WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
2454	tom.houday	2	# $Id: alcasar.sh 2552 2018-05-08 22:21:47Z rexy $
1	root	3
		4	# alcasar.sh
2466	richard	5	# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
		6	# This script is distributed under the Gnu General Public License (GPL)
		7	# team@alcasar.net
959	franck	8
2454	tom.houday	9	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
1157	stephane	10	# Ce programme est un logiciel libre ; This software is free and open source
2454	tom.houday	11	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		12	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		13	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		14	# Voir la Licence Publique Générale GNU pour plus de détails.
959	franck	15
672	richard	16	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	17	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	18	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
2454	tom.houday	19	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
2466	richard	20
2521	armand.ito	21	# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
1	root	22
		23	# Options :
376	franck	24	# -i or --install
		25	# -u or --uninstall
1	root	26
376	franck	27	# Functions :
1378	richard	28	# testing : connectivity tests, free space test and mageia version test
1221	richard	29	# init : Installation of RPM and scripts
		30	# network : Network parameters
2552	rexy	31	# ACC : ALCASAR Control Center installation
		32	# CA : Certification Authority initialization
1837	richard	33	# time_server : NTPd configuration
1221	richard	34	# init_db : Initilization of radius database managed with MariaDB
2421	richard	35	# freeradius : FreeRadius initialisation
1389	richard	36	# chilli : coovachilli initialisation (+authentication page)
2521	armand.ito	37	# e2guardian : E2Guardian filtering HTTP proxy configuration
1221	richard	38	# antivirus : HAVP + libclamav configuration
1485	richard	39	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	40	# ulogd : log system in userland (match NFLOG target of iptables)
2454	tom.houday	41	# nfsen : Configuration of Nfsen Netflow grapher
1253	richard	42	# dnsmasq : Name server configuration
1541	richard	43	# vnstat : little network stat daemon
2552	rexy	44	# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
1266	richard	45	# cron : Logs export + watchdog + connexion statistics
1389	richard	46	# fail2ban : Fail2ban IDS installation and configuration
		47	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
2202	richard	48	# msec : Mandriva security package configuration
2304	tom.houday	49	# letsencrypt : Let's Encrypt client
2552	rexy	50	# post_install : Security, log rotation, etc.
1	root	51
2499	tom.houday	52	DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function
1	root	53	DATE=`date '+%d %B %Y - %Hh%M'`
		54	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	55	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	56	mode="install"
1	root	57	# ***** Files parameters - paramètres fichiers *******
2552	rexy	58	DIR_INSTALL=`pwd` # current directory
1015	richard	59	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		60	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
2552	rexy	61	DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
		62	DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
		63	DIR_WEB="/var/www/html" # directory of Lighttpd
		64	DIR_DG="/etc/e2guardian" # directory of E2Guardian
		65	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
1015	richard	66	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		67	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		68	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
2552	rexy	69	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
1015	richard	70	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	71	# ***** DBMS parameters - paramètres SGBD ******
2552	rexy	72	DB_RADIUS="radius" # database name used by FreeRadius server
		73	DB_USER="radius" # user name allows to request the users database
		74	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	75	# ***** Network parameters - paramètres réseau *****
2552	rexy	76	HOSTNAME="alcasar" # default hostname
		77	DOMAIN="localdomain" # default local domain
		78	EXTIF=`/usr/sbin/ip route\|grep default\|head -n1\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1828	richard	79	INTIF=`/usr/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF\\|tun0"\|head -n1\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	80	MTU="1500"
1243	richard	81	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	82	# **** Paths - chemin des commandes *****
		83	SED="/bin/sed -i"
		84	# **************** End of global parameters *******************
		85
959	franck	86	license ()
		87	{
		88	if [ $Lang == "fr" ]
1538	richard	89	then
		90	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		91	else
		92	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	93	fi
1538	richard	94	response=0
		95	PTN='^[oOyYnN]$'
		96	until [[ $(expr $response : $PTN) -gt 0 ]]
		97	do
		98	if [ $Lang == "fr" ]
1563	franck	99	then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
1538	richard	100	else echo -n "Do you accept the terms of this license (Y/n)? : "
		101	fi
		102	read response
		103	done
		104	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		105	then
		106	exit 1
		107	fi
959	franck	108	}
		109
1	root	110	header_install ()
		111	{
		112	clear
		113	echo "-----------------------------------------------------------------------------"
460	richard	114	echo " ALCASAR V$VERSION Installation"
1	root	115	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		116	echo "-----------------------------------------------------------------------------"
1389	richard	117	}
1	root	118
2552	rexy	119	########################################################
		120	## Function "testing" ##
		121	## - Test Mageia version ##
		122	## - Test ALCASAR version (if already installed) ##
		123	## - Test free space on /var (>10G) ##
		124	## - Test Internet access ##
		125	########################################################
29	richard	126	testing ()
		127	{
1529	richard	128	# Test of Mageia version
		129	# extract the current Mageia version and hardware architecture (i586 ou X64)
		130	fic=`cat /etc/product.id`
		131	unknown_os=0
		132	old="$IFS"
		133	IFS=","
		134	set $fic
		135	for i in $*
		136	do
		137	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
2454	tom.houday	138	then
1529	richard	139	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		140	unknown_os=`expr $unknown_os + 1`
		141	fi
		142	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
2454	tom.houday	143	then
1529	richard	144	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		145	unknown_os=`expr $unknown_os + 1`
		146	fi
		147	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
2454	tom.houday	148	then
1529	richard	149	ARCH=`echo $i\|cut -d"=" -f2`
		150	unknown_os=`expr $unknown_os + 1`
		151	fi
		152	done
2149	richard	153	if [ "$ARCH" == "i586" ]
		154	then
		155	if [ $Lang == "fr" ]
		156	then echo -n "Votre architecture matérielle doit être en 64bits"
		157	else echo -n "You hardware architecture must be 64bits"
		158	fi
2482	lucas.echa	159	exit 1
2149	richard	160	fi
1529	richard	161	IFS="$old"
1362	richard	162	# Test if ALCASAR is already installed
		163	if [ -e $CONF_FILE ]
		164	then
2396	tom.houday	165	current_version=`grep ^VERSION= $CONF_FILE \| cut -d"=" -f2`
1342	richard	166	if [ $Lang == "fr" ]
1362	richard	167	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		168	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	169	fi
1362	richard	170	response=0
2458	richard	171	PTN='^[12]$'
1362	richard	172	until [[ $(expr $response : $PTN) -gt 0 ]]
		173	do
		174	if [ $Lang == "fr" ]
2458	richard	175	then
2464	richard	176	echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
2458	richard	177	else
2464	richard	178	echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
2499	tom.houday	179	fi
1362	richard	180	read response
		181	done
2458	richard	182	if [ "$response" = "2" ]
1362	richard	183	then
		184	rm -f /tmp/alcasar-conf*
		185	else
1684	richard	186	# Retrieve former NICname
2549	tom.houday	187	EXTIF_saved=`grep ^EXTIF= $CONF_FILE \| cut -d'=' -f2-` # EXTernal InterFace
		188	INTIF_saved=`grep ^INTIF= $CONF_FILE \| cut -d'=' -f2-` # INTernal InterFace
		189	[ $(/usr/sbin/ip link \| grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved \|\| echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
		190	[ $(/usr/sbin/ip link \| grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved \|\| echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
1564	richard	191	# Create the current conf file
1362	richard	192	$DIR_SCRIPTS/alcasar-conf.sh --create
		193	mode="update"
		194	fi
1529	richard	195	fi
2416	richard	196	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "6" ) ]]
1529	richard	197	then
		198	if [ -e /tmp/alcasar-conf.tar.gz ] # update
1365	richard	199	then
1529	richard	200	echo
1378	richard	201	if [ $Lang == "fr" ]
2454	tom.houday	202	then
1529	richard	203	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
1961	richard	204	echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
2416	richard	205	echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
1961	richard	206	echo "3 - Importez votre base des usagers"
1378	richard	207	else
		208	echo "The automatic update of ALCASAR can't be performed."
1961	richard	209	echo "1 - Save your traceability files and the user database"
2416	richard	210	echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
1961	richard	211	echo "3 - Import your users database"
1378	richard	212	fi
1529	richard	213	else
		214	if [ $Lang == "fr" ]
2454	tom.houday	215	then
1529	richard	216	echo "L'installation d'ALCASAR ne peut pas être réalisée."
		217	else
		218	echo "The installation of ALCASAR can't be performed."
1378	richard	219	fi
		220	fi
1529	richard	221	echo
		222	if [ $Lang == "fr" ]
2454	tom.houday	223	then
2416	richard	224	echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
1529	richard	225	else
2416	richard	226	echo "The OS must be replaced (Mageia6-64bits)"
1529	richard	227	fi
		228	exit 0
1342	richard	229	fi
1529	richard	230	if [ ! -d /var/log/netflow/porttracker ]
		231	then
2290	richard	232	# Test free space on /var
1529	richard	233	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		234	if [ $free_space -lt 10 ]
		235	then
		236	if [ $Lang == "fr" ]
		237	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		238	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		239	fi
		240	exit 0
		241	fi
		242	fi
2290	richard	243	if [ $Lang == "fr" ]
		244	then echo -n "Tests des paramètres réseau : "
2549	tom.houday	245	else echo -n "Network parameters tests: "
2290	richard	246	fi
		247	# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
2282	richard	248	cd /etc/sysconfig/network-scripts/
2290	richard	249	IF_INTERFACES=`ls ifcfg-\|cut -d"-" -f2\|grep -v "^lo"\|cut -d"" -f1`
2282	richard	250	for i in $IF_INTERFACES
		251	do
2549	tom.houday	252	if [ $(/usr/sbin/ip link \| grep -c " $i:") -eq 0 ]; then
2282	richard	253	rm -f ifcfg-$i
2454	tom.houday	254
2282	richard	255	if [ $Lang == "fr" ]
		256	then echo "Suppression : ifcfg-$i"
2549	tom.houday	257	else echo "Deleting: ifcfg-$i"
2282	richard	258	fi
		259	fi
		260	done
		261	cd $DIR_INSTALL
2290	richard	262	echo -n "."
2454	tom.houday	263	# Test Ethernet NIC links state
2290	richard	264	DOWN_IF=`/usr/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "\|grep -v "^w"`
1471	richard	265	for i in $DOWN_IF
		266	do
2290	richard	267	echo $i
1471	richard	268	if [ $Lang == "fr" ]
2454	tom.houday	269	then
1471	richard	270	echo "Échec"
		271	echo "Le lien réseau de la carte $i n'est pas actif."
		272	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		273	else
		274	echo "Failed"
		275	echo "The link state of $i interface is down."
		276	echo "Make sure that this network card is connected to a switch or an A.P."
		277	fi
		278	exit 0
		279	done
		280	echo -n "."
		281	# Test EXTIF config files
1499	richard	282	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		283	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
1686	richard	284	PUBLIC_GATEWAY=`ip route list\|grep $EXTIF\|grep ^default\|cut -d" " -f3`
1471	richard	285	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		286	then
784	richard	287	if [ $Lang == "fr" ]
2454	tom.houday	288	then
784	richard	289	echo "Échec"
		290	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		291	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	292	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	293	else
		294	echo "Failed"
		295	echo "The Internet connected network card ($EXTIF) isn't well configured."
		296	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	297	echo "Apply the new configuration 'systemctl restart network'"
784	richard	298	fi
830	richard	299	echo "DEVICE=$EXTIF"
784	richard	300	echo "IPADDR="
		301	echo "NETMASK="
		302	echo "GATEWAY="
		303	echo "DNS1="
		304	echo "DNS2="
830	richard	305	echo "ONBOOT=yes"
784	richard	306	exit 0
		307	fi
		308	echo -n "."
2290	richard	309	# Test if default GW is set on EXTIF (router or ISP provider equipment)
1686	richard	310	if [ `ip route list\|grep $EXTIF\|grep -c ^default` -ne "1" ] ; then
595	richard	311	if [ $Lang == "fr" ]
2454	tom.houday	312	then
595	richard	313	echo "Échec"
		314	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		315	echo "Réglez ce problème puis relancez ce script."
		316	else
		317	echo "Failed"
		318	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		319	echo "Resolv this problem, then restart this script."
		320	fi
29	richard	321	exit 0
		322	fi
308	richard	323	echo -n "."
2290	richard	324	# Test if default GW is alive
1499	richard	325	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	326	if [ $(expr $arp_reply) -eq 0 ]
2454	tom.houday	327	then
595	richard	328	if [ $Lang == "fr" ]
2454	tom.houday	329	then
595	richard	330	echo "Échec"
2290	richard	331	echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	332	echo "Réglez ce problème puis relancez ce script."
		333	else
		334	echo "Failed"
2290	richard	335	echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
595	richard	336	echo "Resolv this problem, then restart this script."
		337	fi
308	richard	338	exit 0
		339	fi
		340	echo -n "."
2290	richard	341	# Test Internet connectivity
29	richard	342	rm -rf /tmp/con_ok.html
308	richard	343	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	344	if [ ! -e /tmp/con_ok.html ]
		345	then
595	richard	346	if [ $Lang == "fr" ]
2454	tom.houday	347	then
595	richard	348	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		349	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		350	echo "Vérifiez la validité des adresses IP des DNS."
		351	else
		352	echo "The Internet connection try failed (google.fr)."
		353	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		354	echo "Verify the DNS IP addresses"
		355	fi
29	richard	356	exit 0
		357	fi
		358	rm -rf /tmp/con_ok.html
308	richard	359	echo ". : ok"
1389	richard	360	} # end of testing ()
302	richard	361
2552	rexy	362	#######################################################################
		363	## Function "init" ##
		364	## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
		365	## - Creation of random password for GRUB, mariadb (admin and user) ##
		366	#######################################################################
302	richard	367	init ()
		368	{
527	richard	369	if [ "$mode" != "update" ]
302	richard	370	then
		371	# On affecte le nom d'organisme
597	richard	372	header_install
302	richard	373	ORGANISME=!
		374	PTN='^[a-zA-Z0-9-]*$'
580	richard	375	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
2454	tom.houday	376	do
595	richard	377	if [ $Lang == "fr" ]
2454	tom.houday	378	then echo -n "Entrez le nom de votre organisme : "
597	richard	379	else echo -n "Enter the name of your organism : "
595	richard	380	fi
330	franck	381	read ORGANISME
613	richard	382	if [ "$ORGANISME" == "" ]
330	franck	383	then
		384	ORGANISME=!
		385	fi
		386	done
302	richard	387	fi
1	root	388	# On crée aléatoirement les mots de passe et les secrets partagés
2419	richard	389	# We create random passwords and shared secrets
628	richard	390	rm -f $PASSWD_FILE
2419	richard	391	echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
		392	grub2pwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
2454	tom.houday	393	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) \| \
		394	LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 \| \
		395	grep -v '[eE]nter password:' \| \
		396	sed -e "s/PBKDF2 hash of your password is //"`
		397	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
		398	[ -e /root/grub.default ] \|\| cp /etc/grub.d/10_linux /root/grub.default
		399	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry)
		400	chmod 0600 /boot/grub2/user.cfg
2419	richard	401	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
2454	tom.houday	402	echo "GRUB2_user=root" >> $PASSWD_FILE
		403	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
2399	tom.houday	404	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c16`
2419	richard	405	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
2412	tom.houday	406	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
2399	tom.houday	407	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c16`
2419	richard	408	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
2421	richard	409	echo "db_user=$DB_USER" >> $PASSWD_FILE
		410	echo "db_password=$radiuspwd" >> $PASSWD_FILE
2399	tom.houday	411	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c16`
2412	tom.houday	412	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
		413	echo "secret_uam=$secretuam" >> $PASSWD_FILE
2399	tom.houday	414	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c16`
2412	tom.houday	415	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
		416	echo "secret_radius=$secretradius" >> $PASSWD_FILE
628	richard	417	chmod 640 $PASSWD_FILE
1828	richard	418	# copy scripts in in /usr/local/bin
5	franck	419	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
1828	richard	420	# copy conf files in /usr/local/etc
1954	richard	421	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
1828	richard	422	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
628	richard	423	# generate central conf file
		424	cat <<EOF > $CONF_FILE
612	richard	425	##########################################
		426	## ##
		427	## ALCASAR Parameters ##
		428	## ##
		429	##########################################
1	root	430
612	richard	431	INSTALL_DATE=$DATE
		432	VERSION=$VERSION
		433	ORGANISM=$ORGANISME
1748	richard	434	HOSTNAME=$HOSTNAME
923	franck	435	DOMAIN=$DOMAIN
612	richard	436	EOF
628	richard	437	chmod o-rwx $CONF_FILE
1	root	438	} # End of init ()
		439
2552	rexy	440	#########################################################
		441	## Function "network" ##
		442	## - Define the several network address ##
		443	## - Define the DNS naming ##
		444	## - INTIF parameters (consultation network) ##
		445	## - Write "/etc/hosts" file ##
		446	## - write "hosts.allow" & "hosts.deny" files ##
		447	#########################################################
1	root	448	network ()
		449	{
		450	header_install
636	richard	451	if [ "$mode" != "update" ]
		452	then
		453	if [ $Lang == "fr" ]
		454	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		455	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		456	fi
		457	response=0
		458	PTN='^[oOyYnN]$'
		459	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	460	do
595	richard	461	if [ $Lang == "fr" ]
659	richard	462	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	463	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	464	fi
1	root	465	read response
		466	done
636	richard	467	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		468	then
		469	PRIVATE_IP_MASK="0"
		470	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		471	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	472	do
595	richard	473	if [ $Lang == "fr" ]
597	richard	474	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		475	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	476	fi
597	richard	477	read PRIVATE_IP_MASK
1	root	478	done
636	richard	479	else
2454	tom.houday	480	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
636	richard	481	fi
595	richard	482	else
2454	tom.houday	483	PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf\|cut -d"=" -f2`
637	richard	484	rm -rf conf/etc/alcasar.conf
1	root	485	fi
861	richard	486	# Define LAN side global parameters
1740	richard	487	hostnamectl set-hostname $HOSTNAME.$DOMAIN
977	richard	488	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	489	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	490	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	491	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	492	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	493	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		494	then
2454	tom.houday	495	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
1499	richard	496	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
2454	tom.houday	497	fi
1499	richard	498	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		499	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	500	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	501	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	502	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		503	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	504	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		505	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	506	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1828	richard	507	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF
841	richard	508	# Define Internet parameters
2464	richard	509	if [ "$mode" != "update" ]
2457	richard	510	then
2464	richard	511	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF \| grep '^DNS1='\| cut -d"=" -f2` # 1st DNS server
		512	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF \| grep '^DNS2=' \| cut -d"=" -f2` # 2nd DNS server
		513	else
		514	DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF \| grep '^DNS1=' \| cut -d"=" -f2` # 1st DNS server
		515	DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF \| grep '^DNS2=' \| cut -d"=" -f2` # 2nd DNS server
		516	fi
		517	if [ "$DNS1" == "" ]
		518	then
2457	richard	519	if [ $Lang == "fr" ]
		520	then
2464	richard	521	echo "L'adresse IP des serveurs DNS ne sont pas corrects"
2457	richard	522	echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
		523	else
2464	richard	524	echo "The IP address of DNS servers are not set correctly"
2457	richard	525	echo "Check the extern network card configuration ($EXTIF)"
		526	fi
		527	exit 0
		528	fi
70	franck	529	DNS1=${DNS1:=208.67.220.220}
		530	DNS2=${DNS2:=208.67.222.222}
1499	richard	531	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	532	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	533	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
2552	rexy	534	# Write network parameters in the conf file
1469	richard	535	echo "EXTIF=$EXTIF" >> $CONF_FILE
		536	echo "INTIF=$INTIF" >> $CONF_FILE
2282	richard	537	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
		538	INTERFACES=`/usr/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "^lo\\|$EXTIF\\|tun0"\|cut -d " " -f2\|tr -d ":"`
		539	for i in $INTERFACES
		540	do
		541	SUB=`echo ${i:0:2}`
		542	if [ $SUB = "wl" ]
		543	then WIFIF=$i
2454	tom.houday	544	elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
2282	richard	545	then LANIF=$i
		546	fi
		547	done
		548	if [ -n "$WIFIF" ]
		549	then echo "WIFIF=$WIFIF" >> $CONF_FILE
		550	elif [ -n "$LANIF" ]
		551	then echo "LANIF=$LANIF" >> $CONF_FILE
		552	fi
2454	tom.houday	553	#########################################################################################################
2552	rexy	554	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # test static or dynamic
1499	richard	555	if [ $IP_SETTING == "dhcp" ]
		556	then
		557	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
1585	richard	558	echo "GW=dhcp" >> $CONF_FILE
1499	richard	559	else
		560	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
1585	richard	561	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
1499	richard	562	fi
1587	richard	563	echo "DNS1=$DNS1" >> $CONF_FILE
		564	echo "DNS2=$DNS2" >> $CONF_FILE
994	franck	565	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	566	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	567	echo "DHCP=on" >> $CONF_FILE
914	franck	568	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		569	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		570	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1610	franck	571	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
		572	echo "INT_DNS_IP=none" >> $CONF_FILE
		573	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
1499	richard	574	# network default
597	richard	575	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	576	cat <<EOF > /etc/sysconfig/network
		577	NETWORKING=yes
		578	FORWARD_IPV4=true
		579	EOF
2552	rexy	580	# write "/etc/hosts"
1	root	581	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		582	cat <<EOF > /etc/hosts
503	richard	583	127.0.0.1 localhost
1736	richard	584	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME
1	root	585	EOF
2552	rexy	586	# write EXTIF (Internet) config
1499	richard	587	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		588	if [ $IP_SETTING == "dhcp" ]
		589	then
		590	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	591	DEVICE=$EXTIF
1585	richard	592	BOOTPROTO=dhcp
		593	DNS1=127.0.0.1
		594	PEERDNS=no
		595	RESOLV_MODS=yes
		596	ONBOOT=yes
1613	franck	597	NOZEROCONF=yes
1585	richard	598	METRIC=10
		599	MII_NOT_SUPPORTED=yes
		600	IPV6INIT=no
		601	IPV6TO4INIT=no
		602	ACCOUNTING=no
		603	USERCTL=no
		604	MTU=$MTU
		605	EOF
2454	tom.houday	606	else
1585	richard	607	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		608	DEVICE=$EXTIF
14	richard	609	BOOTPROTO=static
597	richard	610	IPADDR=$PUBLIC_IP
		611	NETMASK=$PUBLIC_NETMASK
		612	GATEWAY=$PUBLIC_GATEWAY
14	richard	613	DNS1=127.0.0.1
1499	richard	614	RESOLV_MODS=yes
14	richard	615	ONBOOT=yes
		616	METRIC=10
1610	franck	617	NOZEROCONF=yes
14	richard	618	MII_NOT_SUPPORTED=yes
		619	IPV6INIT=no
		620	IPV6TO4INIT=no
		621	ACCOUNTING=no
		622	USERCTL=no
994	franck	623	MTU=$MTU
14	richard	624	EOF
1499	richard	625	fi
2552	rexy	626	# write INTIF (consultation LAN) in normal mode
841	richard	627	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		628	DEVICE=$INTIF
		629	BOOTPROTO=static
		630	ONBOOT=yes
		631	NOZEROCONF=yes
		632	MII_NOT_SUPPORTED=yes
		633	IPV6INIT=no
		634	IPV6TO4INIT=no
		635	ACCOUNTING=no
		636	USERCTL=no
		637	EOF
1558	richard	638	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
2552	rexy	639	# write INTIF in bypass mode (see "alcasar-bypass.sh")
1554	richard	640	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
1	root	641	DEVICE=$INTIF
		642	BOOTPROTO=static
		643	IPADDR=$PRIVATE_IP
604	richard	644	NETMASK=$PRIVATE_NETMASK
1	root	645	ONBOOT=yes
		646	METRIC=10
		647	NOZEROCONF=yes
		648	MII_NOT_SUPPORTED=yes
14	richard	649	IPV6INIT=no
		650	IPV6TO4INIT=no
		651	ACCOUNTING=no
		652	USERCTL=no
1	root	653	EOF
2282	richard	654	######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
		655	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
		656	then
		657	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
		658	DEVICE=$WIFIF
		659	BOOTPROTO=static
		660	ONBOOT=yes
		661	NOZEROCONF=yes
		662	MII_NOT_SUPPORTED=yes
		663	IPV6INIT=no
		664	IPV6TO4INIT=no
		665	ACCOUNTING=no
		666	USERCTL=no
		667	EOF
		668	elif [ -n "$LANIF" ]
		669	then
		670	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
		671	DEVICE=$LANIF
		672	BOOTPROTO=static
		673	ONBOOT=yes
		674	NOZEROCONF=yes
		675	MII_NOT_SUPPORTED=yes
		676	IPV6INIT=no
		677	IPV6TO4INIT=no
		678	ACCOUNTING=no
		679	USERCTL=no
		680	EOF
		681	fi
2454	tom.houday	682	#########################################################################################################
2552	rexy	683	# write hosts.allow & hosts.deny
1	root	684	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		685	cat <<EOF > /etc/hosts.allow
		686	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	687	sshd: ALL
1	root	688	ntpd: $PRIVATE_NETWORK_SHORT
		689	EOF
		690	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		691	cat <<EOF > /etc/hosts.deny
		692	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		693	EOF
790	richard	694	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	695	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	696	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	697	# load conntrack ftp module
		698	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
1705	richard	699	echo "nf_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	700	# load ipt_NETFLOW module
		701	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	702	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
		703	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		704	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		705	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
1833	richard	706	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
2454	tom.houday	707	#
860	richard	708	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	709	} # End of network ()
		710
2552	rexy	711	###################################################
		712	## Function "ACC" ##
		713	## - copy ALCASAR Control Center (ACC) files ##
		714	## - configuration of the web server (Lighttpd) ##
		715	## - creation of the first ACC admin account ##
		716	## - secure the ACC access ##
		717	###################################################
1221	richard	718	ACC ()
1	root	719	{
		720	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		721	mkdir $DIR_WEB
1833	richard	722	# Copy & adapt ACC files
316	richard	723	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
		724	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		725	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		726	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		727	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		728	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	729	chown -R apache:apache $DIR_WEB/*
1833	richard	730	# copy & adapt "freeradius-web" files
		731	cp -rf $DIR_CONF/freeradius-web/ /etc/
		732	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
		733	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
		734	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		735	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		736	cat <<EOF > /etc/freeradius-web/naslist.conf
		737	nas1_name: alcasar-$ORGANISME
		738	nas1_model: Network Access Controler
		739	nas1_ip: $PRIVATE_IP
		740	nas1_port_num: 0
		741	nas1_community: public
		742	EOF
		743	chown -R apache:apache /etc/freeradius-web/
		744	# create the log & backup structure :
1489	richard	745	# - base = users database
		746	# - archive = tarball of "base + http firewall + netflow"
1833	richard	747	# - security = watchdog log
2138	richard	748	for i in base archive security activity_report;
1	root	749	do
		750	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		751	done
5	franck	752	chown -R root:apache $DIR_SAVE
1833	richard	753	# Configuring & securing php
71	richard	754	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	755	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		756	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	757	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		758	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
2397	tom.houday	759	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
		760	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
71	richard	761	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		762	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
2397	tom.houday	763	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
2488	lucas.echa	764	# Configuring & securing Lighttpd
790	richard	765	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
2488	lucas.echa	766	[ -e /etc/lighttpd/lighttpd.conf.default ] \|\| cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
		767	[ -e /etc/lighttpd/modules.conf.default ] \|\| cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
		768	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] \|\| cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
		769	[ -e /etc/php-fpm.conf ] \|\| cp /etc/php-fpm.conf /etc/php-fpm.conf.default
		770	[ -d /etc/lighttpd/vhosts.d ] \|\| mkdir /etc/lighttpd/vhosts.d
		771
		772	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
		773	cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
		774
		775	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
		776	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
		777	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
		778
		779	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
		780	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
		781	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
		782	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
		783
		784	$SED "s?^#[ ]\"mod_auth\",.? \"mod_auth\",?g" /etc/lighttpd/modules.conf
		785	$SED "s?^#[ ]\"mod_alias\",.? \"mod_alias\",?g" /etc/lighttpd/modules.conf
		786	$SED "s?^#[ ]\"mod_redirect\",.? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
		787	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
		788
		789	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
		790	$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
		791	$SED "s/^$[\t ]$var.server_name./\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
		792
		793	/usr/bin/systemctl start lighttpd
2499	tom.houday	794	/usr/bin/systemctl start php-fpm
2488	lucas.echa	795
2552	rexy	796	# Creation of the first account (in 'admin' profile)
2293	tom.houday	797	if [ "$mode" = "install" ]
		798	then
613	richard	799	header_install
1268	richard	800	# Creation of keys file for the admin account ("admin")
2293	tom.houday	801	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		802	mkdir -p $DIR_DEST_ETC/digest
		803	chmod 755 $DIR_DEST_ETC/digest
		804	until [ -s $DIR_DEST_ETC/digest/key_admin ]
2488	lucas.echa	805	do
		806	$DIR_DEST_BIN/alcasar-profil.sh --add admin
		807	done
2293	tom.houday	808	fi
2488	lucas.echa	809
2293	tom.houday	810	# Launch after coova (in order to wait tun0 to be up)
2488	lucas.echa	811	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
2293	tom.houday	812	# Log file for ACC access imputability
		813	[ -e /var/Save/security/acc_access.log ] \|\| touch /var/Save/security/acc_access.log
		814	chown root:apache /var/Save/security/acc_access.log
		815	chmod 664 /var/Save/security/acc_access.log
1389	richard	816	} # End of ACC ()
1	root	817
2552	rexy	818	##################################################################
		819	## Fonction "CA" ##
		820	## - Creating the CA and the server certificate (lighttpd) ##
		821	##################################################################
1221	richard	822	CA ()
1	root	823	{
510	richard	824	$DIR_DEST_BIN/alcasar-CA.sh
1410	richard	825
5	franck	826	chown -R root:apache /etc/pki
1	root	827	chmod -R 750 /etc/pki
1389	richard	828	} # End of CA ()
1	root	829
2552	rexy	830	#############################################################
		831	## Function "time_server" ##
		832	## - Configuring NTP server ##
		833	#############################################################
1837	richard	834	time_server ()
		835	{
		836	# Set the Internet time server
		837	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		838	cat <<EOF > /etc/ntp/step-tickers
		839	0.fr.pool.ntp.org # adapt to your country
		840	1.fr.pool.ntp.org
		841	2.fr.pool.ntp.org
		842	EOF
		843	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		844	cat <<EOF > /etc/ntp.conf
		845	server 0.fr.pool.ntp.org # adapt to your country
		846	server 1.fr.pool.ntp.org
		847	server 2.fr.pool.ntp.org
		848	server 127.127.1.0 # local clock si NTP internet indisponible ...
		849	fudge 127.127.1.0 stratum 10
		850	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
		851	restrict 127.0.0.1
		852	driftfile /var/lib/ntp/drift
		853	logfile /var/log/ntp.log
		854	disable monitor
		855	EOF
		856	chown -R ntp:ntp /var/lib/ntp
		857	# Synchronize now
		858	ntpd -q -g &
		859	} # End of time_server ()
		860
2541	rexy	861	#####################################################################
		862	## Function "init_db" ##
		863	## - Mysql initialization ##
		864	## - Set admin (root) password ##
		865	## - Remove unused users & databases ##
		866	## - Radius database creation ##
		867	## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
		868	#####################################################################
1	root	869	init_db ()
		870	{
1990	richard	871	if [ `systemctl is-active mysqld` == "active" ]
		872	then
		873	systemctl stop mysqld
		874	fi
1355	richard	875	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	876	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
1355	richard	877	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1979	richard	878	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
1980	richard	879	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
		880	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed
		881	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
2416	richard	882	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
		883	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
		884	/usr/bin/systemctl start mysqld
1963	richard	885	nb_round=1
1981	richard	886	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
1963	richard	887	do
		888	nb_round=`expr $nb_round + 1`
		889	sleep 2
		890	done
1981	richard	891	if [ ! -S /var/lib/mysql/mysql.sock ]
1963	richard	892	then
1981	richard	893	echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
1963	richard	894	exit
1955	richard	895	fi
2416	richard	896	MYSQL="/usr/bin/mysql --execute"
1355	richard	897	# Secure the server
2416	richard	898	$MYSQL="GRANT ALL PRIVILEGES ON . TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
		899	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1355	richard	900	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
2454	tom.houday	901	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	902	# Create 'radius' database
1317	richard	903	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	904	# Add an empty radius database structure
1800	richard	905	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
615	richard	906	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	907	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
2416	richard	908	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		909	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
		910	/usr/bin/systemctl unset-environment MYSQLD_OPTS
1574	richard	911	/usr/bin/systemctl daemon-reload
1389	richard	912	} # End of init_db ()
1	root	913
2423	richard	914	###################################################################
		915	## Function "freeradius" ##
		916	## - Set the configuration files ##
		917	## - Set the shared secret between coova-chilli and freeradius ##
		918	## - Adapt the Mysql conf file and counters ##
		919	###################################################################
2421	richard	920	freeradius ()
1	root	921	{
1800	richard	922	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1	root	923	chown -R radius:radius /etc/raddb
		924	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
2420	richard	925	# Set radius global parameters (radius.conf)
1	root	926	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		927	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		928	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
2420	richard	929	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
		930	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
2419	richard	931
2501	tom.houday	932	# Add ALCASAR dictionary
		933	cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
2512	tom.houday	934	echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
		935	# Add CoovaChilli dictionary
		936	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
		937	echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
2420	richard	938	# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1	root	939	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		940	cat << EOF > /etc/raddb/clients.conf
2438	richard	941	client localhost {
		942	ipaddr = 127.0.0.1
1	root	943	secret = $secretradius
2438	richard	944	shortname = chilli
2454	tom.houday	945	nas_type = other
1	root	946	}
		947	EOF
2420	richard	948	# Set Virtual server (remvove all except "alcasar virtual site")
		949	rm -f /etc/raddb/sites-enabled/*
2467	richard	950	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
		951	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
		952	chown radius:apache /etc/raddb/sites-available/alcasar*
		953	chmod 660 /etc/raddb/sites-available/alcasar*
2420	richard	954	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
2454	tom.houday	955	# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
2420	richard	956
2454	tom.houday	957	# Set modules
2465	richard	958	# Add custom LDAP "available module"
		959	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
		960	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
2422	richard	961	# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
2454	tom.houday	962	rm -rf /etc/raddb/mods-enabled/*
		963	for mods in sql sqlcounter attr_filter expiration logintime pap expr
		964	do
		965	ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
		966	done
2423	richard	967	# Configure SQL mod
2420	richard	968	[ -e /etc/raddb/mods-available/sql.default ] \|\| cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
2423	richard	969	$SED "s?^[\t ]driver =.?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
		970	$SED "s?^[\t ]dialect =.?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
2420	richard	971	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
2423	richard	972	$SED "s?^#[\t ]server =.?server = \"localhost\"?g" /etc/raddb/mods-available/sql
		973	$SED "s?^#[\t ]port =.?port = \"3306\"?g" /etc/raddb/mods-available/sql
		974	$SED "s?^#[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
		975	$SED "s?^#[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
2454	tom.houday	976	# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
2420	richard	977	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] \|\| cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
		978	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
		979	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
2421	richard	980	# sqlcounter modifications
2470	richard	981	[ -e /etc/raddb/mods-available/sqlcounter.default ] \|\| cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
		982	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
		983	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
2421	richard	984	[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] \|\| cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
		985	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
2422	richard	986	query = "\
		987	SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
		988	FROM radacct \
		989	WHERE username = '%{\${key}}' \
		990	AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
2421	richard	991	EOF
		992	[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] \|\| cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
		993	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
2422	richard	994	query = "\
		995	SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
		996	FROM radacct \
		997	WHERE username='%{\${key}}' \
		998	AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
2421	richard	999	EOF
		1000	[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] \|\| cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
		1001	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
2422	richard	1002	query = "\
2510	tom.houday	1003	SELECT IFNULL(SUM(AcctSessionTime),0) \
		1004	FROM radacct \
		1005	WHERE username='%{\${key}}'"
		1006	EOF
		1007	[ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] \|\| cp /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default
		1008	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
		1009	query = "\
2422	richard	1010	SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
2421	richard	1011	FROM radacct \
2510	tom.houday	1012	WHERE username='%{\${key}}' \
2421	richard	1013	ORDER BY acctstarttime \
		1014	LIMIT 1),0)"
		1015	EOF
		1016	# make certain that mysql is up before freeradius start
1358	richard	1017	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		1018	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1574	richard	1019	/usr/bin/systemctl daemon-reload
2420	richard	1020	# Allow apache to change some conf files (ie : ldap on/off)
		1021	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
2454	tom.houday	1022
2421	richard	1023	} # End freeradius ()
1	root	1024
2423	richard	1025	#############################################################################
2552	rexy	1026	## Function "chilli" ##
2423	richard	1027	## - Creation of the conf file and init file (systemd) for coova-chilli ##
		1028	## - Adapt the authentication web page (intercept.php) ##
		1029	#############################################################################
1389	richard	1030	chilli ()
1	root	1031	{
1370	richard	1032	# chilli unit for systemd
2324	tom.houday	1033	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1034	# This file is part of systemd.
		1035	#
		1036	# systemd is free software; you can redistribute it and/or modify it
		1037	# under the terms of the GNU General Public License as published by
		1038	# the Free Software Foundation; either version 2 of the License, or
		1039	# (at your option) any later version.
1370	richard	1040	[Unit]
		1041	Description=chilli is a captive portal daemon
		1042	After=network.target
		1043
		1044	[Service]
1379	richard	1045	Type=forking
1370	richard	1046	ExecStart=/usr/libexec/chilli start
		1047	ExecStop=/usr/libexec/chilli stop
		1048	ExecReload=/usr/libexec/chilli reload
		1049	PIDFile=/var/run/chilli.pid
		1050
		1051	[Install]
		1052	WantedBy=multi-user.target
		1053	EOF
799	richard	1054	# init file creation
1370	richard	1055	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
1801	richard	1056	cat <<EOF > /etc/init.d/chilli
799	richard	1057	#!/bin/sh
		1058	#
		1059	# chilli CoovaChilli init
		1060	#
		1061	# chkconfig: 2345 65 35
		1062	# description: CoovaChilli
		1063	### BEGIN INIT INFO
		1064	# Provides: chilli
2454	tom.houday	1065	# Required-Start: network
		1066	# Should-Start:
799	richard	1067	# Required-Stop: network
2454	tom.houday	1068	# Should-Stop:
799	richard	1069	# Default-Start: 2 3 5
		1070	# Default-Stop:
		1071	# Description: CoovaChilli access controller
		1072	### END INIT INFO
		1073
		1074	[ -f /usr/sbin/chilli ] \|\| exit 0
		1075	. /etc/init.d/functions
		1076	CONFIG=/etc/chilli.conf
		1077	pidfile=/var/run/chilli.pid
		1078	[ -f \$CONFIG ] \|\| {
2394	tom.houday	1079	echo "\$CONFIG Not found"
		1080	exit 0
799	richard	1081	}
2376	tom.houday	1082	current_users_file="/var/tmp/havp/current_users.txt" # file containing active users
799	richard	1083	RETVAL=0
		1084	prog="chilli"
		1085	case \$1 in
2394	tom.houday	1086	start)
2454	tom.houday	1087	if [ -f \$pidfile ] ; then
2394	tom.houday	1088	gprintf "chilli is already running"
		1089	else
		1090	gprintf "Starting \$prog: "
		1091	echo '' > \$current_users_file && chown apache:apache \$current_users_file
		1092	rm -f /var/run/chilli* # cleaning
		1093	/usr/sbin/modprobe tun >/dev/null 2>&1
		1094	echo 1 > /proc/sys/net/ipv4/ip_forward
		1095	[ -e /dev/net/tun ] \|\| {
2454	tom.houday	1096	(cd /dev;
		1097	mkdir net;
		1098	cd net;
2394	tom.houday	1099	mknod tun c 10 200)
		1100	}
		1101	ifconfig $INTIF 0.0.0.0
		1102	/usr/sbin/ethtool -K $INTIF gro off
		1103	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1104	RETVAL=\$?
		1105	fi
		1106	;;
799	richard	1107
2394	tom.houday	1108	reload)
		1109	killall -HUP chilli
		1110	;;
799	richard	1111
2394	tom.houday	1112	restart)
		1113	\$0 stop
		1114	sleep 2
		1115	\$0 start
		1116	;;
799	richard	1117
2394	tom.houday	1118	status)
		1119	status chilli
		1120	RETVAL=0
		1121	;;
		1122
		1123	stop)
2454	tom.houday	1124	if [ -f \$pidfile ] ; then
2394	tom.houday	1125	gprintf "Shutting down \$prog: "
		1126	killproc /usr/sbin/chilli
		1127	RETVAL=\$?
		1128	[ \$RETVAL = 0 ] && rm -f \$pidfile
		1129	[ -e \$current_users_file ] && rm -f \$current_users_file
2454	tom.houday	1130	else
2394	tom.houday	1131	gprintf "chilli is not running"
		1132	fi
		1133	;;
		1134
		1135	*)
		1136	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1137	exit 1
799	richard	1138	esac
		1139	echo
		1140	EOF
2324	tom.houday	1141	chmod a+x /etc/init.d/chilli
		1142	ln -s /etc/init.d/chilli /usr/libexec/chilli
799	richard	1143	# conf file creation
346	richard	1144	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
2016	raphael.pi	1145	#NTP Option configuration for DHCP
2032	richard	1146	#DHCP Options : rfc2132
		1147	#dhcp option value will be convert in hexa.
		1148	#NTP option (or 'option 42') is like :
2454	tom.houday	1149	#
2032	richard	1150	# Code Len Address 1 Address 2
		1151	# +-----+-----+-----+-----+-----+-----+-----+-----+--
		1152	# \| 42 \| n \| a1 \| a2 \| a3 \| a4 \| a1 \| a2 \| ...
		1153	# +-----+-----+-----+-----+-----+-----+-----+-----+--
		1154	#
		1155	#Code : 42 => 2a
		1156	#Len : 4 => 04
2016	raphael.pi	1157	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP \| cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP \| cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP \| cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP \| cut -d'.' -f4))
346	richard	1158	cat <<EOF > /etc/chilli.conf
		1159	# coova config for ALCASAR
		1160	cmdsocket /var/run/chilli.sock
1336	richard	1161	unixipc chilli.$INTIF.ipc
1551	richard	1162	pidfile /var/run/chilli.pid
346	richard	1163	net $PRIVATE_NETWORK_MASK
595	richard	1164	dhcpif $INTIF
841	richard	1165	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1166	#nodynip
865	richard	1167	#statip
		1168	dynip $PRIVATE_NETWORK_MASK
1249	richard	1169	domain $DOMAIN
355	richard	1170	dns1 $PRIVATE_IP
		1171	dns2 $PRIVATE_IP
346	richard	1172	uamlisten $PRIVATE_IP
503	richard	1173	uamport 3990
2370	tom.houday	1174	uamuiport 3991
837	richard	1175	macauth
		1176	macpasswd password
1697	richard	1177	strictmacauth
1243	richard	1178	locationname $HOSTNAME.$DOMAIN
346	richard	1179	radiusserver1 127.0.0.1
		1180	radiusserver2 127.0.0.1
		1181	radiussecret $secretradius
		1182	radiusauthport 1812
		1183	radiusacctport 1813
1243	richard	1184	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
2374	tom.houday	1185	redirurl
1243	richard	1186	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1187	uamsecret $secretuam
1249	richard	1188	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1189	coaport 3799
1379	richard	1190	conup $DIR_DEST_BIN/alcasar-conup.sh
		1191	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1192	include $DIR_DEST_ETC/alcasar-uamallowed
		1193	include $DIR_DEST_ETC/alcasar-uamdomain
2016	raphael.pi	1194	dhcpopt 2a04$PRIVATE_IP_HEXA
1613	franck	1195	#dhcpgateway none
		1196	#dhcprelayagent none
1610	franck	1197	#dhcpgatewayport none
2234	richard	1198	sslkeyfile /etc/pki/tls/private/alcasar.key
		1199	sslcertfile /etc/pki/tls/certs/alcasar.crt
		1200	redirssl
2370	tom.houday	1201	uamuissl
346	richard	1202	EOF
2274	richard	1203	# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1204	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
2274	richard	1205	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
840	richard	1206	# create files for trusted domains and urls
1148	crox53	1207	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1208	chown root:apache $DIR_DEST_ETC/alcasar-*
		1209	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1210	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1211	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
796	richard	1212	# user 'chilli' creation (in order to run conup/off and up/down scripts
2396	tom.houday	1213	chilli_exist=`grep -c ^chilli: /etc/passwd`
796	richard	1214	if [ "$chilli_exist" == "1" ]
		1215	then
2454	tom.houday	1216	userdel -r chilli 2>/dev/null
796	richard	1217	fi
		1218	groupadd -f chilli
		1219	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1220	} # End of chilli ()
1349	richard	1221
2541	rexy	1222	################################################################
2521	armand.ito	1223	## Function "e2guardian" ##
2541	rexy	1224	## - Set the parameters of this HTML proxy (as controler) ##
		1225	################################################################
2521	armand.ito	1226	e2guardian ()
1	root	1227	{
2521	armand.ito	1228	mkdir -p /var/e2guardian /var/log/e2guardian
		1229	chown -R e2guardian /var/e2guardian /var/log/e2guardian
		1230	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
		1231	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
		1232	[ -e $DIR_DG/e2guardian.conf.default ] \|\| cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
2454	tom.houday	1233	# By default the filter is off
2521	armand.ito	1234	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1293	richard	1235	# French deny HTML page
2521	armand.ito	1236	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1293	richard	1237	# Listen only on LAN side
2521	armand.ito	1238	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1342	richard	1239	# DG send its flow to HAVP
2521	armand.ito	1240	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1293	richard	1241	# replace the default deny HTML page
2521	armand.ito	1242	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
		1243	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1293	richard	1244	# Don't log
2521	armand.ito	1245	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
2519	rexy	1246	# # Change the default report page
2521	armand.ito	1247	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
2519	rexy	1248	# Disable HTML content control
2521	armand.ito	1249	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
497	richard	1250	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1251	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
2519	rexy	1252	# Disable URL control with regex
497	richard	1253	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1254	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
2521	armand.ito	1255	# Configure E2guardian for large site
1721	richard	1256	# Minimum number of processus to handle connections
2521	armand.ito	1257	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1721	richard	1258	# Maximum number of processus to handle connections
2521	armand.ito	1259	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1721	richard	1260	# Run at least 8 daemons
2521	armand.ito	1261	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1721	richard	1262	# minimum number of processes to spawn
2521	armand.ito	1263	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1721	richard	1264	# maximum age of a child process before it croaks it
2521	armand.ito	1265	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
2519	rexy	1266	# Disable download files control
2521	armand.ito	1267	[ -e $DIR_DG/e2guardianf1.conf.default ] \|\| cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
		1268	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
497	richard	1269	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1270	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1271	touch $DIR_DG/lists/bannedextensionlist
		1272	touch $DIR_DG/lists/bannedmimetypelist
		1273	# 'Safesearch' regex actualisation
498	richard	1274	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1275	# empty LAN IP list that won't be WEB filtered
		1276	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1277	touch $DIR_DG/lists/exceptioniplist
		1278	# Keep a copy of URL & domain filter configuration files
		1279	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1280	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
2521	armand.ito	1281	} # End of e2guardian ()
1	root	1282
71	richard	1283	##################################################################
2519	rexy	1284	## Function "antivirus" ##
		1285	## - Set the parameters of havp, libclamav and freshclam ##
71	richard	1286	##################################################################
2454	tom.houday	1287	antivirus ()
71	richard	1288	{
1358	richard	1289	# create 'havp' user
2396	tom.houday	1290	havp_exist=`grep -c ^havp: /etc/passwd`
307	richard	1291	if [ "$havp_exist" == "1" ]
288	richard	1292	then
2454	tom.houday	1293	userdel -r havp 2>/dev/null
		1294	groupdel havp 2>/dev/null
288	richard	1295	fi
307	richard	1296	groupadd -f havp
1486	richard	1297	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1841	richard	1298	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1484	richard	1299	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1841	richard	1300	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
109	richard	1301	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1302	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1303	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1304	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1305	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1306	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1307	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1308	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1309	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1310	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1311	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1312	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1313	# skip checking of youtube flow (too heavy load / risk too low)
		1314	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1315	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1316	echo ".youtube.com/" >> /etc/havp/whitelist
1544	richard	1317	# adapt init script and systemd unit
335	richard	1318	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1319	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1547	richard	1320	[ -e /lib/systemd/system/havp.service.default ] \|\| cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
		1321	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1544	richard	1322	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1358	richard	1323	# replace of the intercept page (template)
340	richard	1324	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1325	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1326	# update virus database every 4 hours (24h/6)
1357	richard	1327	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1328	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1329	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1330	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1331	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1332	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1333	# update now
1382	richard	1334	/usr/bin/freshclam --no-warnings
1389	richard	1335	} # End of antivirus ()
71	richard	1336
2519	rexy	1337	################################################################################
		1338	## Function "tinyproxy" ##
2552	rexy	1339	## - Set the parameters of tinyproxy (proxy between filtered users and havp) ##
2519	rexy	1340	################################################################################
2454	tom.houday	1341	tinyproxy ()
1485	richard	1342	{
2396	tom.houday	1343	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1486	richard	1344	if [ "$tinyproxy_exist" == "1" ]
		1345	then
2454	tom.houday	1346	userdel -r tinyproxy 2>/dev/null
		1347	groupdel tinyproxy 2>/dev/null
1486	richard	1348	fi
		1349	groupadd -f tinyproxy
1488	richard	1350	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1668	richard	1351	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
		1352	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1486	richard	1353	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1354	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1355	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1356	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1357	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1358	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1359	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1360	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1361	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1362	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1544	richard	1363	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
1509	richard	1364	# Create the systemd unit
		1365	cat << EOF > /lib/systemd/system/tinyproxy.service
		1366	# This file is part of systemd.
		1367	#
		1368	# systemd is free software; you can redistribute it and/or modify it
		1369	# under the terms of the GNU General Public License as published by
		1370	# the Free Software Foundation; either version 2 of the License, or
		1371	# (at your option) any later version.
1485	richard	1372
1509	richard	1373	# This unit launches tinyproxy (a very light proxy).
1518	richard	1374	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1375	[Unit]
		1376	Description=Tinyproxy Web Proxy Server
		1377	After=network.target iptables.service
		1378
		1379	[Service]
		1380	Type=forking
1518	richard	1381	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1382	ExecStartPre=/bin/sleep 2
		1383	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1384	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1385
		1386	[Install]
		1387	WantedBy=multi-user.target
		1388	EOF
		1389
1485	richard	1390	} # end of tinyproxy
2519	rexy	1391	##############################################################################
		1392	## function "ulogd" ##
		1393	## - Ulog config for multi-log files ##
		1394	##############################################################################
1389	richard	1395	ulogd ()
476	richard	1396	{
		1397	# Three instances of ulogd (three different logfiles)
		1398	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1399	nl=1
1358	richard	1400	for log_type in traceability ssh ext-access
478	richard	1401	do
1365	richard	1402	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1403	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1404	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1704	richard	1405	$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
478	richard	1406	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1407	[emu1]
478	richard	1408	file="/var/log/firewall/$log_type.log"
		1409	sync=1
		1410	EOF
1452	richard	1411	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1412	nl=`expr $nl + 1`
		1413	done
476	richard	1414	chown -R root:apache /var/log/firewall
		1415	chmod 750 /var/log/firewall
		1416	chmod 640 /var/log/firewall/*
1389	richard	1417	} # End of ulogd ()
476	richard	1418
1159	crox53	1419
		1420	##########################################################
2519	rexy	1421	## Function "nfsen" ##
		1422	## - install the nfsen grapher ##
		1423	## - install the two plugins porttracker & surfmap ##
1159	crox53	1424	##########################################################
1389	richard	1425	nfsen()
1	root	1426	{
2330	tom.houday	1427	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1365	richard	1428	# Add PortTracker plugin
1534	richard	1429	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1395	richard	1430	do
2330	tom.houday	1431	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1395	richard	1432	done
2330	tom.houday	1433	$SED "s?^my \$PORTSDBDIR =.?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-/contrib/PortTracker/PortTracker.pm
1365	richard	1434	# use of our conf file and init unit
2330	tom.houday	1435	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1570	richard	1436	# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1221	richard	1437	DirTmp=$(pwd)
2330	tom.houday	1438	cd /tmp/nfsen-*/
1570	richard	1439	/usr/bin/perl install.pl etc/nfsen.conf
		1440	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1365	richard	1441	# Create RRD DB for porttracker (only in it still doesn't exist)
1570	richard	1442	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1443	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1395	richard	1444	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1445	chmod -R 770 /var/log/netflow/porttracker
1372	richard	1446	# nfsen unit for systemd
2330	tom.houday	1447	cat << EOF > /lib/systemd/system/nfsen.service
1372	richard	1448	# This file is part of systemd.
		1449	#
		1450	# systemd is free software; you can redistribute it and/or modify it
		1451	# under the terms of the GNU General Public License as published by
		1452	# the Free Software Foundation; either version 2 of the License, or
		1453	# (at your option) any later version.
		1454
		1455	# This unit launches nfsen (a Netflow grapher).
		1456	[Unit]
		1457	Description= NfSen init script
		1458	After=network.target iptables.service
		1459
		1460	[Service]
		1461	Type=oneshot
		1462	RemainAfterExit=yes
1393	richard	1463	PIDFile=/var/run/nfsen/nfsen.pid
		1464	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1465	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
2454	tom.houday	1466	ExecStart=/usr/bin/nfsen start
1372	richard	1467	ExecStop=/usr/bin/nfsen stop
1393	richard	1468	ExecReload=/usr/bin/nfsen restart
1372	richard	1469	TimeoutSec=0
		1470
		1471	[Install]
		1472	WantedBy=multi-user.target
		1473	EOF
1365	richard	1474	# Add the listen port to collect netflow packet (nfcapd)
2454	tom.houday	1475	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1476	# expire delay for the profile "live"
1574	richard	1477	/usr/bin/systemctl start nfsen
1393	richard	1478	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1479	# add SURFmap plugin
2330	tom.houday	1480	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1512	richard	1481	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
2330	tom.houday	1482	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1512	richard	1483	cd /tmp/
		1484	/usr/bin/sh SURFmap/install.sh
2330	tom.houday	1485	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1365	richard	1486	# clear the installation
1221	richard	1487	cd $DirTmp
2330	tom.houday	1488	rm -rf /tmp/nfsen-*
2331	tom.houday	1489	rm -rf /tmp/SURFmap*
1389	richard	1490	} # End of nfsen ()
1	root	1491
2552	rexy	1492	###########################################################
		1493	## Function "vnstat" ##
		1494	## - Initialization of Vnstat and vnstat phpFrontEnd ##
		1495	###########################################################
1541	richard	1496	vnstat ()
		1497	{
2330	tom.houday	1498	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
		1499	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
		1500	[ -e $DIR_ACC/manager/stats/config.php.default ] \|\| cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
		1501	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
		1502	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1541	richard	1503	/usr/bin/vnstat -u -i $EXTIF
2281	tom.houday	1504	} # End of vnstat
		1505
2541	rexy	1506	################################################################
2552	rexy	1507	## Function "dnsmasq" ##
2541	rexy	1508	## - creation of the conf files of the 4 intances of dnsmasq ##
		1509	################################################################
1389	richard	1510	dnsmasq ()
219	jeremy	1511	{
		1512	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1472	richard	1513	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
2454	tom.houday	1514	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
		1515	cat << EOF > /etc/dnsmasq.conf
520	richard	1516	# Configuration file for "dnsmasq in forward mode"
1387	richard	1517	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1518	listen-address=$PRIVATE_IP
1390	richard	1519	pid-file=/var/run/dnsmasq.pid
259	richard	1520	listen-address=127.0.0.1
286	richard	1521	no-dhcp-interface=$INTIF
1387	richard	1522	no-dhcp-interface=tun0
		1523	no-dhcp-interface=lo
259	richard	1524	bind-interfaces
1721	richard	1525	cache-size=2048
259	richard	1526	domain-needed
		1527	expand-hosts
		1528	bogus-priv
		1529	filterwin2k
		1530	server=$DNS1
		1531	server=$DNS2
1387	richard	1532	# DHCP service is configured. It will be enabled in "bypass" mode
1610	franck	1533	#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
		1534	#dhcp-option=option:router,$PRIVATE_IP
		1535	#dhcp-option=option:ntp-server,$PRIVATE_IP
1961	richard	1536	#domain=$DOMAIN
259	richard	1537
1387	richard	1538	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1539	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1540	EOF
1356	richard	1541	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1928	richard	1542	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1543	# Configuration file for "dnsmasq with blacklist"
1873	richard	1544	# Add Toulouse University blacklist domains
1472	richard	1545	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1546	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1547	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1548	listen-address=$PRIVATE_IP
		1549	port=54
		1550	no-dhcp-interface=$INTIF
1387	richard	1551	no-dhcp-interface=tun0
1472	richard	1552	no-dhcp-interface=lo
498	richard	1553	bind-interfaces
1721	richard	1554	cache-size=2048
498	richard	1555	domain-needed
		1556	expand-hosts
		1557	bogus-priv
		1558	filterwin2k
2009	raphael.pi	1559	log-queries
		1560	log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
498	richard	1561	server=$DNS1
		1562	server=$DNS2
		1563	EOF
1379	richard	1564	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1928	richard	1565	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1566	# Configuration file for "dnsmasq with whitelist"
1873	richard	1567	# ADD Toulouse university whitelist domains
1472	richard	1568	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1569	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1570	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1571	listen-address=$PRIVATE_IP
		1572	port=55
		1573	no-dhcp-interface=$INTIF
1387	richard	1574	no-dhcp-interface=tun0
1472	richard	1575	no-dhcp-interface=lo
1356	richard	1576	bind-interfaces
1721	richard	1577	cache-size=1024
1356	richard	1578	domain-needed
		1579	expand-hosts
		1580	bogus-priv
		1581	filterwin2k
1867	raphael.pi	1582	ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
2454	tom.houday	1583	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
1356	richard	1584	EOF
1472	richard	1585	# 4th dnsmasq listen on udp 56 ("blackhole")
1928	richard	1586	cat << EOF > /etc/dnsmasq-blackhole.conf
1472	richard	1587	# Configuration file for "dnsmasq as a blackhole"
		1588	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1589	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1590	pid-file=/var/run/dnsmasq-blackhole.pid
		1591	listen-address=$PRIVATE_IP
		1592	port=56
		1593	no-dhcp-interface=$INTIF
		1594	no-dhcp-interface=tun0
		1595	no-dhcp-interface=lo
		1596	bind-interfaces
		1597	cache-size=256
		1598	domain-needed
		1599	expand-hosts
		1600	bogus-priv
		1601	filterwin2k
		1602	EOF
		1603
1517	richard	1604	# the main instance should start after network and chilli (which create tun0)
1547	richard	1605	[ -e /lib/systemd/system/dnsmasq.service.default ] \|\| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1517	richard	1606	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1607	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1608	for list in blacklist whitelist blackhole
		1609	do
		1610	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1611	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1612	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1613	done
308	richard	1614	} # End dnsmasq
		1615
2552	rexy	1616	##########################################################
		1617	## Function "BL" ##
		1618	## - copy Toulouse BL ##
		1619	## - adapt this BL to ALCASAR architecture ##
		1620	## - domain names for dnsmasq-bl & dnasmasq-wl ##
		1621	## - URLs for E²guardian ##
		1622	## - IPs for NetFilter ##
		1623	##########################################################
308	richard	1624	BL ()
		1625	{
1930	richard	1626	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
648	richard	1627	rm -rf $DIR_DG/lists/blacklists
1930	richard	1628	mkdir -p /tmp/blacklists
1938	richard	1629	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1383	richard	1630	# creation of file for the rehabilited domains and urls
648	richard	1631	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1632	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1633	touch $DIR_DG/lists/exceptionsitelist
		1634	touch $DIR_DG/lists/exceptionurllist
2521	armand.ito	1635	# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
648	richard	1636	cat <<EOF > $DIR_DG/lists/bannedurllist
2521	armand.ito	1637	# E2guardian filter config for ALCASAR
311	richard	1638	EOF
648	richard	1639	cat <<EOF > $DIR_DG/lists/bannedsitelist
2521	armand.ito	1640	# E2guardian domain filter config for ALCASAR
311	richard	1641	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1642	#**
		1643	# block all SSL and CONNECT tunnels
		1644	**s
		1645	# block all SSL and CONNECT tunnels specified only as an IP
		1646	*ips
		1647	# block all sites specified only by an IP
		1648	*ip
		1649	EOF
1852	raphael.pi	1650	# Add Bing to the safesearch url regext list (parental control)
878	richard	1651	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1652	# Bing - add 'adlt=strict'
		1653	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1654	EOF
1913	richard	1655	# change the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1656	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1925	richard	1657	# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1957	richard	1658	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
		1659	touch $DIR_DG/lists/blacklists/ossi-bl/domains
		1660	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
		1661	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
		1662	touch $DIR_DG/lists/blacklists/ossi-wl/domains
		1663	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1927	richard	1664	# add custom ALCASAR BL files
1957	richard	1665	for x in $(ls $DIR_BLACKLIST \| grep -v "^blacklist")
		1666	do
		1667	mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
		1668	cp $DIR_BLACKLIST/$x $DIR_DG/lists/blacklists/ossi-bl-$x/domains
		1669	echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
		1670	done
2521	armand.ito	1671	chown -R e2guardian:apache $DIR_DG
1957	richard	1672	chown -R root:apache $DIR_DEST_SHARE
		1673	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1927	richard	1674	# adapt the Toulouse BL to ALCASAR architecture
1957	richard	1675	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1925	richard	1676	# enable the default categories
1957	richard	1677	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
2314	richard	1678	} # End BL()
219	jeremy	1679
2552	rexy	1680	#######################################################
		1681	## Function "cron" ##
		1682	## - write all cron & anacron files ##
		1683	#######################################################
1	root	1684	cron ()
		1685	{
		1686	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1687	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1688	cat <<EOF > /etc/crontab
1828	richard	1689	SHELL=/usr/bin/bash
		1690	PATH=/usr/sbin:/usr/bin
1	root	1691	MAILTO=root
		1692	HOME=/
		1693
		1694	# run-parts
		1695	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1696	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1697	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1698	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1699	EOF
		1700	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1701	cat <<EOF >> /etc/anacrontab
2454	tom.houday	1702	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1703	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1704	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1705	EOF
1247	crox53	1706
811	richard	1707	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1708	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1828	richard	1709	45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
905	franck	1710	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1828	richard	1711	40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1712	EOF
952	franck	1713	cat <<EOF > /etc/cron.d/alcasar-archive
		1714	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1715	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1716	EOF
2454	tom.houday	1717	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1566	richard	1718	# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
		1719	30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
168	franck	1720	EOF
2454	tom.houday	1721	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
722	franck	1722	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1723	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1724	EOF
1159	crox53	1725
2454	tom.houday	1726	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1808	richard	1727	# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
		1728	# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
		1729	# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
		1730	# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
		1731	# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
2009	raphael.pi	1732	# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1808	richard	1733	1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
		1734	5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
		1735	10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
		1736	15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
2009	raphael.pi	1737	35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1	root	1738	EOF
2454	tom.houday	1739	cat <<EOF > /etc/cron.d/alcasar-watchdog
1945	richard	1740	# run the "watchdog" every 3'
		1741	# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
2395	tom.houday	1742	/10 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1905	raphael.pi	1743
2228	franck	1744	#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1	root	1745	EOF
1808	richard	1746	# Enabling the watchdog every 18'
2454	tom.houday	1747	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1945	richard	1748	# activate the daemon-watchdog after boot process
1851	franck	1749	@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1945	richard	1750	# activate the daemon-watchdog every 18'
808	franck	1751	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1752	EOF
1862	raphael.pi	1753
1874	raphael.pi	1754	# Enabling category update from rsync
2454	tom.houday	1755	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
		1756	# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
1905	raphael.pi	1757
1874	raphael.pi	1758	EOF
1862	raphael.pi	1759
2304	tom.houday	1760	# Renew the Let's Encrypt certificate
		1761	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
		1762	# Automatic renew of the Let's Encrypt certificate
		1763	@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
		1764	EOF
		1765
1808	richard	1766	# removing the users crons
522	richard	1767	rm -f /var/spool/cron/*
2314	richard	1768	} # End cron()
1	root	1769
2552	rexy	1770	######################################################################
		1771	## Fonction "Fail2Ban" ##
		1772	##- Adapt conf file to ALCASAR ##
		1773	##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
		1774	######################################################################
1163	crox53	1775	fail2ban()
		1776	{
2243	tom.houday	1777	/usr/bin/sh $DIR_CONF/fail2ban.sh
1474	richard	1778	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1779	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1780	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1781	chmod 644 /var/log/fail2ban.log
1489	richard	1782	chmod 644 /var/Save/security/watchdog.log
1418	richard	1783	/usr/bin/touch /var/log/auth.log
1515	richard	1784	# fail2ban unit
		1785	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1786	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1787	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
2488	lucas.echa	1788	$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
2314	richard	1789	} # End fail2ban()
1163	crox53	1790
2552	rexy	1791	#########################################################
		1792	## Fonction "gammu_smsd" ##
		1793	## - Creating of SMS management database ##
		1794	## - Write the gammu a gammu_smsd conf files ##
		1795	#########################################################
1376	richard	1796	gammu_smsd()
		1797	{
		1798	# Create 'gammu' databse
2421	richard	1799	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1376	richard	1800	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1801	# Add a gammu database structure
1800	richard	1802	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1376	richard	1803
2552	rexy	1804	# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
		1805	cat << EOF > /etc/gammurc
		1806	[gammu]
		1807	device = /dev/ttyUSB0
		1808	connection = at115200
		1809	EOF
		1810
1376	richard	1811	cat << EOF > /etc/gammu_smsd_conf
		1812	[gammu]
		1813	port = /dev/ttyUSB0
		1814	connection = at115200
		1815
		1816	[smsd]
		1817	PIN = 1234
		1818	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1819	logformat = textall
		1820	debuglevel = 0
		1821
		1822	service = sql
		1823	driver = native_mysql
		1824	user = $DB_USER
		1825	password = $radiuspwd
		1826	pc = localhost
		1827	database = $DB_GAMMU
		1828
1828	richard	1829	RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1376	richard	1830
		1831	StatusFrequency = 30
1380	richard	1832	;LoopSleep = 2
1376	richard	1833
		1834	;ResetFrequency = 300
		1835	;HardResetFrequency = 120
		1836
2454	tom.houday	1837	CheckSecurity = 1
1376	richard	1838	CheckSignal = 1
		1839	CheckBattery = 0
		1840	EOF
		1841
2552	rexy	1842	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1376	richard	1843
2314	richard	1844	# Log folder for gammu-smsd
1382	richard	1845	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1846	chmod 755 /var/log/gammu-smsd
		1847
2314	richard	1848	# Write radius credentials in the gammu script
1452	richard	1849	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1850	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1851
2552	rexy	1852	# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
		1853	# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2542	rexy	1854	#cat << EOF > /lib/udev/rules.d/66-huawei.rules
		1855	#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
		1856	#EOF
1380	richard	1857
2552	rexy	1858	# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
		1859	# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
		1860
2314	richard	1861	} # End gammu_smsd()
1376	richard	1862
2552	rexy	1863	############################################################
		1864	## Fonction "msec" ##
		1865	## - Apply the "fileserver" security level ##
		1866	## - remove the "system request" for rebboting ##
		1867	## - Fix several file permissions ##
		1868	############################################################
2202	richard	1869	msec()
		1870	{
		1871
		1872	# Apply fileserver security level
2211	richard	1873	[ -e /etc/security/msec/security.conf.default ] \|\| cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
		1874	echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2202	richard	1875
2203	richard	1876	# Set permissions monitoring and enforcement
2202	richard	1877	cat <<EOF > /etc/security/msec/perm.local
		1878	/var/log/firefwall/ root.apache 750
		1879	/var/log/firewall/* root.apache 640
		1880	/etc/security/msec/perm.local root.root 640
		1881	/etc/security/msec/level.local root.root 640
		1882	/etc/freeradius-web root.apache 750
		1883	/etc/freeradius-web/admin.conf root.apache 640
2420	richard	1884	/etc/raddb/client.conf radius.radius 640
		1885	/etc/raddb/radius.conf radius.radius 640
		1886	/etc/raddb/mods-available/ldap radius.apache 660
2202	richard	1887	/etc/raddb/sites-available/alcasar radius.apache 660
		1888	/etc/pki/* root.apache 750
2211	richard	1889	/var/log/netflow/porttracker root.apache 770
		1890	/var/log/netflow/porttracker/* root.apache 660
2202	richard	1891	EOF
2454	tom.houday	1892	# apply now hourly & daily checks
2202	richard	1893	/usr/sbin/msec
2211	richard	1894	/etc/cron.weekly/msec
2202	richard	1895
2314	richard	1896	} # End msec()
2202	richard	1897
2304	tom.houday	1898
2202	richard	1899	##################################################################
2552	rexy	1900	## Fonction "letsencrypt" ##
		1901	## - Install Let's Encrypt client ##
		1902	## - Prepare Let's Encrypt ALCASAR configuration file ##
2304	tom.houday	1903	##################################################################
		1904	letsencrypt()
		1905	{
		1906	echo "Installing Let's Encrypt client..."
		1907
		1908	# Extract acme.sh
		1909	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
		1910
		1911	pwdInstall=$(pwd)
		1912	cd /tmp/acme.sh-*
		1913
		1914	acmesh_installDir="/opt/acme.sh"
		1915	acmesh_confDir="/usr/local/etc/letsencrypt"
2354	tom.houday	1916	acmesh_userAgent="ALCASAR"
2304	tom.houday	1917
		1918	# Install acme.sh
		1919	./acme.sh --install \
		1920	--home $acmesh_installDir \
		1921	--config-home $acmesh_confDir/data \
		1922	--certhome $acmesh_confDir/certs \
		1923	--accountkey $acmesh_confDir/ca/account.key \
		1924	--accountconf $acmesh_confDir/data/account.conf \
		1925	--useragent $acmesh_userAgent \
2308	tom.houday	1926	--nocron \
		1927	> /dev/null
2304	tom.houday	1928
		1929	if [ $? -ne 0 ]; then
		1930	echo "Error during installation of Let's Encrypt client (acme.sh)."
		1931	fi
		1932
		1933	# Create configuration file
		1934	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
		1935	email=
		1936	dateIssueRequest=
		1937	domainRequest=
		1938	challenge=
		1939	dateIssued=
		1940	dnsapi=
		1941	dateNextRenewal=
		1942	EOF
		1943
		1944	cd $pwdInstall
		1945	rm -rf /tmp/acme.sh-*
		1946
		1947	} # END letsencrypt()
		1948
		1949	##################################################################
2552	rexy	1950	## Fonction "post_install" ##
		1951	## - Modifying banners (locals et ssh) & prompts ##
		1952	## - SSH config ##
		1953	## - sudoers config & files security ##
		1954	## - log rotate & ANSSI security parameters ##
		1955	## - Apply former conf in case of an update ##
		1956	##################################################################
1	root	1957	post_install()
		1958	{
2195	richard	1959	# change the SSH banner
		1960	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
		1961	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
5	franck	1962	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1963	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1964	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1965	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1966	# postfix banner anonymisation
		1967	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1841	richard	1968	chown -R postfix:postfix /var/lib/postfix
2195	richard	1969	# sshd liste on EXTIF & INTIF
1548	richard	1970	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2195	richard	1971	# sshd authorized certificate for root login
1696	franck	1972	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2195	richard	1973	# ALCASAR conf file
2327	richard	1974	echo "HTTPS_LOGIN=on" >> $CONF_FILE
2409	tom.houday	1975	echo "HTTPS_CHILLI=off" >> $CONF_FILE
1839	richard	1976	echo "SSH=on" >> $CONF_FILE
1631	richard	1977	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
628	richard	1978	echo "LDAP=off" >> $CONF_FILE
2447	richard	1979	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2461	richard	1980	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2454	tom.houday	1981	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
		1982	echo "LDAP_FILTER=" >> $CONF_FILE
		1983	echo "LDAP_USER=alcasar" >> $CONF_FILE
		1984	echo "LDAP_PASSWORD=" >> $CONF_FILE
		1985	echo "MULTIWAN=off" >> $CONF_FILE
1078	franck	1986	echo "FAILOVER=30" >> $CONF_FILE
		1987	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1988	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1989	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2195	richard	1990	# Prompt customisation (colors)
1	root	1991	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1992	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1993	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2195	richard	1994	# sudoers configuration for "apache" & "sysadmin"
1	root	1995	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1996	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1997	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1543	richard	1998	# Modify some logrotate files (gammu, ulogd)
1	root	1999	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		2000	chmod 644 /etc/logrotate.d/*
2195	richard	2001	# Log compression
706	franck	2002	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		2003	# actualisation des fichiers logs compressés
2521	armand.ito	2004	for dir in firewall e2guardian lighttpd
706	franck	2005	do
2454	tom.houday	2006	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	2007	done
1221	richard	2008	# create the alcasar-load_balancing unit
		2009	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	2010	# This file is part of systemd.
		2011	#
		2012	# systemd is free software; you can redistribute it and/or modify it
		2013	# under the terms of the GNU General Public License as published by
		2014	# the Free Software Foundation; either version 2 of the License, or
		2015	# (at your option) any later version.
		2016
		2017	# This unit lauches alcasar-load-balancing.sh script.
		2018	[Unit]
		2019	Description=alcasar-load_balancing.sh execution
		2020	After=network.target iptables.service
		2021
		2022	[Service]
		2023	Type=oneshot
		2024	RemainAfterExit=yes
1828	richard	2025	ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
		2026	ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1184	crox53	2027	TimeoutSec=0
		2028	SysVStartPriority=99
		2029
		2030	[Install]
		2031	WantedBy=multi-user.target
1157	stephane	2032	EOF
1221	richard	2033	# processes launched at boot time (Systemctl)
2521	armand.ito	2034	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
1221	richard	2035	do
1574	richard	2036	/usr/bin/systemctl -q enable $i.service
1221	richard	2037	done
2454	tom.houday	2038
1452	richard	2039	# disable processes at boot time (Systemctl)
2416	richard	2040	for i in ulogd gpm
1452	richard	2041	do
1574	richard	2042	/usr/bin/systemctl -q disable $i.service
1452	richard	2043	done
2454	tom.houday	2044
1221	richard	2045	# Apply French Security Agency (ANSSI) rules
1362	richard	2046	# ignore ICMP broadcast (smurf attack)
		2047	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		2048	# ignore ICMP errors bogus
		2049	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		2050	# remove ICMP redirects responces
		2051	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		2052	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		2053	# enable SYN Cookies (Syn flood attacks)
		2054	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		2055	# enable kernel antispoofing
		2056	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		2057	# ignore source routing
		2058	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		2059	# set conntrack timer to 1h (3600s) instead of 5 weeks
		2060	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2454	tom.houday	2061	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	2062	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1778	richard	2063	# disable iptables_helpers
		2064	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
1788	richard	2065	# Switch to the router mode
		2066	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
1917	franck	2067	# Remove unused service ipv6
1964	franck	2068	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
		2069	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
		2070	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
		2071	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1003	richard	2072	# switch to multi-users runlevel (instead of x11)
1221	richard	2073	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2432	richard	2074	# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
		2075	[ -e /etc/default/grub.default ] \|\| cp /etc/default/grub /etc/default/grub.default
		2076	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2433	richard	2077	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2432	richard	2078	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		2079	vm_vga=`lsmod \| egrep -c "virtio\|vmwgfx"` # test if in VM
2454	tom.houday	2080	if [ $vm_vga == 0 ] # is not a VM
2432	richard	2081	then
2454	tom.houday	2082	cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
		2083	echo >> /etc/mageia-release
		2084	$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
		2085	fi
		2086	if [ $Lang == "fr" ]
		2087	then
		2088	echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
		2089	echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
		2090	else
		2091	echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
		2092	echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
		2093	fi
		2094	/usr/bin/update-grub2
1221	richard	2095	# Load and apply the previous conf file
		2096	if [ "$mode" = "update" ]
532	richard	2097	then
1668	richard	2098	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1221	richard	2099	$DIR_DEST_BIN/alcasar-conf.sh --load
		2100	PARENT_SCRIPT=`basename $0`
		2101	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		2102	$DIR_DEST_BIN/alcasar-conf.sh --apply
2454	tom.houday	2103	$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
1221	richard	2104	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		2105	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
532	richard	2106	fi
1221	richard	2107	rm -f /tmp/alcasar-conf*
		2108	chown -R root:apache $DIR_DEST_ETC/*
		2109	chmod -R 660 $DIR_DEST_ETC/*
		2110	chmod ug+x $DIR_DEST_ETC/digest
1	root	2111	cd $DIR_INSTALL
5	franck	2112	echo ""
1	root	2113	echo "#############################################################################"
638	richard

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2552