammu_smsd_conf
		1784
		1785	#Creation dossier de log Gammu-smsd
1382	richard	1786	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1787	chmod 755 /var/log/gammu-smsd
		1788
		1789	#Edition du script sql gammu <-> radius
1452	richard	1790	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1791	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1792
1380	richard	1793	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1794	cat << EOF > /etc/udev/rules.d/66-huawei.rules
1828	richard	1795	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1380	richard	1796	EOF
		1797
1376	richard	1798	} # END gammu_smsd()
		1799
		1800	##################################################################
1221	richard	1801	## Fonction "post_install" ##
1	root	1802	## - Modification des bannières (locales et ssh) et des prompts ##
		1803	## - Installation de la structure de chiffrement pour root ##
		1804	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1805	## - Mise en place du la rotation des logs ##
5	franck	1806	## - Configuration dans le cas d'une mise à jour ##
1	root	1807	##################################################################
		1808	post_install()
		1809	{
		1810	# création de la bannière locale
1007	richard	1811	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1812	cp -f $DIR_CONF/banner /etc/mageia-release
		1813	echo " V$VERSION" >> /etc/mageia-release
1	root	1814	# création de la bannière SSH
1007	richard	1815	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1816	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1817	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1818	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1819	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1820	# postfix banner anonymisation
		1821	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1822	# sshd écoute côté LAN et WAN
1548	richard	1823	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1696	franck	1824	# sshd autorise les connections root par certificat
		1825	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1769	richard	1826	# Put the default values in conf file
1839	richard	1827	echo "SSH=on" >> $CONF_FILE
1631	richard	1828	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
628	richard	1829	echo "LDAP=off" >> $CONF_FILE
786	richard	1830	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1831	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1832	echo "MULTIWAN=off" >> $CONF_FILE
		1833	echo "FAILOVER=30" >> $CONF_FILE
		1834	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1835	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1836	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1837	# Coloration des prompts
		1838	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1839	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1840	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1841	# Droits d'exécution pour utilisateur apache et sysadmin
		1842	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1843	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1844	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1543	richard	1845	# Modify some logrotate files (gammu, ulogd)
1	root	1846	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1847	chmod 644 /etc/logrotate.d/*
714	franck	1848	# rectification sur versions précédentes de la compression des logs
706	franck	1849	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1850	# actualisation des fichiers logs compressés
1342	richard	1851	for dir in firewall dansguardian httpd
706	franck	1852	do
714	franck	1853	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1854	done
1221	richard	1855	# create the alcasar-load_balancing unit
		1856	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1857	# This file is part of systemd.
		1858	#
		1859	# systemd is free software; you can redistribute it and/or modify it
		1860	# under the terms of the GNU General Public License as published by
		1861	# the Free Software Foundation; either version 2 of the License, or
		1862	# (at your option) any later version.
		1863
		1864	# This unit lauches alcasar-load-balancing.sh script.
		1865	[Unit]
		1866	Description=alcasar-load_balancing.sh execution
		1867	After=network.target iptables.service
		1868
		1869	[Service]
		1870	Type=oneshot
		1871	RemainAfterExit=yes
1828	richard	1872	ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
		1873	ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1184	crox53	1874	TimeoutSec=0
		1875	SysVStartPriority=99
		1876
		1877	[Install]
		1878	WantedBy=multi-user.target
1157	stephane	1879	EOF
1221	richard	1880	# processes launched at boot time (Systemctl)
1839	richard	1881	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
1221	richard	1882	do
1574	richard	1883	/usr/bin/systemctl -q enable $i.service
1221	richard	1884	done
1452	richard	1885
		1886	# disable processes at boot time (Systemctl)
		1887	for i in ulogd
		1888	do
1574	richard	1889	/usr/bin/systemctl -q disable $i.service
1452	richard	1890	done
		1891
1221	richard	1892	# Apply French Security Agency (ANSSI) rules
1362	richard	1893	# ignore ICMP broadcast (smurf attack)
		1894	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1895	# ignore ICMP errors bogus
		1896	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1897	# remove ICMP redirects responces
		1898	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1899	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1900	# enable SYN Cookies (Syn flood attacks)
		1901	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1902	# enable kernel antispoofing
		1903	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1904	# ignore source routing
		1905	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1906	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1907	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1908	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1909	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1778	richard	1910	# disable iptables_helpers
		1911	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
1788	richard	1912	# Switch to the router mode
		1913	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
1362	richard	1914	# remove Magic SysReq Keys
1363	richard	1915	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1916	# switch to multi-users runlevel (instead of x11)
1221	richard	1917	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1600	richard	1918	# GRUB modifications (only one time)
1005	richard	1919	# limit wait time to 3s
		1920	# create an alcasar entry instead of linux-nonfb
		1921	# change display to 1024*768 (vga791)
1600	richard	1922	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst\|wc -l`
		1923	if [ $grub_already_modified == 0 ]
		1924	then
		1925	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1926	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1927	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1601	richard	1928	$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1600	richard	1929	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1930	$SED "/^gfxmenu/d" /boot/grub/menu.lst
		1931	fi
1221	richard	1932	# Load and apply the previous conf file
		1933	if [ "$mode" = "update" ]
532	richard	1934	then
1668	richard	1935	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1221	richard	1936	$DIR_DEST_BIN/alcasar-conf.sh --load
		1937	PARENT_SCRIPT=`basename $0`
		1938	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1939	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1940	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1941	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
532	richard	1942	fi
1221	richard	1943	rm -f /tmp/alcasar-conf*
		1944	chown -R root:apache $DIR_DEST_ETC/*
		1945	chmod -R 660 $DIR_DEST_ETC/*
		1946	chmod ug+x $DIR_DEST_ETC/digest
1	root	1947	cd $DIR_INSTALL
5	franck	1948	echo ""
1	root	1949	echo "#############################################################################"
638	richard	1950	if [ $Lang == "fr" ]
		1951	then
		1952	echo "# Fin d'installation d'ALCASAR #"
		1953	echo "# #"
		1954	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1955	echo "# des Accès au Réseau ( ALCASAR ) #"
		1956	echo "# #"
		1957	echo "#############################################################################"
		1958	echo
		1959	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1960	echo
		1961	echo "- Lisez attentivement la documentation d'exploitation"
		1962	echo
		1963	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1964	echo
		1965	echo " Appuyez sur 'Entrée' pour continuer"
		1966	else
		1967	echo "# Enf of ALCASAR install process #"
		1968	echo "# #"
		1969	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1970	echo "# des Accès au Réseau ( ALCASAR ) #"
		1971	echo "# #"
		1972	echo "#############################################################################"
		1973	echo
		1974	echo "- The system will be rebooted in order to operate ALCASAR"
		1975	echo
		1976	echo "- Read the exploitation documentation"
		1977	echo
		1978	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1979	echo
		1980	echo " Hit 'Enter' to continue"
		1981	fi
1782	franck	1982	sleep 2
815	richard	1983	if [ "$mode" != "update" ]
820	richard	1984	then
815	richard	1985	read a
		1986	fi
774	richard	1987	clear
1	root	1988	reboot
		1989	} # End post_install ()
		1990
		1991	#################################
1005	richard	1992	# Main Install loop #
1	root	1993	#################################
832	richard	1994	dir_exec=`dirname "$0"`
		1995	if [ $dir_exec != "." ]
		1996	then
		1997	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1998	echo "Launch this program from the ALCASAR archive directory"
		1999	exit 0
		2000	fi
		2001	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	2002	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	2003	nb_args=$#
		2004	args=$1
		2005	if [ $nb_args -eq 0 ]
		2006	then
		2007	nb_args=1
		2008	args="-h"
		2009	fi
1062	richard	2010	chmod -R u+x $DIR_SCRIPTS/*
1	root	2011	case $args in
		2012	-\? \| -h* \| --h*)
		2013	echo "$usage"
		2014	exit 0
		2015	;;
291	franck	2016	-i \| --install)
1538	richard	2017	header_install
959	franck	2018	license
1544	richard	2019	header_install
29	richard	2020	testing
595	richard	2021	# RPMs install
		2022	$DIR_SCRIPTS/alcasar-urpmi.sh
		2023	if [ "$?" != "0" ]
1	root	2024	then
595	richard	2025	exit 0
		2026	fi
1249	richard	2027	if [ -e $CONF_FILE ]
595	richard	2028	then
597	richard	2029	# Uninstall the running version
1828	richard	2030	$DIR_SCRIPTS/alcasar-uninstall.sh
595	richard	2031	fi
636	richard	2032	# Test if manual update
1362	richard	2033	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	2034	then
636	richard	2035	header_install
595	richard	2036	if [ $Lang == "fr" ]
636	richard	2037	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		2038	else echo "The configuration file of an old version has been found";
595	richard	2039	fi
597	richard	2040	response=0
		2041	PTN='^[oOnNyY]$'
		2042	until [[ $(expr $response : $PTN) -gt 0 ]]
		2043	do
		2044	if [ $Lang == "fr" ]
		2045	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2046	else echo -n "Do you want to use it (Y/n)?";
		2047	fi
		2048	read response
		2049	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2050	then rm -f /tmp/alcasar-conf*
		2051	fi
		2052	done
		2053	fi
636	richard	2054	# Test if update
1057	richard	2055	if [ -e /tmp/alcasar-conf* ]
597	richard	2056	then
		2057	if [ $Lang == "fr" ]
		2058	then echo "#### Installation avec mise à jour ####";
		2059	else echo "#### Installation with update ####";
		2060	fi
636	richard	2061	# Extract the central configuration file
1057	richard	2062	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2063	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2064	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2065	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2066	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2067	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2068	mode="update"
1	root	2069	fi
1837	richard	2070	for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2071	do
		2072	$func
1362	richard	2073	# echo "* 'debug' : end of function $func *"; read a
14	richard	2074	done
5	franck	2075	;;
291	franck	2076	-u \| --uninstall)
1828	richard	2077	if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
1	root	2078	then
597	richard	2079	if [ $Lang == "fr" ]
		2080	then echo "ALCASAR n'est pas installé!";
		2081	else echo "ALCASAR isn't installed!";
		2082	fi
1	root	2083	exit 0
		2084	fi
5	franck	2085	response=0
		2086	PTN='^[oOnN]$'
580	richard	2087	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2088	do
597	richard	2089	if [ $Lang == "fr" ]
		2090	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2091	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2092	fi
5	franck	2093	read response
		2094	done
1103	richard	2095	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2096	then
1103	richard	2097	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2098	else
		2099	rm -f /tmp/alcasar-conf*
1	root	2100	fi
597	richard	2101	# Uninstall the running version
1828	richard	2102	$DIR_SCRIPTS/alcasar-uninstall.sh
1	root	2103	;;
		2104	*)
		2105	echo "Argument inconnu :$1";
460	richard	2106	echo "Unknown argument :$1";
1	root	2107	echo "$usage"
		2108	exit 1
		2109	;;
		2110	esac
10	franck	2111	# end of script
366	franck	2112

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1839