Rev 2689 | Rev 2705 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log
Rev | Author | Line No. | Line |
---|---|---|---|
672 | richard | 1 | #!/bin/bash |
2454 | tom.houday | 2 | # $Id: alcasar.sh 2693 2019-01-28 16:43:48Z franck $ |
1 | root | 3 | |
4 | # alcasar.sh |
||
2466 | richard | 5 | # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy) |
6 | # This script is distributed under the Gnu General Public License (GPL) |
||
7 | # team@alcasar.net |
||
959 | franck | 8 | |
2454 | tom.houday | 9 | # ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
1157 | stephane | 10 | # Ce programme est un logiciel libre ; This software is free and open source |
2454 | tom.houday | 11 | # elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. |
12 | # Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; |
||
13 | # sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
||
14 | # Voir la Licence Publique Générale GNU pour plus de détails. |
||
959 | franck | 15 | |
672 | richard | 16 | # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau) |
1007 | richard | 17 | # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants : |
1 | root | 18 | # Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
2454 | tom.houday | 19 | # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
2466 | richard | 20 | |
2688 | lucas.echa | 21 | # Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
1 | root | 22 | |
23 | # Options : |
||
376 | franck | 24 | # -i or --install |
25 | # -u or --uninstall |
||
1 | root | 26 | |
376 | franck | 27 | # Functions : |
1378 | richard | 28 | # testing : connectivity tests, free space test and mageia version test |
1221 | richard | 29 | # init : Installation of RPM and scripts |
30 | # network : Network parameters |
||
2552 | rexy | 31 | # ACC : ALCASAR Control Center installation |
32 | # CA : Certification Authority initialization |
||
1837 | richard | 33 | # time_server : NTPd configuration |
1221 | richard | 34 | # init_db : Initilization of radius database managed with MariaDB |
2421 | richard | 35 | # freeradius : FreeRadius initialisation |
1389 | richard | 36 | # chilli : coovachilli initialisation (+authentication page) |
2521 | armand.ito | 37 | # e2guardian : E2Guardian filtering HTTP proxy configuration |
1221 | richard | 38 | # antivirus : HAVP + libclamav configuration |
1485 | richard | 39 | # tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
1389 | richard | 40 | # ulogd : log system in userland (match NFLOG target of iptables) |
2454 | tom.houday | 41 | # nfsen : Configuration of Nfsen Netflow grapher |
2688 | lucas.echa | 42 | # unbound : Name server configuration |
43 | # dnsmasq : Name server configuration (for whitelist ipset support) |
||
1541 | richard | 44 | # vnstat : little network stat daemon |
2688 | lucas.echa | 45 | # BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
1266 | richard | 46 | # cron : Logs export + watchdog + connexion statistics |
1389 | richard | 47 | # fail2ban : Fail2ban IDS installation and configuration |
48 | # gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
||
2202 | richard | 49 | # msec : Mandriva security package configuration |
2304 | tom.houday | 50 | # letsencrypt : Let's Encrypt client |
2552 | rexy | 51 | # post_install : Security, log rotation, etc. |
1 | root | 52 | |
2499 | tom.houday | 53 | DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
1 | root | 54 | DATE=`date '+%d %B %Y - %Hh%M'` |
55 | DATE_SHORT=`date '+%d/%m/%Y'` |
||
595 | richard | 56 | Lang=`echo $LANG|cut -c 1-2` |
1362 | richard | 57 | mode="install" |
1 | root | 58 | # ******* Files parameters - paramètres fichiers ********* |
2552 | rexy | 59 | DIR_INSTALL=`pwd` # current directory |
1015 | richard | 60 | DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files) |
61 | DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files) |
||
2552 | rexy | 62 | DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
63 | DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log) |
||
64 | DIR_WEB="/var/www/html" # directory of Lighttpd |
||
65 | DIR_DG="/etc/e2guardian" # directory of E2Guardian |
||
66 | DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
||
1015 | richard | 67 | DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
68 | DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files |
||
2688 | lucas.echa | 69 | DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance) |
2552 | rexy | 70 | CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file |
1015 | richard | 71 | PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets |
1 | root | 72 | # ******* DBMS parameters - paramètres SGBD ******** |
2552 | rexy | 73 | DB_RADIUS="radius" # database name used by FreeRadius server |
74 | DB_USER="radius" # user name allows to request the users database |
||
75 | DB_GAMMU="gammu" # database name used by Gammu-smsd |
||
1 | root | 76 | # ******* Network parameters - paramètres réseau ******* |
2552 | rexy | 77 | HOSTNAME="alcasar" # default hostname |
78 | DOMAIN="localdomain" # default local domain |
||
2669 | tom.houday | 79 | EXTIF='' # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI) |
80 | INTIF='' # INTIF is connected to the consultation network |
||
1148 | crox53 | 81 | MTU="1500" |
1243 | richard | 82 | DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address |
1 | root | 83 | # ****** Paths - chemin des commandes ******* |
84 | SED="/bin/sed -i" |
||
85 | # ****************** End of global parameters ********************* |
||
86 | |||
959 | franck | 87 | license () |
88 | { |
||
89 | if [ $Lang == "fr" ] |
||
1538 | richard | 90 | then |
91 | cat $DIR_INSTALL/gpl-warning.fr.txt | more |
||
92 | else |
||
93 | cat $DIR_INSTALL/gpl-warning.txt | more |
||
959 | franck | 94 | fi |
1538 | richard | 95 | response=0 |
96 | PTN='^[oOyYnN]$' |
||
97 | until [[ $(expr $response : $PTN) -gt 0 ]] |
||
98 | do |
||
99 | if [ $Lang == "fr" ] |
||
1563 | franck | 100 | then echo -n "Acceptez-vous les termes de cette licence (O/n)? : " |
1538 | richard | 101 | else echo -n "Do you accept the terms of this license (Y/n)? : " |
102 | fi |
||
103 | read response |
||
104 | done |
||
105 | if [ "$response" = "n" ] || [ "$response" = "N" ] |
||
106 | then |
||
107 | exit 1 |
||
108 | fi |
||
959 | franck | 109 | } |
110 | |||
1 | root | 111 | header_install () |
112 | { |
||
113 | clear |
||
114 | echo "-----------------------------------------------------------------------------" |
||
460 | richard | 115 | echo " ALCASAR V$VERSION Installation" |
1 | root | 116 | echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau" |
117 | echo "-----------------------------------------------------------------------------" |
||
1389 | richard | 118 | } |
1 | root | 119 | |
2552 | rexy | 120 | ######################################################## |
121 | ## Function "testing" ## |
||
122 | ## - Test Mageia version ## |
||
123 | ## - Test ALCASAR version (if already installed) ## |
||
124 | ## - Test free space on /var (>10G) ## |
||
125 | ## - Test Internet access ## |
||
126 | ######################################################## |
||
29 | richard | 127 | testing () |
128 | { |
||
1529 | richard | 129 | # Test of Mageia version |
130 | # extract the current Mageia version and hardware architecture (i586 ou X64) |
||
131 | fic=`cat /etc/product.id` |
||
132 | unknown_os=0 |
||
133 | old="$IFS" |
||
134 | IFS="," |
||
135 | set $fic |
||
2688 | lucas.echa | 136 | for i in "$@" |
1529 | richard | 137 | do |
138 | if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ] |
||
2454 | tom.houday | 139 | then |
1529 | richard | 140 | DISTRIBUTION=`echo $i|cut -d"=" -f2` |
141 | unknown_os=`expr $unknown_os + 1` |
||
142 | fi |
||
143 | if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ] |
||
2454 | tom.houday | 144 | then |
1529 | richard | 145 | CURRENT_VERSION=`echo $i|cut -d"=" -f2` |
146 | unknown_os=`expr $unknown_os + 1` |
||
147 | fi |
||
148 | if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ] |
||
2454 | tom.houday | 149 | then |
1529 | richard | 150 | ARCH=`echo $i|cut -d"=" -f2` |
151 | unknown_os=`expr $unknown_os + 1` |
||
152 | fi |
||
153 | done |
||
2669 | tom.houday | 154 | if [ "$ARCH" != "x86_64" ] |
2149 | richard | 155 | then |
156 | if [ $Lang == "fr" ] |
||
2669 | tom.houday | 157 | then echo "Votre architecture matérielle doit être en 64bits" |
158 | else echo "You hardware architecture must be 64bits" |
||
2149 | richard | 159 | fi |
2482 | lucas.echa | 160 | exit 1 |
2149 | richard | 161 | fi |
1529 | richard | 162 | IFS="$old" |
2669 | tom.houday | 163 | if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]] |
2688 | lucas.echa | 164 | then |
2669 | tom.houday | 165 | if [ -e /var/tmp/alcasar-conf.tar.gz ] # update |
166 | then |
||
167 | echo |
||
168 | if [ $Lang == "fr" ] |
||
169 | then |
||
170 | echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée." |
||
171 | echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC" |
||
172 | echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)" |
||
173 | echo "3 - Importez votre base des usagers" |
||
174 | else |
||
175 | echo "The automatic update of ALCASAR can't be performed." |
||
176 | echo "1 - Save your traceability files and the user database" |
||
177 | echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)" |
||
178 | echo "3 - Import your users database" |
||
179 | fi |
||
180 | else |
||
181 | if [ $Lang == "fr" ] |
||
182 | then echo "L'installation d'ALCASAR ne peut pas être réalisée." |
||
183 | else echo "The installation of ALCASAR can't be performed." |
||
184 | fi |
||
185 | fi |
||
186 | echo |
||
187 | if [ $Lang == "fr" ] |
||
188 | then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)" |
||
189 | else echo "The OS must be replaced (Mageia6-64bits)" |
||
190 | fi |
||
2688 | lucas.echa | 191 | exit 1 |
2669 | tom.houday | 192 | fi |
193 | |||
1362 | richard | 194 | # Test if ALCASAR is already installed |
195 | if [ -e $CONF_FILE ] |
||
196 | then |
||
2396 | tom.houday | 197 | current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2` |
1342 | richard | 198 | if [ $Lang == "fr" ] |
2669 | tom.houday | 199 | then echo "La version $current_version d'ALCASAR est déjà installée" |
200 | else echo "ALCASAR version $current_version is already installed" |
||
1342 | richard | 201 | fi |
1362 | richard | 202 | response=0 |
2458 | richard | 203 | PTN='^[12]$' |
1362 | richard | 204 | until [[ $(expr $response : $PTN) -gt 0 ]] |
205 | do |
||
206 | if [ $Lang == "fr" ] |
||
2669 | tom.houday | 207 | then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : " |
208 | else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : " |
||
2499 | tom.houday | 209 | fi |
1362 | richard | 210 | read response |
211 | done |
||
2458 | richard | 212 | if [ "$response" = "2" ] |
1362 | richard | 213 | then |
2560 | rexy | 214 | rm -f /var/tmp/alcasar-conf* |
1362 | richard | 215 | else |
1684 | richard | 216 | # Retrieve former NICname |
2549 | tom.houday | 217 | EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-` # EXTernal InterFace |
218 | INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-` # INTernal InterFace |
||
2688 | lucas.echa | 219 | [ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network." |
220 | [ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network." |
||
1564 | richard | 221 | # Create the current conf file |
1362 | richard | 222 | $DIR_SCRIPTS/alcasar-conf.sh --create |
223 | mode="update" |
||
224 | fi |
||
1529 | richard | 225 | fi |
2669 | tom.houday | 226 | # Test free space on /var |
1529 | richard | 227 | if [ ! -d /var/log/netflow/porttracker ] |
228 | then |
||
2688 | lucas.echa | 229 | free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'` |
1529 | richard | 230 | if [ $free_space -lt 10 ] |
231 | then |
||
232 | if [ $Lang == "fr" ] |
||
233 | then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)" |
||
234 | else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)" |
||
235 | fi |
||
236 | exit 0 |
||
237 | fi |
||
238 | fi |
||
2669 | tom.houday | 239 | |
240 | # Detect external/internal interfaces |
||
241 | if [ -z "$EXTIF" ]; then |
||
242 | EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}') |
||
243 | if [ -z "$EXTIF" ]; then |
||
244 | if [ "$Lang" == 'fr' ] |
||
245 | then echo -n "Aucune passerelle par défaut configurée" |
||
246 | else echo -n "No default gateway configured" |
||
247 | fi |
||
248 | exit 1 |
||
249 | fi |
||
250 | fi |
||
251 | if [ "$Lang" == 'fr' ] |
||
252 | then echo "Interface externe (Internet) utilisée : $EXTIF" |
||
253 | else echo "External interface (Internet) used: $EXTIF" |
||
254 | fi |
||
255 | |||
256 | if [ -z "$INTIF" ]; then |
||
257 | interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$") |
||
258 | interfacesCount=$(echo "$interfacesList" | wc -l) |
||
259 | if [ $interfacesCount -eq 0 ]; then |
||
260 | if [ "$Lang" == 'fr' ] |
||
261 | then echo "Aucune interface de disponible pour le réseau interne" |
||
262 | else echo "No interface available for the internal network" |
||
263 | fi |
||
264 | exit 1 |
||
265 | elif [ $interfacesCount -eq 1 ]; then |
||
266 | INTIF="$interfacesList" |
||
267 | else |
||
268 | interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1) |
||
269 | interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1) |
||
270 | |||
271 | if [ "$Lang" == 'fr' ] |
||
272 | then echo 'Liste des interfaces disponible :' |
||
273 | else echo 'List of available interfaces:' |
||
274 | fi |
||
275 | echo "$interfacesSorted" |
||
276 | response='' |
||
277 | while true; do |
||
278 | if [ "$Lang" == 'fr' ] |
||
279 | then echo -n "Choix de l'interface interne ? [$interfacePreferred] " |
||
280 | else echo -n "Choice of internal interface ? [$interfacePreferred] " |
||
281 | fi |
||
282 | read response |
||
283 | |||
284 | [ -z "$response" ] && response="$interfacePreferred" |
||
285 | |||
286 | # Check if interface exist |
||
2688 | lucas.echa | 287 | if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then |
2669 | tom.houday | 288 | INTIF="$response" |
289 | break |
||
290 | else |
||
291 | if [ "$Lang" == 'fr' ] |
||
292 | then echo "Interface \"$response\" introuvable" |
||
293 | else echo "Interface \"$response\" not found" |
||
294 | fi |
||
295 | fi |
||
296 | done |
||
297 | fi |
||
298 | fi |
||
299 | if [ "$Lang" == 'fr' ] |
||
300 | then echo "Interface interne utilisée : $INTIF" |
||
301 | else echo "Internal interface used: $INTIF" |
||
302 | fi |
||
303 | |||
2290 | richard | 304 | if [ $Lang == "fr" ] |
305 | then echo -n "Tests des paramètres réseau : " |
||
2549 | tom.houday | 306 | else echo -n "Network parameters tests: " |
2290 | richard | 307 | fi |
308 | # Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles) |
||
2688 | lucas.echa | 309 | cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; } |
2290 | richard | 310 | IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1` |
2282 | richard | 311 | for i in $IF_INTERFACES |
312 | do |
||
2688 | lucas.echa | 313 | if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then |
2282 | richard | 314 | rm -f ifcfg-$i |
2454 | tom.houday | 315 | |
2282 | richard | 316 | if [ $Lang == "fr" ] |
317 | then echo "Suppression : ifcfg-$i" |
||
2549 | tom.houday | 318 | else echo "Deleting: ifcfg-$i" |
2282 | richard | 319 | fi |
320 | fi |
||
321 | done |
||
2688 | lucas.echa | 322 | cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; } |
2290 | richard | 323 | echo -n "." |
2454 | tom.houday | 324 | # Test Ethernet NIC links state |
2669 | tom.houday | 325 | interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1) |
326 | if [ ! -z "$interfacesDown" ]; then |
||
327 | for i in $interfacesDown; do |
||
328 | if [ $Lang == "fr" ] |
||
329 | then |
||
330 | echo -e "\nÉchec" |
||
331 | echo "Le lien réseau de la carte $i n'est pas actif." |
||
332 | echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)" |
||
333 | else |
||
334 | echo -e "\nFailed" |
||
335 | echo "The link state of $i interface is down." |
||
336 | echo "Make sure that this network card is connected to a switch or an A.P." |
||
337 | fi |
||
338 | done |
||
339 | exit 1 |
||
340 | fi |
||
1471 | richard | 341 | echo -n "." |
342 | # Test EXTIF config files |
||
2681 | tom.houday | 343 | PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'` |
344 | PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1` |
||
2673 | tom.houday | 345 | PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'` |
2688 | lucas.echa | 346 | if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ] |
1471 | richard | 347 | then |
784 | richard | 348 | if [ $Lang == "fr" ] |
2454 | tom.houday | 349 | then |
2669 | tom.houday | 350 | echo -e "\nÉchec" |
784 | richard | 351 | echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée." |
352 | echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
||
1362 | richard | 353 | echo "Appliquez les changements : 'systemctl restart network'" |
784 | richard | 354 | else |
2669 | tom.houday | 355 | echo -e "\nFailed" |
784 | richard | 356 | echo "The Internet connected network card ($EXTIF) isn't well configured." |
357 | echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
||
2669 | tom.houday | 358 | echo "Apply the new configuration: 'systemctl restart network'" |
784 | richard | 359 | fi |
830 | richard | 360 | echo "DEVICE=$EXTIF" |
784 | richard | 361 | echo "IPADDR=" |
362 | echo "NETMASK=" |
||
363 | echo "GATEWAY=" |
||
364 | echo "DNS1=" |
||
365 | echo "DNS2=" |
||
830 | richard | 366 | echo "ONBOOT=yes" |
2669 | tom.houday | 367 | exit 1 |
784 | richard | 368 | fi |
369 | echo -n "." |
||
2290 | richard | 370 | # Test if default GW is set on EXTIF (router or ISP provider equipment) |
2688 | lucas.echa | 371 | if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then |
595 | richard | 372 | if [ $Lang == "fr" ] |
2454 | tom.houday | 373 | then |
2669 | tom.houday | 374 | echo -e "\nÉchec" |
595 | richard | 375 | echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte." |
376 | echo "Réglez ce problème puis relancez ce script." |
||
377 | else |
||
2669 | tom.houday | 378 | echo -e "\nFailed" |
595 | richard | 379 | echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card" |
380 | echo "Resolv this problem, then restart this script." |
||
381 | fi |
||
2669 | tom.houday | 382 | exit 1 |
29 | richard | 383 | fi |
308 | richard | 384 | echo -n "." |
2290 | richard | 385 | # Test if default GW is alive |
1499 | richard | 386 | arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2` |
2688 | lucas.echa | 387 | if [ "$(expr $arp_reply)" -eq 0 ] |
2454 | tom.houday | 388 | then |
595 | richard | 389 | if [ $Lang == "fr" ] |
2454 | tom.houday | 390 | then |
2669 | tom.houday | 391 | echo -e "\nÉchec" |
2290 | richard | 392 | echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas." |
595 | richard | 393 | echo "Réglez ce problème puis relancez ce script." |
394 | else |
||
2669 | tom.houday | 395 | echo -e "\nFailed" |
2290 | richard | 396 | echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered." |
595 | richard | 397 | echo "Resolv this problem, then restart this script." |
398 | fi |
||
2669 | tom.houday | 399 | exit 1 |
308 | richard | 400 | fi |
401 | echo -n "." |
||
2290 | richard | 402 | # Test Internet connectivity |
2669 | tom.houday | 403 | domainTested='www.google.com' |
404 | /usr/bin/curl -s --head "$domainTested" &>/dev/null |
||
405 | if [ $? -ne 0 ]; then |
||
595 | richard | 406 | if [ $Lang == "fr" ] |
2454 | tom.houday | 407 | then |
2669 | tom.houday | 408 | echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)." |
595 | richard | 409 | echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI." |
410 | echo "Vérifiez la validité des adresses IP des DNS." |
||
411 | else |
||
2669 | tom.houday | 412 | echo -e "\nThe Internet connection try failed ($domainTested)." |
595 | richard | 413 | echo "Please, verify that the $EXTIF card is connected with the Internet gateway." |
414 | echo "Verify the DNS IP addresses" |
||
415 | fi |
||
2669 | tom.houday | 416 | exit 1 |
29 | richard | 417 | fi |
308 | richard | 418 | echo ". : ok" |
1389 | richard | 419 | } # end of testing () |
302 | richard | 420 | |
2552 | rexy | 421 | ####################################################################### |
422 | ## Function "init" ## |
||
423 | ## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ## |
||
424 | ## - Creation of random password for GRUB, mariadb (admin and user) ## |
||
425 | ####################################################################### |
||
302 | richard | 426 | init () |
427 | { |
||
527 | richard | 428 | if [ "$mode" != "update" ] |
302 | richard | 429 | then |
430 | # On affecte le nom d'organisme |
||
597 | richard | 431 | header_install |
302 | richard | 432 | ORGANISME=! |
433 | PTN='^[a-zA-Z0-9-]*$' |
||
580 | richard | 434 | until [[ $(expr $ORGANISME : $PTN) -gt 0 ]] |
2454 | tom.houday | 435 | do |
595 | richard | 436 | if [ $Lang == "fr" ] |
2454 | tom.houday | 437 | then echo -n "Entrez le nom de votre organisme : " |
597 | richard | 438 | else echo -n "Enter the name of your organism : " |
595 | richard | 439 | fi |
330 | franck | 440 | read ORGANISME |
613 | richard | 441 | if [ "$ORGANISME" == "" ] |
2688 | lucas.echa | 442 | then |
330 | franck | 443 | ORGANISME=! |
444 | fi |
||
445 | done |
||
302 | richard | 446 | fi |
1 | root | 447 | # On crée aléatoirement les mots de passe et les secrets partagés |
2419 | richard | 448 | # We create random passwords and shared secrets |
628 | richard | 449 | rm -f $PASSWD_FILE |
2419 | richard | 450 | echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE |
2688 | lucas.echa | 451 | grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8` |
2454 | tom.houday | 452 | pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
453 | LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
||
454 | grep -v '[eE]nter password:' | \ |
||
455 | sed -e "s/PBKDF2 hash of your password is //"` |
||
456 | echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg |
||
457 | [ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default |
||
458 | cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry) |
||
459 | chmod 0600 /boot/grub2/user.cfg |
||
2419 | richard | 460 | echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE |
2454 | tom.houday | 461 | echo "GRUB2_user=root" >> $PASSWD_FILE |
462 | echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
||
2688 | lucas.echa | 463 | mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
2419 | richard | 464 | echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE |
2412 | tom.houday | 465 | echo "db_root=$mysqlpwd" >> $PASSWD_FILE |
2688 | lucas.echa | 466 | radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
2419 | richard | 467 | echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE |
2421 | richard | 468 | echo "db_user=$DB_USER" >> $PASSWD_FILE |
469 | echo "db_password=$radiuspwd" >> $PASSWD_FILE |
||
2688 | lucas.echa | 470 | secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
2412 | tom.houday | 471 | echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE |
472 | echo "secret_uam=$secretuam" >> $PASSWD_FILE |
||
2688 | lucas.echa | 473 | secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
2412 | tom.houday | 474 | echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE |
475 | echo "secret_radius=$secretradius" >> $PASSWD_FILE |
||
628 | richard | 476 | chmod 640 $PASSWD_FILE |
1828 | richard | 477 | # copy scripts in in /usr/local/bin |
2664 | tom.houday | 478 | cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar* |
1828 | richard | 479 | # copy conf files in /usr/local/etc |
1954 | richard | 480 | cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar* |
1828 | richard | 481 | $SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh |
628 | richard | 482 | # generate central conf file |
483 | cat <<EOF > $CONF_FILE |
||
612 | richard | 484 | ########################################## |
485 | ## ## |
||
486 | ## ALCASAR Parameters ## |
||
487 | ## ## |
||
488 | ########################################## |
||
1 | root | 489 | |
612 | richard | 490 | INSTALL_DATE=$DATE |
491 | VERSION=$VERSION |
||
492 | ORGANISM=$ORGANISME |
||
1748 | richard | 493 | HOSTNAME=$HOSTNAME |
923 | franck | 494 | DOMAIN=$DOMAIN |
612 | richard | 495 | EOF |
628 | richard | 496 | chmod o-rwx $CONF_FILE |
1 | root | 497 | } # End of init () |
498 | |||
2552 | rexy | 499 | ######################################################### |
500 | ## Function "network" ## |
||
501 | ## - Define the several network address ## |
||
502 | ## - Define the DNS naming ## |
||
503 | ## - INTIF parameters (consultation network) ## |
||
504 | ## - Write "/etc/hosts" file ## |
||
505 | ## - write "hosts.allow" & "hosts.deny" files ## |
||
506 | ######################################################### |
||
1 | root | 507 | network () |
508 | { |
||
509 | header_install |
||
636 | richard | 510 | if [ "$mode" != "update" ] |
511 | then |
||
512 | if [ $Lang == "fr" ] |
||
513 | then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK" |
||
514 | else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK" |
||
515 | fi |
||
516 | response=0 |
||
517 | PTN='^[oOyYnN]$' |
||
518 | until [[ $(expr $response : $PTN) -gt 0 ]] |
||
1 | root | 519 | do |
595 | richard | 520 | if [ $Lang == "fr" ] |
659 | richard | 521 | then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : " |
618 | richard | 522 | else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : " |
595 | richard | 523 | fi |
1 | root | 524 | read response |
525 | done |
||
636 | richard | 526 | if [ "$response" = "n" ] || [ "$response" = "N" ] |
527 | then |
||
528 | PRIVATE_IP_MASK="0" |
||
529 | PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$' |
||
530 | until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]] |
||
1 | root | 531 | do |
595 | richard | 532 | if [ $Lang == "fr" ] |
597 | richard | 533 | then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : " |
534 | else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : " |
||
595 | richard | 535 | fi |
597 | richard | 536 | read PRIVATE_IP_MASK |
1 | root | 537 | done |
636 | richard | 538 | else |
2688 | lucas.echa | 539 | PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
636 | richard | 540 | fi |
595 | richard | 541 | else |
2454 | tom.houday | 542 | PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2` |
637 | richard | 543 | rm -rf conf/etc/alcasar.conf |
1 | root | 544 | fi |
861 | richard | 545 | # Define LAN side global parameters |
1740 | richard | 546 | hostnamectl set-hostname $HOSTNAME.$DOMAIN |
977 | richard | 547 | PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # private network address (ie.: 192.168.182.0) |
1499 | richard | 548 | private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4` # last octet of LAN address |
977 | richard | 549 | PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # private network mask (ie.: 255.255.255.0) |
1499 | richard | 550 | PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24) |
977 | richard | 551 | PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side) |
1499 | richard | 552 | if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address |
2688 | lucas.echa | 553 | then |
2454 | tom.houday | 554 | PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
1499 | richard | 555 | PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX` |
2454 | tom.houday | 556 | fi |
1499 | richard | 557 | private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
558 | PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
||
977 | richard | 559 | PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24 |
1499 | richard | 560 | classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C |
977 | richard | 561 | PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.) |
1828 | richard | 562 | PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF |
841 | richard | 563 | # Define Internet parameters |
2464 | richard | 564 | if [ "$mode" != "update" ] |
2457 | richard | 565 | then |
2464 | richard | 566 | DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2` # 1st DNS server |
567 | DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2` # 2nd DNS server |
||
568 | else |
||
569 | DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2` # 1st DNS server |
||
570 | DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2` # 2nd DNS server |
||
571 | fi |
||
2693 | franck | 572 | DNS1=${DNS1:=208.67.220.220} |
70 | franck | 573 | DNS2=${DNS2:=208.67.222.222} |
2693 | franck | 574 | # if [ "$DNS1" == "" ] |
575 | # then |
||
576 | # if [ $Lang == "fr" ] |
||
577 | # then |
||
578 | # echo "L'adresse IP des serveurs DNS ne sont pas corrects" |
||
579 | # echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)" |
||
580 | # else |
||
581 | # echo "The IP address of DNS servers are not set correctly" |
||
582 | # echo "Check the extern network card configuration ($EXTIF)" |
||
583 | # fi |
||
584 | # exit 0 |
||
585 | # fi |
||
1499 | richard | 586 | PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` |
1052 | richard | 587 | PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2` |
1069 | richard | 588 | PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2` |
2552 | rexy | 589 | # Write network parameters in the conf file |
1469 | richard | 590 | echo "EXTIF=$EXTIF" >> $CONF_FILE |
591 | echo "INTIF=$INTIF" >> $CONF_FILE |
||
2282 | richard | 592 | ######## Récupération des interfaces du ou des réseaux de consultation supplémentaires ################# |
593 | INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"` |
||
594 | for i in $INTERFACES |
||
595 | do |
||
596 | SUB=`echo ${i:0:2}` |
||
597 | if [ $SUB = "wl" ] |
||
598 | then WIFIF=$i |
||
2454 | tom.houday | 599 | elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] |
2282 | richard | 600 | then LANIF=$i |
601 | fi |
||
602 | done |
||
603 | if [ -n "$WIFIF" ] |
||
604 | then echo "WIFIF=$WIFIF" >> $CONF_FILE |
||
605 | elif [ -n "$LANIF" ] |
||
606 | then echo "LANIF=$LANIF" >> $CONF_FILE |
||
607 | fi |
||
2454 | tom.houday | 608 | ######################################################################################################### |
2552 | rexy | 609 | IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic |
1499 | richard | 610 | if [ $IP_SETTING == "dhcp" ] |
2688 | lucas.echa | 611 | then |
1499 | richard | 612 | echo "PUBLIC_IP=dhcp" >> $CONF_FILE |
1585 | richard | 613 | echo "GW=dhcp" >> $CONF_FILE |
1499 | richard | 614 | else |
615 | echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE |
||
1585 | richard | 616 | echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE |
1499 | richard | 617 | fi |
1587 | richard | 618 | echo "DNS1=$DNS1" >> $CONF_FILE |
619 | echo "DNS2=$DNS2" >> $CONF_FILE |
||
994 | franck | 620 | echo "PUBLIC_MTU=$MTU" >> $CONF_FILE |
628 | richard | 621 | echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE |
1484 | richard | 622 | echo "DHCP=on" >> $CONF_FILE |
914 | franck | 623 | echo "EXT_DHCP_IP=none" >> $CONF_FILE |
624 | echo "RELAY_DHCP_IP=none" >> $CONF_FILE |
||
625 | echo "RELAY_DHCP_PORT=none" >> $CONF_FILE |
||
1610 | franck | 626 | echo "INT_DNS_DOMAIN=none" >> $CONF_FILE |
627 | echo "INT_DNS_IP=none" >> $CONF_FILE |
||
628 | echo "INT_DNS_ACTIVE=off" >> $CONF_FILE |
||
1499 | richard | 629 | # network default |
597 | richard | 630 | [ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default |
1 | root | 631 | cat <<EOF > /etc/sysconfig/network |
632 | NETWORKING=yes |
||
633 | FORWARD_IPV4=true |
||
634 | EOF |
||
2552 | rexy | 635 | # write "/etc/hosts" |
1 | root | 636 | [ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default |
637 | cat <<EOF > /etc/hosts |
||
503 | richard | 638 | 127.0.0.1 localhost |
2558 | rexy | 639 | $PRIVATE_IP $HOSTNAME |
1 | root | 640 | EOF |
2552 | rexy | 641 | # write EXTIF (Internet) config |
1499 | richard | 642 | [ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF |
643 | if [ $IP_SETTING == "dhcp" ] |
||
2688 | lucas.echa | 644 | then |
1499 | richard | 645 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
14 | richard | 646 | DEVICE=$EXTIF |
1585 | richard | 647 | BOOTPROTO=dhcp |
648 | DNS1=127.0.0.1 |
||
649 | PEERDNS=no |
||
650 | RESOLV_MODS=yes |
||
651 | ONBOOT=yes |
||
1613 | franck | 652 | NOZEROCONF=yes |
1585 | richard | 653 | METRIC=10 |
654 | MII_NOT_SUPPORTED=yes |
||
655 | IPV6INIT=no |
||
656 | IPV6TO4INIT=no |
||
657 | ACCOUNTING=no |
||
658 | USERCTL=no |
||
659 | MTU=$MTU |
||
660 | EOF |
||
2688 | lucas.echa | 661 | else |
1585 | richard | 662 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
663 | DEVICE=$EXTIF |
||
14 | richard | 664 | BOOTPROTO=static |
597 | richard | 665 | IPADDR=$PUBLIC_IP |
666 | NETMASK=$PUBLIC_NETMASK |
||
667 | GATEWAY=$PUBLIC_GATEWAY |
||
14 | richard | 668 | DNS1=127.0.0.1 |
1499 | richard | 669 | RESOLV_MODS=yes |
14 | richard | 670 | ONBOOT=yes |
671 | METRIC=10 |
||
1610 | franck | 672 | NOZEROCONF=yes |
14 | richard | 673 | MII_NOT_SUPPORTED=yes |
674 | IPV6INIT=no |
||
675 | IPV6TO4INIT=no |
||
676 | ACCOUNTING=no |
||
677 | USERCTL=no |
||
994 | franck | 678 | MTU=$MTU |
14 | richard | 679 | EOF |
1499 | richard | 680 | fi |
2552 | rexy | 681 | # write INTIF (consultation LAN) in normal mode |
841 | richard | 682 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF |
683 | DEVICE=$INTIF |
||
684 | BOOTPROTO=static |
||
685 | ONBOOT=yes |
||
686 | NOZEROCONF=yes |
||
687 | MII_NOT_SUPPORTED=yes |
||
688 | IPV6INIT=no |
||
689 | IPV6TO4INIT=no |
||
690 | ACCOUNTING=no |
||
691 | USERCTL=no |
||
692 | EOF |
||
1558 | richard | 693 | cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF |
2552 | rexy | 694 | # write INTIF in bypass mode (see "alcasar-bypass.sh") |
1554 | richard | 695 | cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
1 | root | 696 | DEVICE=$INTIF |
697 | BOOTPROTO=static |
||
698 | IPADDR=$PRIVATE_IP |
||
604 | richard | 699 | NETMASK=$PRIVATE_NETMASK |
1 | root | 700 | ONBOOT=yes |
701 | METRIC=10 |
||
702 | NOZEROCONF=yes |
||
703 | MII_NOT_SUPPORTED=yes |
||
14 | richard | 704 | IPV6INIT=no |
705 | IPV6TO4INIT=no |
||
706 | ACCOUNTING=no |
||
707 | USERCTL=no |
||
1 | root | 708 | EOF |
2282 | richard | 709 | ######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode ################# |
710 | if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ] |
||
711 | then |
||
712 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF |
||
713 | DEVICE=$WIFIF |
||
714 | BOOTPROTO=static |
||
715 | ONBOOT=yes |
||
716 | NOZEROCONF=yes |
||
717 | MII_NOT_SUPPORTED=yes |
||
718 | IPV6INIT=no |
||
719 | IPV6TO4INIT=no |
||
720 | ACCOUNTING=no |
||
721 | USERCTL=no |
||
722 | EOF |
||
723 | elif [ -n "$LANIF" ] |
||
724 | then |
||
725 | cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF |
||
726 | DEVICE=$LANIF |
||
727 | BOOTPROTO=static |
||
728 | ONBOOT=yes |
||
729 | NOZEROCONF=yes |
||
730 | MII_NOT_SUPPORTED=yes |
||
731 | IPV6INIT=no |
||
732 | IPV6TO4INIT=no |
||
733 | ACCOUNTING=no |
||
734 | USERCTL=no |
||
735 | EOF |
||
736 | fi |
||
2454 | tom.houday | 737 | ######################################################################################################### |
2552 | rexy | 738 | # write hosts.allow & hosts.deny |
1 | root | 739 | [ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
740 | cat <<EOF > /etc/hosts.allow |
||
741 | ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
||
604 | richard | 742 | sshd: ALL |
1 | root | 743 | ntpd: $PRIVATE_NETWORK_SHORT |
744 | EOF |
||
745 | [ -e /etc/host.deny.default ] || cp /etc/hosts.deny /etc/hosts.deny.default |
||
746 | cat <<EOF > /etc/hosts.deny |
||
747 | ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) & |
||
748 | EOF |
||
790 | richard | 749 | chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
860 | richard | 750 | # create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW) |
1069 | richard | 751 | echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked |
790 | richard | 752 | # load conntrack ftp module |
753 | [ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default |
||
1705 | richard | 754 | echo "nf_conntrack_ftp" >> /etc/modprobe.preload |
1159 | crox53 | 755 | # load ipt_NETFLOW module |
756 | echo "ipt_NETFLOW" >> /etc/modprobe.preload |
||
1513 | richard | 757 | # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush) |
2688 | lucas.echa | 758 | [ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
759 | $SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
||
760 | [ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
||
761 | $SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
||
2454 | tom.houday | 762 | # |
860 | richard | 763 | # the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
1 | root | 764 | } # End of network () |
765 | |||
2552 | rexy | 766 | ################################################### |
767 | ## Function "ACC" ## |
||
768 | ## - copy ALCASAR Control Center (ACC) files ## |
||
769 | ## - configuration of the web server (Lighttpd) ## |
||
770 | ## - creation of the first ACC admin account ## |
||
771 | ## - secure the ACC access ## |
||
772 | ################################################### |
||
1221 | richard | 773 | ACC () |
1 | root | 774 | { |
775 | [ -d $DIR_WEB ] && rm -rf $DIR_WEB |
||
776 | mkdir $DIR_WEB |
||
1833 | richard | 777 | # Copy & adapt ACC files |
316 | richard | 778 | cp -rf $DIR_INSTALL/web/* $DIR_WEB/ |
779 | $SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php |
||
780 | $SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php |
||
781 | $SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php |
||
782 | $SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php |
||
783 | chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php |
||
5 | franck | 784 | chown -R apache:apache $DIR_WEB/* |
1833 | richard | 785 | # copy & adapt "freeradius-web" files |
786 | cp -rf $DIR_CONF/freeradius-web/ /etc/ |
||
787 | [ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default |
||
788 | $SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf |
||
789 | $SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf |
||
790 | $SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf |
||
791 | cat <<EOF > /etc/freeradius-web/naslist.conf |
||
792 | nas1_name: alcasar-$ORGANISME |
||
793 | nas1_model: Network Access Controler |
||
794 | nas1_ip: $PRIVATE_IP |
||
795 | nas1_port_num: 0 |
||
796 | nas1_community: public |
||
797 | EOF |
||
798 | chown -R apache:apache /etc/freeradius-web/ |
||
799 | # create the log & backup structure : |
||
1489 | richard | 800 | # - base = users database |
801 | # - archive = tarball of "base + http firewall + netflow" |
||
1833 | richard | 802 | # - security = watchdog log |
2138 | richard | 803 | for i in base archive security activity_report; |
1 | root | 804 | do |
805 | [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i |
||
806 | done |
||
5 | franck | 807 | chown -R root:apache $DIR_SAVE |
1833 | richard | 808 | # Configuring & securing php |
71 | richard | 809 | [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default |
534 | richard | 810 | timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2` |
811 | $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini |
||
411 | richard | 812 | $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini |
813 | $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini |
||
2397 | tom.houday | 814 | $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini |
815 | $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini |
||
71 | richard | 816 | $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini |
817 | $SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini |
||
2397 | tom.houday | 818 | $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini |
2488 | lucas.echa | 819 | # Configuring & securing Lighttpd |
790 | richard | 820 | rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
2488 | lucas.echa | 821 | [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default |
822 | $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf |
||
2688 | lucas.echa | 823 | $SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
824 | $SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
||
2488 | lucas.echa | 825 | $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf |
826 | echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf |
||
2592 | rexy | 827 | |
828 | [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default |
||
2488 | lucas.echa | 829 | $SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf |
830 | $SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf |
||
831 | $SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf |
||
832 | $SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf |
||
833 | |||
2592 | rexy | 834 | [ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default |
835 | |||
836 | [ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default |
||
837 | $SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf |
||
838 | $SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf |
||
839 | $SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf |
||
840 | |||
841 | cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf |
||
842 | |||
843 | [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d |
||
844 | cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/ |
||
2688 | lucas.echa | 845 | $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
846 | $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
||
847 | $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
||
848 | $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
||
2593 | rexy | 849 | ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf |
2592 | rexy | 850 | |
2588 | rexy | 851 | [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd |
852 | [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log |
||
853 | [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log |
||
2688 | lucas.echa | 854 | |
2588 | rexy | 855 | chown -R apache:apache /var/log/lighttpd |
2488 | lucas.echa | 856 | /usr/bin/systemctl start lighttpd |
2499 | tom.houday | 857 | /usr/bin/systemctl start php-fpm |
2488 | lucas.echa | 858 | |
2552 | rexy | 859 | # Creation of the first account (in 'admin' profile) |
2293 | tom.houday | 860 | if [ "$mode" = "install" ] |
2688 | lucas.echa | 861 | then |
862 | header_install |
||
1268 | richard | 863 | # Creation of keys file for the admin account ("admin") |
2688 | lucas.echa | 864 | [ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
865 | mkdir -p $DIR_DEST_ETC/digest |
||
866 | chmod 755 $DIR_DEST_ETC/digest |
||
867 | until [ -s $DIR_DEST_ETC/digest/key_admin ] |
||
868 | do |
||
869 | $DIR_DEST_BIN/alcasar-profil.sh --add admin |
||
870 | done |
||
2293 | tom.houday | 871 | fi |
2488 | lucas.echa | 872 | |
2561 | rexy | 873 | # Run after coova (in order to wait tun0 to be up) |
2488 | lucas.echa | 874 | $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service |
2293 | tom.houday | 875 | # Log file for ACC access imputability |
876 | [ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log |
||
877 | chown root:apache /var/Save/security/acc_access.log |
||
878 | chmod 664 /var/Save/security/acc_access.log |
||
1389 | richard | 879 | } # End of ACC () |
1 | root | 880 | |
2552 | rexy | 881 | ################################################################## |
882 | ## Fonction "CA" ## |
||
883 | ## - Creating the CA and the server certificate (lighttpd) ## |
||
884 | ################################################################## |
||
1221 | richard | 885 | CA () |
1 | root | 886 | { |
510 | richard | 887 | $DIR_DEST_BIN/alcasar-CA.sh |
5 | franck | 888 | chown -R root:apache /etc/pki |
1 | root | 889 | chmod -R 750 /etc/pki |
1389 | richard | 890 | } # End of CA () |
1 | root | 891 | |
2552 | rexy | 892 | ############################################################# |
893 | ## Function "time_server" ## |
||
894 | ## - Configuring NTP server ## |
||
895 | ############################################################# |
||
1837 | richard | 896 | time_server () |
897 | { |
||
898 | # Set the Internet time server |
||
899 | [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default |
||
900 | cat <<EOF > /etc/ntp/step-tickers |
||
901 | 0.fr.pool.ntp.org # adapt to your country |
||
902 | 1.fr.pool.ntp.org |
||
903 | 2.fr.pool.ntp.org |
||
904 | EOF |
||
905 | [ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default |
||
906 | cat <<EOF > /etc/ntp.conf |
||
907 | server 0.fr.pool.ntp.org # adapt to your country |
||
908 | server 1.fr.pool.ntp.org |
||
909 | server 2.fr.pool.ntp.org |
||
910 | server 127.127.1.0 # local clock si NTP internet indisponible ... |
||
911 | fudge 127.127.1.0 stratum 10 |
||
912 | restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap |
||
913 | restrict 127.0.0.1 |
||
914 | driftfile /var/lib/ntp/drift |
||
915 | logfile /var/log/ntp.log |
||
916 | disable monitor |
||
917 | EOF |
||
918 | chown -R ntp:ntp /var/lib/ntp |
||
919 | # Synchronize now |
||
2688 | lucas.echa | 920 | ntpd -4 -q -g & |
1837 | richard | 921 | } # End of time_server () |
922 | |||
2541 | rexy | 923 | ##################################################################### |
924 | ## Function "init_db" ## |
||
925 | ## - Mysql initialization ## |
||
926 | ## - Set admin (root) password ## |
||
927 | ## - Remove unused users & databases ## |
||
928 | ## - Radius database creation ## |
||
929 | ## - Copy of accounting tables (mtotacct, totacct) & userinfo ## |
||
930 | ##################################################################### |
||
1 | root | 931 | init_db () |
932 | { |
||
2688 | lucas.echa | 933 | if [ "`systemctl is-active mysqld`" == "active" ] |
1990 | richard | 934 | then |
935 | systemctl stop mysqld |
||
936 | fi |
||
1355 | richard | 937 | rm -rf /var/lib/mysql # to be sure that there is no former installation |
1 | root | 938 | [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default |
1355 | richard | 939 | $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf |
1979 | richard | 940 | $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only |
1980 | richard | 941 | $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf |
942 | $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed |
||
2591 | rexy | 943 | [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !) |
2416 | richard | 944 | /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1 |
945 | /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking" |
||
946 | /usr/bin/systemctl start mysqld |
||
1963 | richard | 947 | nb_round=1 |
1981 | richard | 948 | while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on |
1963 | richard | 949 | do |
950 | nb_round=`expr $nb_round + 1` |
||
951 | sleep 2 |
||
952 | done |
||
1981 | richard | 953 | if [ ! -S /var/lib/mysql/mysql.sock ] |
1963 | richard | 954 | then |
1981 | richard | 955 | echo "Problème : la base données 'MariaDB' ne s'est pas lancée !" |
1963 | richard | 956 | exit |
1955 | richard | 957 | fi |
1355 | richard | 958 | # Secure the server |
2688 | lucas.echa | 959 | /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
960 | |||
2416 | richard | 961 | MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
2688 | lucas.echa | 962 | $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
963 | $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
||
615 | richard | 964 | # Create 'radius' database |
2688 | lucas.echa | 965 | $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
615 | richard | 966 | # Add an empty radius database structure |
2688 | lucas.echa | 967 | /usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql |
615 | richard | 968 | # modify the start script in order to close accounting connexion when the system is comming down or up |
1357 | richard | 969 | [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default |
2416 | richard | 970 | $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service |
971 | $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service |
||
972 | /usr/bin/systemctl unset-environment MYSQLD_OPTS |
||
1574 | richard | 973 | /usr/bin/systemctl daemon-reload |
1389 | richard | 974 | } # End of init_db () |
1 | root | 975 | |
2423 | richard | 976 | ################################################################### |
977 | ## Function "freeradius" ## |
||
978 | ## - Set the configuration files ## |
||
979 | ## - Set the shared secret between coova-chilli and freeradius ## |
||
980 | ## - Adapt the Mysql conf file and counters ## |
||
981 | ################################################################### |
||
2421 | richard | 982 | freeradius () |
1 | root | 983 | { |
1800 | richard | 984 | cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/ |
1 | root | 985 | chown -R radius:radius /etc/raddb |
986 | [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default |
||
2420 | richard | 987 | # Set radius global parameters (radius.conf) |
1 | root | 988 | $SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf |
989 | $SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf |
||
990 | $SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf |
||
2420 | richard | 991 | $SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function |
992 | $SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function |
||
2419 | richard | 993 | |
2501 | tom.houday | 994 | # Add ALCASAR dictionary |
995 | cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar |
||
2512 | tom.houday | 996 | echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary |
997 | # Add CoovaChilli dictionary |
||
998 | cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli |
||
999 | echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary |
||
2420 | richard | 1000 | # Set "client.conf" to describe radius clients (coova on 127.0.0.1) |
1 | root | 1001 | [ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default |
1002 | cat << EOF > /etc/raddb/clients.conf |
||
2438 | richard | 1003 | client localhost { |
1004 | ipaddr = 127.0.0.1 |
||
1 | root | 1005 | secret = $secretradius |
2438 | richard | 1006 | shortname = chilli |
2454 | tom.houday | 1007 | nas_type = other |
1 | root | 1008 | } |
1009 | EOF |
||
2420 | richard | 1010 | # Set Virtual server (remvove all except "alcasar virtual site") |
1011 | rm -f /etc/raddb/sites-enabled/* |
||
2467 | richard | 1012 | cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar |
1013 | cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap |
||
1014 | chown radius:apache /etc/raddb/sites-available/alcasar* |
||
1015 | chmod 660 /etc/raddb/sites-available/alcasar* |
||
2420 | richard | 1016 | ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
2454 | tom.houday | 1017 | # INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled) |
2420 | richard | 1018 | |
2454 | tom.houday | 1019 | # Set modules |
2465 | richard | 1020 | # Add custom LDAP "available module" |
1021 | cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/ |
||
1022 | chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar |
||
2422 | richard | 1023 | # Set only usefull modules for ALCASAR (ldap is enabled only via ACC) |
2454 | tom.houday | 1024 | rm -rf /etc/raddb/mods-enabled/* |
2615 | tom.houday | 1025 | for mods in sql sqlcounter attr_filter expiration logintime pap expr always |
2454 | tom.houday | 1026 | do |
1027 | ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
||
1028 | done |
||
2423 | richard | 1029 | # Configure SQL mod |
2420 | richard | 1030 | [ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default |
2423 | richard | 1031 | $SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql |
1032 | $SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql |
||
2420 | richard | 1033 | $SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql |
2423 | richard | 1034 | $SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql |
1035 | $SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql |
||
1036 | $SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql |
||
1037 | $SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql |
||
2454 | tom.houday | 1038 | # queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
2420 | richard | 1039 | [ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default |
1040 | cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf |
||
1041 | chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf |
||
2421 | richard | 1042 | # sqlcounter modifications |
2470 | richard | 1043 | [ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default |
1044 | cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter |
||
1045 | chown -R radius:radius /etc/raddb/mods-available/sqlcounter |
||
2421 | richard | 1046 | # make certain that mysql is up before freeradius start |
1358 | richard | 1047 | [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default |
1048 | $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service |
||
1574 | richard | 1049 | /usr/bin/systemctl daemon-reload |
2597 | tom.houday | 1050 | # Allow apache to change some conf files (ie : ldap on/off) |
1051 | chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
||
2421 | richard | 1052 | } # End freeradius () |
1 | root | 1053 | |
2423 | richard | 1054 | ############################################################################# |
2552 | rexy | 1055 | ## Function "chilli" ## |
2423 | richard | 1056 | ## - Creation of the conf file and init file (systemd) for coova-chilli ## |
1057 | ## - Adapt the authentication web page (intercept.php) ## |
||
1058 | ############################################################################# |
||
1389 | richard | 1059 | chilli () |
1 | root | 1060 | { |
1370 | richard | 1061 | # chilli unit for systemd |
2324 | tom.houday | 1062 | cat << EOF > /lib/systemd/system/chilli.service |
1372 | richard | 1063 | # This file is part of systemd. |
1064 | # |
||
1065 | # systemd is free software; you can redistribute it and/or modify it |
||
1066 | # under the terms of the GNU General Public License as published by |
||
1067 | # the Free Software Foundation; either version 2 of the License, or |
||
1068 | # (at your option) any later version. |
||
1370 | richard | 1069 | [Unit] |
1070 | Description=chilli is a captive portal daemon |
||
1071 | After=network.target |
||
1072 | |||
1073 | [Service] |
||
1379 | richard | 1074 | Type=forking |
1370 | richard | 1075 | ExecStart=/usr/libexec/chilli start |
1076 | ExecStop=/usr/libexec/chilli stop |
||
1077 | ExecReload=/usr/libexec/chilli reload |
||
1078 | PIDFile=/var/run/chilli.pid |
||
1079 | |||
1080 | [Install] |
||
1081 | WantedBy=multi-user.target |
||
1082 | EOF |
||
799 | richard | 1083 | # init file creation |
1370 | richard | 1084 | [ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default |
1801 | richard | 1085 | cat <<EOF > /etc/init.d/chilli |
799 | richard | 1086 | #!/bin/sh |
1087 | # |
||
1088 | # chilli CoovaChilli init |
||
1089 | # |
||
1090 | # chkconfig: 2345 65 35 |
||
1091 | # description: CoovaChilli |
||
1092 | ### BEGIN INIT INFO |
||
1093 | # Provides: chilli |
||
2454 | tom.houday | 1094 | # Required-Start: network |
1095 | # Should-Start: |
||
799 | richard | 1096 | # Required-Stop: network |
2454 | tom.houday | 1097 | # Should-Stop: |
799 | richard | 1098 | # Default-Start: 2 3 5 |
1099 | # Default-Stop: |
||
1100 | # Description: CoovaChilli access controller |
||
1101 | ### END INIT INFO |
||
1102 | |||
1103 | [ -f /usr/sbin/chilli ] || exit 0 |
||
1104 | . /etc/init.d/functions |
||
1105 | CONFIG=/etc/chilli.conf |
||
1106 | pidfile=/var/run/chilli.pid |
||
1107 | [ -f \$CONFIG ] || { |
||
2394 | tom.houday | 1108 | echo "\$CONFIG Not found" |
1109 | exit 0 |
||
799 | richard | 1110 | } |
2376 | tom.houday | 1111 | current_users_file="/var/tmp/havp/current_users.txt" # file containing active users |
799 | richard | 1112 | RETVAL=0 |
1113 | prog="chilli" |
||
1114 | case \$1 in |
||
2394 | tom.houday | 1115 | start) |
2454 | tom.houday | 1116 | if [ -f \$pidfile ] ; then |
2394 | tom.houday | 1117 | gprintf "chilli is already running" |
1118 | else |
||
1119 | gprintf "Starting \$prog: " |
||
1120 | echo '' > \$current_users_file && chown apache:apache \$current_users_file |
||
1121 | rm -f /var/run/chilli* # cleaning |
||
1122 | /usr/sbin/modprobe tun >/dev/null 2>&1 |
||
1123 | echo 1 > /proc/sys/net/ipv4/ip_forward |
||
1124 | [ -e /dev/net/tun ] || { |
||
2454 | tom.houday | 1125 | (cd /dev; |
1126 | mkdir net; |
||
1127 | cd net; |
||
2394 | tom.houday | 1128 | mknod tun c 10 200) |
1129 | } |
||
1130 | ifconfig $INTIF 0.0.0.0 |
||
1131 | /usr/sbin/ethtool -K $INTIF gro off |
||
1132 | daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile & |
||
1133 | RETVAL=\$? |
||
1134 | fi |
||
1135 | ;; |
||
799 | richard | 1136 | |
2394 | tom.houday | 1137 | reload) |
1138 | killall -HUP chilli |
||
1139 | ;; |
||
799 | richard | 1140 | |
2394 | tom.houday | 1141 | restart) |
1142 | \$0 stop |
||
1143 | sleep 2 |
||
1144 | \$0 start |
||
1145 | ;; |
||
799 | richard | 1146 | |
2394 | tom.houday | 1147 | status) |
1148 | status chilli |
||
1149 | RETVAL=0 |
||
1150 | ;; |
||
1151 | |||
1152 | stop) |
||
2454 | tom.houday | 1153 | if [ -f \$pidfile ] ; then |
2394 | tom.houday | 1154 | gprintf "Shutting down \$prog: " |
1155 | killproc /usr/sbin/chilli |
||
1156 | RETVAL=\$? |
||
1157 | [ \$RETVAL = 0 ] && rm -f \$pidfile |
||
1158 | [ -e \$current_users_file ] && rm -f \$current_users_file |
||
2454 | tom.houday | 1159 | else |
2394 | tom.houday | 1160 | gprintf "chilli is not running" |
1161 | fi |
||
1162 | ;; |
||
1163 | |||
1164 | *) |
||
1165 | echo "Usage: \$0 {start|stop|restart|reload|status}" |
||
1166 | exit 1 |
||
799 | richard | 1167 | esac |
1168 | echo |
||
1169 | EOF |
||
2324 | tom.houday | 1170 | chmod a+x /etc/init.d/chilli |
1171 | ln -s /etc/init.d/chilli /usr/libexec/chilli |
||
799 | richard | 1172 | # conf file creation |
346 | richard | 1173 | [ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default |
2016 | raphael.pi | 1174 | #NTP Option configuration for DHCP |
2032 | richard | 1175 | #DHCP Options : rfc2132 |
1176 | #dhcp option value will be convert in hexa. |
||
1177 | #NTP option (or 'option 42') is like : |
||
2454 | tom.houday | 1178 | # |
2032 | richard | 1179 | # Code Len Address 1 Address 2 |
1180 | # +-----+-----+-----+-----+-----+-----+-----+-----+-- |
||
1181 | # | 42 | n | a1 | a2 | a3 | a4 | a1 | a2 | ... |
||
1182 | # +-----+-----+-----+-----+-----+-----+-----+-----+-- |
||
1183 | # |
||
1184 | #Code : 42 => 2a |
||
1185 | #Len : 4 => 04 |
||
2688 | lucas.echa | 1186 | PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)") |
346 | richard | 1187 | cat <<EOF > /etc/chilli.conf |
1188 | # coova config for ALCASAR |
||
1189 | cmdsocket /var/run/chilli.sock |
||
1336 | richard | 1190 | unixipc chilli.$INTIF.ipc |
1551 | richard | 1191 | pidfile /var/run/chilli.pid |
346 | richard | 1192 | net $PRIVATE_NETWORK_MASK |
595 | richard | 1193 | dhcpif $INTIF |
841 | richard | 1194 | ethers $DIR_DEST_ETC/alcasar-ethers |
861 | richard | 1195 | #nodynip |
865 | richard | 1196 | #statip |
1197 | dynip $PRIVATE_NETWORK_MASK |
||
1249 | richard | 1198 | domain $DOMAIN |
355 | richard | 1199 | dns1 $PRIVATE_IP |
1200 | dns2 $PRIVATE_IP |
||
346 | richard | 1201 | uamlisten $PRIVATE_IP |
503 | richard | 1202 | uamport 3990 |
2370 | tom.houday | 1203 | uamuiport 3991 |
837 | richard | 1204 | macauth |
1205 | macpasswd password |
||
1697 | richard | 1206 | strictmacauth |
1243 | richard | 1207 | locationname $HOSTNAME.$DOMAIN |
346 | richard | 1208 | radiusserver1 127.0.0.1 |
1209 | radiusserver2 127.0.0.1 |
||
1210 | radiussecret $secretradius |
||
1211 | radiusauthport 1812 |
||
1212 | radiusacctport 1813 |
||
1243 | richard | 1213 | uamserver https://$HOSTNAME.$DOMAIN/intercept.php |
2374 | tom.houday | 1214 | redirurl |
1243 | richard | 1215 | radiusnasid $HOSTNAME.$DOMAIN |
346 | richard | 1216 | uamsecret $secretuam |
1249 | richard | 1217 | uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN |
346 | richard | 1218 | coaport 3799 |
1379 | richard | 1219 | conup $DIR_DEST_BIN/alcasar-conup.sh |
1220 | condown $DIR_DEST_BIN/alcasar-condown.sh |
||
2594 | tom.houday | 1221 | macup $DIR_DEST_BIN/alcasar-macup.sh |
503 | richard | 1222 | include $DIR_DEST_ETC/alcasar-uamallowed |
1223 | include $DIR_DEST_ETC/alcasar-uamdomain |
||
2016 | raphael.pi | 1224 | dhcpopt 2a04$PRIVATE_IP_HEXA |
1613 | franck | 1225 | #dhcpgateway none |
1226 | #dhcprelayagent none |
||
1610 | franck | 1227 | #dhcpgatewayport none |
2234 | richard | 1228 | sslkeyfile /etc/pki/tls/private/alcasar.key |
1229 | sslcertfile /etc/pki/tls/certs/alcasar.crt |
||
1230 | redirssl |
||
2370 | tom.houday | 1231 | uamuissl |
346 | richard | 1232 | EOF |
2274 | richard | 1233 | # create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0) |
977 | richard | 1234 | echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers |
2274 | richard | 1235 | echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info |
840 | richard | 1236 | # create files for trusted domains and urls |
1148 | crox53 | 1237 | touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain |
503 | richard | 1238 | chown root:apache $DIR_DEST_ETC/alcasar-* |
1239 | chmod 660 $DIR_DEST_ETC/alcasar-* |
||
847 | richard | 1240 | # Configuration des fichier WEB d'interception (secret partagé avec coova-chilli) |
526 | stephane | 1241 | $SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php |
796 | richard | 1242 | # user 'chilli' creation (in order to run conup/off and up/down scripts |
2396 | tom.houday | 1243 | chilli_exist=`grep -c ^chilli: /etc/passwd` |
796 | richard | 1244 | if [ "$chilli_exist" == "1" ] |
1245 | then |
||
2454 | tom.houday | 1246 | userdel -r chilli 2>/dev/null |
796 | richard | 1247 | fi |
1248 | groupadd -f chilli |
||
1249 | useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli |
||
1389 | richard | 1250 | } # End of chilli () |
1349 | richard | 1251 | |
2541 | rexy | 1252 | ################################################################ |
2521 | armand.ito | 1253 | ## Function "e2guardian" ## |
2541 | rexy | 1254 | ## - Set the parameters of this HTML proxy (as controler) ## |
1255 | ################################################################ |
||
2521 | armand.ito | 1256 | e2guardian () |
1 | root | 1257 | { |
2521 | armand.ito | 1258 | mkdir -p /var/e2guardian /var/log/e2guardian |
1259 | chown -R e2guardian /var/e2guardian /var/log/e2guardian |
||
1260 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service |
||
1261 | $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service |
||
1262 | [ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
||
2454 | tom.houday | 1263 | # By default the filter is off |
2521 | armand.ito | 1264 | $SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf |
1293 | richard | 1265 | # French deny HTML page |
2521 | armand.ito | 1266 | $SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf |
1293 | richard | 1267 | # Listen only on LAN side |
2521 | armand.ito | 1268 | $SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
1342 | richard | 1269 | # DG send its flow to HAVP |
2521 | armand.ito | 1270 | $SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf |
1293 | richard | 1271 | # replace the default deny HTML page |
2521 | armand.ito | 1272 | cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/ |
1273 | cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
||
1293 | richard | 1274 | # Don't log |
2521 | armand.ito | 1275 | $SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
2519 | rexy | 1276 | # # Change the default report page |
2521 | armand.ito | 1277 | $SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf |
2519 | rexy | 1278 | # Disable HTML content control |
2521 | armand.ito | 1279 | $SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
497 | richard | 1280 | cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
1281 | $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas) |
||
2519 | rexy | 1282 | # Disable URL control with regex |
497 | richard | 1283 | cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
1284 | $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas) |
||
2521 | armand.ito | 1285 | # Configure E2guardian for large site |
1721 | richard | 1286 | # Minimum number of processus to handle connections |
2521 | armand.ito | 1287 | $SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf |
1721 | richard | 1288 | # Maximum number of processus to handle connections |
2521 | armand.ito | 1289 | $SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf |
1721 | richard | 1290 | # Run at least 8 daemons |
2521 | armand.ito | 1291 | $SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf |
1721 | richard | 1292 | # minimum number of processes to spawn |
2521 | armand.ito | 1293 | $SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf |
1721 | richard | 1294 | # maximum age of a child process before it croaks it |
2521 | armand.ito | 1295 | $SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf |
2519 | rexy | 1296 | # Disable download files control |
2521 | armand.ito | 1297 | [ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
1298 | $SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf |
||
497 | richard | 1299 | [ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default |
1300 | [ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default |
||
1301 | touch $DIR_DG/lists/bannedextensionlist |
||
1302 | touch $DIR_DG/lists/bannedmimetypelist |
||
1303 | # 'Safesearch' regex actualisation |
||
498 | richard | 1304 | $SED "s?images?search?g" $DIR_DG/lists/urlregexplist |
497 | richard | 1305 | # empty LAN IP list that won't be WEB filtered |
1306 | [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default |
||
1307 | touch $DIR_DG/lists/exceptioniplist |
||
1308 | # Keep a copy of URL & domain filter configuration files |
||
1309 | [ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default |
||
1310 | [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default |
||
2521 | armand.ito | 1311 | } # End of e2guardian () |
1 | root | 1312 | |
71 | richard | 1313 | ################################################################## |
2519 | rexy | 1314 | ## Function "antivirus" ## |
1315 | ## - Set the parameters of havp, libclamav and freshclam ## |
||
71 | richard | 1316 | ################################################################## |
2454 | tom.houday | 1317 | antivirus () |
71 | richard | 1318 | { |
1358 | richard | 1319 | # create 'havp' user |
2396 | tom.houday | 1320 | havp_exist=`grep -c ^havp: /etc/passwd` |
307 | richard | 1321 | if [ "$havp_exist" == "1" ] |
288 | richard | 1322 | then |
2454 | tom.houday | 1323 | userdel -r havp 2>/dev/null |
1324 | groupdel havp 2>/dev/null |
||
288 | richard | 1325 | fi |
307 | richard | 1326 | groupadd -f havp |
1486 | richard | 1327 | useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp |
1841 | richard | 1328 | mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav |
1484 | richard | 1329 | chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp |
1841 | richard | 1330 | chown -R clamav:clamav /var/log/clamav /var/lib/clamav |
109 | richard | 1331 | [ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default |
1332 | $SED "/^REMOVETHISLINE/d" /etc/havp/havp.config |
||
1484 | richard | 1333 | $SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile |
1334 | $SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode |
||
631 | richard | 1335 | $SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback |
1485 | richard | 1336 | $SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback) |
990 | franck | 1337 | $SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format |
631 | richard | 1338 | $SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV |
1339 | $SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches |
||
659 | richard | 1340 | $SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously |
835 | richard | 1341 | $SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files |
1342 | $SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files |
||
1007 | richard | 1343 | # skip checking of youtube flow (too heavy load / risk too low) |
1344 | [ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default |
||
1345 | echo "# Whitelist youtube flow" >> /etc/havp/whitelist |
||
1346 | echo "*.youtube.com/*" >> /etc/havp/whitelist |
||
1544 | richard | 1347 | # adapt init script and systemd unit |
335 | richard | 1348 | [ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default |
481 | franck | 1349 | cp -f $DIR_CONF/havp-init /etc/init.d/havp |
1547 | richard | 1350 | [ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default |
1351 | $SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service |
||
1544 | richard | 1352 | $SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service |
1358 | richard | 1353 | # replace of the intercept page (template) |
340 | richard | 1354 | cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html |
1355 | cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html |
||
1358 | richard | 1356 | # update virus database every 4 hours (24h/6) |
1357 | richard | 1357 | [ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default |
1358 | $SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf |
||
489 | richard | 1359 | $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
1357 | richard | 1360 | $SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf |
1358 | richard | 1361 | $SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf |
1362 | $SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf |
||
1385 | richard | 1363 | # update now |
1382 | richard | 1364 | /usr/bin/freshclam --no-warnings |
1389 | richard | 1365 | } # End of antivirus () |
71 | richard | 1366 | |
2519 | rexy | 1367 | ################################################################################ |
1368 | ## Function "tinyproxy" ## |
||
2552 | rexy | 1369 | ## - Set the parameters of tinyproxy (proxy between filtered users and havp) ## |
2519 | rexy | 1370 | ################################################################################ |
2454 | tom.houday | 1371 | tinyproxy () |
1485 | richard | 1372 | { |
2396 | tom.houday | 1373 | tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd` |
1486 | richard | 1374 | if [ "$tinyproxy_exist" == "1" ] |
1375 | then |
||
2454 | tom.houday | 1376 | userdel -r tinyproxy 2>/dev/null |
1377 | groupdel tinyproxy 2>/dev/null |
||
1486 | richard | 1378 | fi |
1379 | groupadd -f tinyproxy |
||
1488 | richard | 1380 | useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy |
1668 | richard | 1381 | mkdir -p /var/run/tinyproxy /var/log/tinyproxy |
1382 | chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy |
||
1486 | richard | 1383 | [ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default |
1384 | $SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf |
||
1385 | $SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf |
||
1386 | $SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port |
||
1387 | $SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif) |
||
1508 | richard | 1388 | $SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf |
1518 | richard | 1389 | $SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf |
1486 | richard | 1390 | $SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged |
1391 | $SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP |
||
1392 | $SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode |
||
1544 | richard | 1393 | $SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN |
1509 | richard | 1394 | # Create the systemd unit |
1395 | cat << EOF > /lib/systemd/system/tinyproxy.service |
||
1396 | # This file is part of systemd. |
||
1397 | # |
||
1398 | # systemd is free software; you can redistribute it and/or modify it |
||
1399 | # under the terms of the GNU General Public License as published by |
||
1400 | # the Free Software Foundation; either version 2 of the License, or |
||
1401 | # (at your option) any later version. |
||
1485 | richard | 1402 | |
1509 | richard | 1403 | # This unit launches tinyproxy (a very light proxy). |
1518 | richard | 1404 | # The "sleep 2" is needed because the pid file isn't ready for systemd |
1509 | richard | 1405 | [Unit] |
1406 | Description=Tinyproxy Web Proxy Server |
||
1407 | After=network.target iptables.service |
||
1408 | |||
1409 | [Service] |
||
1410 | Type=forking |
||
1518 | richard | 1411 | ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy |
1412 | ExecStartPre=/bin/sleep 2 |
||
1413 | PIDFile=/var/run/tinyproxy/tinyproxy.pid |
||
1509 | richard | 1414 | ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf |
1415 | |||
1416 | [Install] |
||
1417 | WantedBy=multi-user.target |
||
1418 | EOF |
||
1419 | |||
1485 | richard | 1420 | } # end of tinyproxy |
2519 | rexy | 1421 | ############################################################################## |
1422 | ## function "ulogd" ## |
||
1423 | ## - Ulog config for multi-log files ## |
||
1424 | ############################################################################## |
||
1389 | richard | 1425 | ulogd () |
476 | richard | 1426 | { |
1427 | # Three instances of ulogd (three different logfiles) |
||
1428 | [ -d /var/log/firewall ] || mkdir -p /var/log/firewall |
||
478 | richard | 1429 | nl=1 |
1358 | richard | 1430 | for log_type in traceability ssh ext-access |
478 | richard | 1431 | do |
1365 | richard | 1432 | [ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service |
1369 | richard | 1433 | [ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log |
1375 | richard | 1434 | cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf |
1704 | richard | 1435 | $SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf |
478 | richard | 1436 | cat << EOF >> /etc/ulogd-$log_type.conf |
1452 | richard | 1437 | [emu1] |
478 | richard | 1438 | file="/var/log/firewall/$log_type.log" |
1439 | sync=1 |
||
1440 | EOF |
||
1452 | richard | 1441 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service |
478 | richard | 1442 | nl=`expr $nl + 1` |
1443 | done |
||
476 | richard | 1444 | chown -R root:apache /var/log/firewall |
1445 | chmod 750 /var/log/firewall |
||
1446 | chmod 640 /var/log/firewall/* |
||
1389 | richard | 1447 | } # End of ulogd () |
476 | richard | 1448 | |
1159 | crox53 | 1449 | |
1450 | ########################################################## |
||
2519 | rexy | 1451 | ## Function "nfsen" ## |
1452 | ## - install the nfsen grapher ## |
||
1453 | ## - install the two plugins porttracker & surfmap ## |
||
1159 | crox53 | 1454 | ########################################################## |
1389 | richard | 1455 | nfsen() |
1 | root | 1456 | { |
2330 | tom.houday | 1457 | tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/ |
1365 | richard | 1458 | # Add PortTracker plugin |
1534 | richard | 1459 | for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins |
1395 | richard | 1460 | do |
2330 | tom.houday | 1461 | [ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i |
1395 | richard | 1462 | done |
2330 | tom.houday | 1463 | $SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm |
1365 | richard | 1464 | # use of our conf file and init unit |
2330 | tom.houday | 1465 | cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/ |
1570 | richard | 1466 | # Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version) |
1221 | richard | 1467 | DirTmp=$(pwd) |
2688 | lucas.echa | 1468 | cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; } |
1570 | richard | 1469 | /usr/bin/perl install.pl etc/nfsen.conf |
1470 | /usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable" |
||
1365 | richard | 1471 | # Create RRD DB for porttracker (only in it still doesn't exist) |
1570 | richard | 1472 | cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/ |
1473 | cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/ |
||
1395 | richard | 1474 | if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi |
1475 | chmod -R 770 /var/log/netflow/porttracker |
||
1372 | richard | 1476 | # nfsen unit for systemd |
2330 | tom.houday | 1477 | cat << EOF > /lib/systemd/system/nfsen.service |
1372 | richard | 1478 | # This file is part of systemd. |
1479 | # |
||
1480 | # systemd is free software; you can redistribute it and/or modify it |
||
1481 | # under the terms of the GNU General Public License as published by |
||
1482 | # the Free Software Foundation; either version 2 of the License, or |
||
1483 | # (at your option) any later version. |
||
1484 | |||
1485 | # This unit launches nfsen (a Netflow grapher). |
||
1486 | [Unit] |
||
1487 | Description= NfSen init script |
||
1488 | After=network.target iptables.service |
||
1489 | |||
1490 | [Service] |
||
1491 | Type=oneshot |
||
1492 | RemainAfterExit=yes |
||
1393 | richard | 1493 | PIDFile=/var/run/nfsen/nfsen.pid |
1494 | ExecStartPre=/bin/mkdir -p /var/run/nfsen |
||
1495 | ExecStartPre=/bin/chown apache:apache /var/run/nfsen |
||
2454 | tom.houday | 1496 | ExecStart=/usr/bin/nfsen start |
1372 | richard | 1497 | ExecStop=/usr/bin/nfsen stop |
1393 | richard | 1498 | ExecReload=/usr/bin/nfsen restart |
1372 | richard | 1499 | TimeoutSec=0 |
1500 | |||
1501 | [Install] |
||
1502 | WantedBy=multi-user.target |
||
1503 | EOF |
||
1365 | richard | 1504 | # Add the listen port to collect netflow packet (nfcapd) |
2688 | lucas.echa | 1505 | $SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm |
1365 | richard | 1506 | # expire delay for the profile "live" |
1574 | richard | 1507 | /usr/bin/systemctl start nfsen |
1393 | richard | 1508 | /bin/nfsen -m live -e 62d 2>/dev/null |
2643 | rexy | 1509 | # add SURFmap plugin (waiting for new technical solution) |
1510 | # see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450 |
||
1511 | # cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/ |
||
1512 | # cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/ |
||
1513 | # tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/ |
||
1514 | # cd /tmp/ |
||
2688 | lucas.echa | 1515 | # /usr/bin/sh SURFmap/install.sh |
2643 | rexy | 1516 | # clear the installation |
1517 | # rm -rf /tmp/SURFmap* |
||
2657 | tom.houday | 1518 | rm -rf /tmp/nfsen-* |
2688 | lucas.echa | 1519 | cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; } |
2581 | rexy | 1520 | chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen |
1389 | richard | 1521 | } # End of nfsen () |
1 | root | 1522 | |
2552 | rexy | 1523 | ########################################################### |
1524 | ## Function "vnstat" ## |
||
1525 | ## - Initialization of Vnstat and vnstat phpFrontEnd ## |
||
1526 | ########################################################### |
||
1541 | richard | 1527 | vnstat () |
1528 | { |
||
2330 | tom.houday | 1529 | [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default |
2589 | rexy | 1530 | $SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf |
2688 | lucas.echa | 1531 | $SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf |
2330 | tom.houday | 1532 | [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default |
1533 | $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php |
||
1534 | $SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php |
||
2589 | rexy | 1535 | /usr/bin/vnstat -i $EXTIF -u --force |
2281 | tom.houday | 1536 | } # End of vnstat |
1537 | |||
2558 | rexy | 1538 | ################################################################## |
1539 | ## Function "dnsmasq" ## |
||
1540 | ## - creation of the conf files of the 4 intances of dnsmasq ## |
||
1541 | ## - creation of the file managing domain name (local & remote) ## |
||
1542 | ################################################################## |
||
1389 | richard | 1543 | dnsmasq () |
219 | jeremy | 1544 | { |
1545 | [ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq |
||
2688 | lucas.echa | 1546 | [ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
1547 | # 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist") |
||
1928 | richard | 1548 | cat << EOF > /etc/dnsmasq-whitelist.conf |
1390 | richard | 1549 | # Configuration file for "dnsmasq with whitelist" |
1873 | richard | 1550 | # ADD Toulouse university whitelist domains |
1472 | richard | 1551 | pid-file=/var/run/dnsmasq-whitelist.pid |
2688 | lucas.echa | 1552 | listen-address=127.0.0.1 |
1356 | richard | 1553 | port=55 |
1472 | richard | 1554 | no-dhcp-interface=lo |
1356 | richard | 1555 | bind-interfaces |
1721 | richard | 1556 | cache-size=1024 |
1356 | richard | 1557 | domain-needed |
1558 | expand-hosts |
||
1559 | bogus-priv |
||
1560 | filterwin2k |
||
2688 | lucas.echa | 1561 | ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules |
1562 | server=$DNS1 |
||
1563 | server=$DNS2 |
||
1356 | richard | 1564 | EOF |
2688 | lucas.echa | 1565 | |
1566 | # Create dnsmasq-whitelist unit |
||
1567 | mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
||
1568 | cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service |
||
1569 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
||
1570 | $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
||
1571 | } # End dnsmasq |
||
1572 | |||
1573 | ################################################## |
||
1574 | ## Function "unbound" ## |
||
1575 | ################################################## |
||
1576 | unbound () |
||
1577 | { |
||
1578 | [ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d |
||
1579 | [ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common |
||
1580 | [ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward |
||
1581 | [ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns |
||
1582 | [ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward |
||
1583 | [ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist |
||
1584 | [ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist |
||
1585 | [ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole |
||
1586 | [ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; } |
||
1587 | [ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default |
||
1588 | |||
1589 | # Local static DNS configuration |
||
1590 | [ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf |
||
1591 | |||
1592 | # Forward zone configuration file for all unbound dns servers |
||
1593 | cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf |
||
1594 | forward-zone: |
||
1595 | name: "." |
||
1596 | forward-addr: $DNS1 |
||
1597 | forward-addr: $DNS2 |
||
1472 | richard | 1598 | EOF |
1599 | |||
2688 | lucas.echa | 1600 | # Custom configuration file for manual DNS configuration |
1601 | cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf |
||
1602 | ## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS |
||
1603 | ## Add one block for each domain name managed by an other DNS server |
||
1604 | ## |
||
1605 | ## Example: |
||
1606 | ## |
||
1607 | ## server: |
||
1608 | ## local-zone: "<your_domain>." transparent |
||
1609 | ## forward-zone: |
||
1610 | ## name: "<your_domain>." |
||
1611 | ## forward-addr: <@IP_domain_server> |
||
1612 | ## |
||
2558 | rexy | 1613 | ## INFO : local hostnames are resolved in /etc/hosts file |
1614 | EOF |
||
1615 | |||
2688 | lucas.echa | 1616 | # Configuration file of ALCASAR main domains for $INTIF |
1617 | cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
||
1618 | server: |
||
1619 | local-zone: "$HOSTNAME.$DOMAIN" static |
||
1620 | local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
||
1621 | local-zone: "$HOSTNAME" static |
||
1622 | local-data: "$HOSTNAME A $PRIVATE_IP" |
||
1623 | local-zone: "$DOMAIN." static |
||
1624 | local-data: "$DOMAIN. A" |
||
1625 | EOF |
||
1626 | |||
1627 | # Configuration file for lo of forward unbound |
||
1628 | cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
||
1629 | server: |
||
1630 | interface: 127.0.0.1@53 |
||
1631 | access-control-view: 127.0.0.1/8 lo |
||
1632 | |||
1633 | view: |
||
1634 | name: "lo" |
||
1635 | local-zone: "$HOSTNAME.$DOMAIN" static |
||
1636 | local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
||
1637 | local-zone: "$HOSTNAME" static |
||
1638 | local-data: "$HOSTNAME A 127.0.0.1" |
||
1639 | local-zone: "$DOMAIN." static |
||
1640 | local-data: "$DOMAIN. A" |
||
1641 | view-first: yes |
||
1642 | EOF |
||
1643 | |||
1644 | # Configuration file for $INTIF of forward unbound |
||
1645 | cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
||
1646 | server: |
||
1647 | interface: ${PRIVATE_IP}@53 |
||
1648 | access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
||
1649 | |||
1650 | view: |
||
1651 | name: "$INTIF" |
||
1652 | local-zone: "$HOSTNAME.$DOMAIN" static |
||
1653 | local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
||
1654 | local-zone: "$HOSTNAME" static |
||
1655 | local-data: "$HOSTNAME A $PRIVATE_IP" |
||
1656 | view-first: yes |
||
1657 | EOF |
||
1658 | |||
1659 | # Configuration file for forward unbound |
||
1660 | cat << EOF > /etc/unbound/unbound.conf |
||
1661 | server: |
||
1662 | verbosity: 1 |
||
1663 | hide-version: yes |
||
1664 | hide-identity: yes |
||
1665 | do-ip6: no |
||
1666 | |||
1667 | include: /etc/unbound/conf.d/common/forward-zone.conf |
||
1668 | include: /etc/unbound/conf.d/common/local-forward/* |
||
1669 | include: /etc/unbound/conf.d/common/local-dns/* |
||
1670 | include: /etc/unbound/conf.d/forward/* |
||
1671 | EOF |
||
1672 | |||
1673 | # Configuration file for $INTIF of blacklist unbound |
||
1674 | cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
||
1675 | server: |
||
1676 | interface: ${PRIVATE_IP}@54 |
||
1677 | access-control: $PRIVATE_IP_MASK allow |
||
1678 | access-control-tag: $PRIVATE_IP_MASK "blacklist" |
||
1679 | access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
||
1680 | access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
||
1681 | EOF |
||
1682 | |||
1683 | # Configuration file for blacklist unbound |
||
1684 | cat << EOF > /etc/unbound/unbound-blacklist.conf |
||
1685 | server: |
||
1686 | verbosity: 1 |
||
1687 | hide-version: yes |
||
1688 | hide-identity: yes |
||
1689 | do-ip6: no |
||
1690 | logfile: "/var/log/unbound/unbound-blacklist.log" |
||
1691 | chroot: "" |
||
1692 | define-tag: "blacklist" |
||
1693 | log-local-actions: yes |
||
1694 | |||
1695 | include: /etc/unbound/conf.d/common/forward-zone.conf |
||
1696 | include: /etc/unbound/conf.d/common/local-forward/* |
||
1697 | include: /etc/unbound/conf.d/common/local-dns/* |
||
1698 | include: /etc/unbound/conf.d/blacklist/* |
||
1699 | |||
1700 | include: /usr/local/share/unbound-bl-enabled/* |
||
1701 | EOF |
||
1702 | |||
1703 | # Configuration file for $INTIF of whitelist unbound |
||
1704 | cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
||
1705 | server: |
||
1706 | interface: ${PRIVATE_IP}@55 |
||
1707 | access-control: $PRIVATE_IP_MASK allow |
||
1708 | access-control-tag: $PRIVATE_IP_MASK "whitelist" |
||
1709 | access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
||
1710 | access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
||
1711 | EOF |
||
1712 | |||
1713 | # Configuration file for whitelist unbound |
||
1714 | cat << EOF > /etc/unbound/unbound-whitelist.conf |
||
1715 | server: |
||
1716 | verbosity: 1 |
||
1717 | hide-version: yes |
||
1718 | hide-identity: yes |
||
1719 | do-ip6: no |
||
1720 | do-not-query-localhost: no |
||
1721 | define-tag: "whitelist" |
||
1722 | |||
1723 | local-zone: "." transparent |
||
1724 | local-zone-tag: "." "whitelist" |
||
1725 | |||
1726 | include: /usr/local/share/unbound-wl-enabled/* |
||
1727 | include: /etc/unbound/conf.d/whitelist/* |
||
1728 | include: /etc/unbound/conf.d/common/local-dns/* |
||
1729 | include: /etc/unbound/conf.d/common/local-forward/* |
||
1730 | |||
1731 | forward-zone: |
||
1732 | name: "." |
||
1733 | forward-addr: 127.0.0.1@55 |
||
1734 | EOF |
||
1735 | |||
1736 | # Configuration file for $INTIF of blackhole unbound |
||
1737 | cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
||
1738 | server: |
||
1739 | interface: ${PRIVATE_IP}@56 |
||
1740 | access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
||
1741 | |||
1742 | view: |
||
1743 | name: "$INTIF" |
||
1744 | local-zone: "." redirect |
||
1745 | local-data: ". A $PRIVATE_IP" |
||
1746 | EOF |
||
1747 | |||
1748 | # Configuration file for blackhole unbound |
||
1749 | cat << EOF > /etc/unbound/unbound-blackhole.conf |
||
1750 | server: |
||
1751 | verbosity: 1 |
||
1752 | hide-version: yes |
||
1753 | hide-identity: yes |
||
1754 | do-ip6: no |
||
1755 | |||
1756 | include: /etc/unbound/conf.d/blackhole/* |
||
1757 | include: /etc/unbound/conf.d/common/local-dns/* |
||
1758 | include: /etc/unbound/conf.d/common/local-forward/* |
||
1759 | EOF |
||
1760 | |||
1761 | if [ ! -e /lib/systemd/system/unbound.service.default ] |
||
1762 | then |
||
1763 | cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default |
||
1764 | fi |
||
1765 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service |
||
1766 | $SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service |
||
1767 | |||
1768 | for list in blacklist blackhole whitelist |
||
1474 | richard | 1769 | do |
2688 | lucas.echa | 1770 | cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service |
1771 | $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service |
||
1772 | $SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service |
||
1474 | richard | 1773 | done |
308 | richard | 1774 | |
2688 | lucas.echa | 1775 | $SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service |
1776 | } # End unbound |
||
1777 | |||
2689 | lucas.echa | 1778 | ################################################## |
1779 | ## Function "dhcpd" ## |
||
1780 | ################################################## |
||
1781 | dhcpd () |
||
1782 | { |
||
1783 | [ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default |
||
1784 | |||
1785 | cat <<EOF > /etc/dhcpd.conf |
||
1786 | ddns-update-style none; |
||
1787 | subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK { |
||
1788 | option routers $PRIVATE_IP; |
||
1789 | option subnet-mask $PRIVATE_NETMASK; |
||
1790 | option domain-name-servers $PRIVATE_IP; |
||
1791 | |||
1792 | range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP; |
||
1793 | default-lease-time 21600; |
||
1794 | max-lease-time 43200; |
||
1795 | } |
||
1796 | EOF |
||
1797 | } |
||
1798 | |||
2552 | rexy | 1799 | ########################################################## |
1800 | ## Function "BL" ## |
||
1801 | ## - copy Toulouse BL ## |
||
1802 | ## - adapt this BL to ALCASAR architecture ## |
||
2688 | lucas.echa | 1803 | ## - domain names for unbound-bl & unbound-wl ## |
2552 | rexy | 1804 | ## - URLs for E²guardian ## |
1805 | ## - IPs for NetFilter ## |
||
1806 | ########################################################## |
||
308 | richard | 1807 | BL () |
1808 | { |
||
1930 | richard | 1809 | # copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt) |
648 | richard | 1810 | rm -rf $DIR_DG/lists/blacklists |
1930 | richard | 1811 | mkdir -p /tmp/blacklists |
1938 | richard | 1812 | cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/ |
1383 | richard | 1813 | # creation of file for the rehabilited domains and urls |
648 | richard | 1814 | [ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default |
673 | richard | 1815 | [ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default |
648 | richard | 1816 | touch $DIR_DG/lists/exceptionsitelist |
1817 | touch $DIR_DG/lists/exceptionurllist |
||
2521 | armand.ito | 1818 | # On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian |
648 | richard | 1819 | cat <<EOF > $DIR_DG/lists/bannedurllist |
2521 | armand.ito | 1820 | # E2guardian filter config for ALCASAR |
311 | richard | 1821 | EOF |
648 | richard | 1822 | cat <<EOF > $DIR_DG/lists/bannedsitelist |
2521 | armand.ito | 1823 | # E2guardian domain filter config for ALCASAR |
311 | richard | 1824 | # block all sites except those in the exceptionsitelist --> liste blanche (désactivée) |
1825 | #** |
||
1826 | # block all SSL and CONNECT tunnels |
||
1827 | **s |
||
1828 | # block all SSL and CONNECT tunnels specified only as an IP |
||
1829 | *ips |
||
1830 | # block all sites specified only by an IP |
||
1831 | *ip |
||
1832 | EOF |
||
1852 | raphael.pi | 1833 | # Add Bing to the safesearch url regext list (parental control) |
878 | richard | 1834 | cat <<EOF >> $DIR_DG/lists/urlregexplist |
1835 | # Bing - add 'adlt=strict' |
||
1836 | #"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict" |
||
1837 | EOF |
||
1913 | richard | 1838 | # change the google safesearch ("safe=strict" instead of "safe=vss") |
1003 | richard | 1839 | $SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist |
1925 | richard | 1840 | # creation of the custom BL and WL categorie named "ossi" (for domain names & ip only) |
1957 | richard | 1841 | mkdir -p $DIR_DG/lists/blacklists/ossi-bl |
1842 | touch $DIR_DG/lists/blacklists/ossi-bl/domains |
||
1843 | echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled |
||
1844 | mkdir -p $DIR_DG/lists/blacklists/ossi-wl |
||
1845 | touch $DIR_DG/lists/blacklists/ossi-wl/domains |
||
1846 | echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled |
||
1927 | richard | 1847 | # add custom ALCASAR BL files |
1957 | richard | 1848 | for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist") |
1849 | do |
||
1850 | mkdir $DIR_DG/lists/blacklists/ossi-bl-$x |
||
1851 | cp $DIR_BLACKLIST/$x $DIR_DG/lists/blacklists/ossi-bl-$x/domains |
||
1852 | echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled |
||
1853 | done |
||
2521 | armand.ito | 1854 | chown -R e2guardian:apache $DIR_DG |
1957 | richard | 1855 | chown -R root:apache $DIR_DEST_SHARE |
1856 | chmod -R g+rw $DIR_DG $DIR_DEST_SHARE |
||
1927 | richard | 1857 | # adapt the Toulouse BL to ALCASAR architecture |
1957 | richard | 1858 | $DIR_DEST_BIN/alcasar-bl.sh --adapt |
1925 | richard | 1859 | # enable the default categories |
1957 | richard | 1860 | $DIR_DEST_BIN/alcasar-bl.sh --cat_choice |
2560 | rexy | 1861 | rm -rf /tmp/blacklists |
2314 | richard | 1862 | } # End BL() |
219 | jeremy | 1863 | |
2552 | rexy | 1864 | ####################################################### |
1865 | ## Function "cron" ## |
||
1866 | ## - write all cron & anacron files ## |
||
1867 | ####################################################### |
||
1 | root | 1868 | cron () |
1869 | { |
||
2640 | rexy | 1870 | # 'crontab' with standard cron at midnight instead of 4:0 am (default) |
1 | root | 1871 | [ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default |
1872 | cat <<EOF > /etc/crontab |
||
1828 | richard | 1873 | SHELL=/usr/bin/bash |
2640 | rexy | 1874 | PATH=/sbin:/bin:/usr/sbin:/usr/bin |
1 | root | 1875 | MAILTO=root |
1876 | HOME=/ |
||
1877 | |||
1878 | # run-parts |
||
1879 | 01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly |
||
1880 | 02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily |
||
1881 | 22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly |
||
1882 | 42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly |
||
1883 | EOF |
||
1884 | [ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default |
||
1885 | cat <<EOF >> /etc/anacrontab |
||
2454 | tom.houday | 1886 | 7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql |
1887 | 7 10 cron.logExport nice /etc/cron.d/alcasar-archive |
||
1 | root | 1888 | EOF |
811 | richard | 1889 | cat <<EOF > /etc/cron.d/alcasar-mysql |
2640 | rexy | 1890 | # Verify, repair and export users database (every monday at 4:45 am) |
1828 | richard | 1891 | 45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump |
2640 | rexy | 1892 | # Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am) |
1828 | richard | 1893 | 40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null |
1 | root | 1894 | EOF |
952 | franck | 1895 | cat <<EOF > /etc/cron.d/alcasar-archive |
2640 | rexy | 1896 | # Archiving logs (traceability & users database) (every Monday at 5:35 am) |
952 | franck | 1897 | 35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now |
1898 | EOF |
||
2454 | tom.houday | 1899 | cat <<EOF > /etc/cron.d/alcasar-ticket-clean |
2640 | rexy | 1900 | # Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30') |
1566 | richard | 1901 | 30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh |
168 | franck | 1902 | EOF |
2454 | tom.houday | 1903 | cat <<EOF > /etc/cron.d/alcasar-distrib-updates |
2640 | rexy | 1904 | # Update the system (everyday at 3:30 am) |
762 | franck | 1905 | 30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1 |
722 | franck | 1906 | EOF |
2454 | tom.houday | 1907 | cat <<EOF > /etc/cron.d/alcasar-connections-stats |
1808 | richard | 1908 | # Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin). |
2640 | rexy | 1909 | # 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm) |
1910 | # 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm) |
||
1911 | # 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm) |
||
1912 | # 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm) |
||
1913 | # 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm) |
||
1808 | richard | 1914 | 1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1 |
1915 | 5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1 |
||
1916 | 10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1 |
||
1917 | 15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1 |
||
2009 | raphael.pi | 1918 | 35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1 |
1 | root | 1919 | EOF |
2454 | tom.houday | 1920 | cat <<EOF > /etc/cron.d/alcasar-watchdog |
2640 | rexy | 1921 | # 'alcasar-watchdog.sh' : run the "watchdog" (every 10') |
1922 | # 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am) |
||
1923 | # 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory |
||
2395 | tom.houday | 1924 | */10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1 |
1905 | raphael.pi | 1925 | |
2228 | franck | 1926 | #* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1 |
1 | root | 1927 | EOF |
2454 | tom.houday | 1928 | cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog |
2640 | rexy | 1929 | # start dead daemons (after boot process and every 18') |
1851 | franck | 1930 | @reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1 |
808 | franck | 1931 | */18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1 |
1932 | EOF |
||
2454 | tom.houday | 1933 | cat <<EOF > /etc/cron.d/alcasar-rsync-bl |
2640 | rexy | 1934 | # Automatic update the BL via rsync (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty). |
1905 | raphael.pi | 1935 | |
1874 | raphael.pi | 1936 | EOF |
2304 | tom.houday | 1937 | cat <<EOF > /etc/cron.d/alcasar-letsencrypt |
2640 | rexy | 1938 | # Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily") |
2304 | tom.houday | 1939 | @daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1 |
1940 | EOF |
||
1941 | |||
1808 | richard | 1942 | # removing the users crons |
522 | richard | 1943 | rm -f /var/spool/cron/* |
2314 | richard | 1944 | } # End cron() |
1 | root | 1945 | |
2552 | rexy | 1946 | ###################################################################### |
1947 | ## Fonction "Fail2Ban" ## |
||
1948 | ##- Adapt conf file to ALCASAR ## |
||
1949 | ##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ## |
||
1950 | ###################################################################### |
||
1163 | crox53 | 1951 | fail2ban() |
1952 | { |
||
2243 | tom.houday | 1953 | /usr/bin/sh $DIR_CONF/fail2ban.sh |
1474 | richard | 1954 | # Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp |
1192 | crox53 | 1955 | [ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log |
1489 | richard | 1956 | [ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log |
1165 | crox53 | 1957 | chmod 644 /var/log/fail2ban.log |
1489 | richard | 1958 | chmod 644 /var/Save/security/watchdog.log |
1418 | richard | 1959 | /usr/bin/touch /var/log/auth.log |
1515 | richard | 1960 | # fail2ban unit |
1961 | [ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default |
||
1962 | $SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service |
||
1963 | $SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service |
||
2488 | lucas.echa | 1964 | $SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service |
2314 | richard | 1965 | } # End fail2ban() |
1163 | crox53 | 1966 | |
2552 | rexy | 1967 | ######################################################### |
1968 | ## Fonction "gammu_smsd" ## |
||
1969 | ## - Creating of SMS management database ## |
||
1970 | ## - Write the gammu a gammu_smsd conf files ## |
||
1971 | ######################################################### |
||
1376 | richard | 1972 | gammu_smsd() |
1973 | { |
||
2601 | tom.houday | 1974 | # Create 'gammu' system user |
1975 | groupadd -f gammu_smsd |
||
1976 | useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd |
||
1977 | usermod -a -G dialout gammu_smsd |
||
1978 | |||
1979 | # Create 'gammu' database |
||
1980 | MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
||
2688 | lucas.echa | 1981 | $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;" |
1376 | richard | 1982 | # Add a gammu database structure |
2688 | lucas.echa | 1983 | /usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql |
1376 | richard | 1984 | |
2552 | rexy | 1985 | # Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port) |
2601 | tom.houday | 1986 | cat << EOF > /etc/gammurc |
2552 | rexy | 1987 | [gammu] |
1988 | device = /dev/ttyUSB0 |
||
1989 | connection = at115200 |
||
1990 | EOF |
||
1991 | |||
2601 | tom.houday | 1992 | cat << EOF > /etc/gammu_smsd_conf |
1376 | richard | 1993 | [gammu] |
1994 | port = /dev/ttyUSB0 |
||
1995 | connection = at115200 |
||
1996 | |||
1997 | [smsd] |
||
1998 | PIN = 1234 |
||
1999 | logfile = /var/log/gammu-smsd/gammu-smsd.log |
||
2000 | logformat = textall |
||
2001 | debuglevel = 0 |
||
2002 | |||
2003 | service = sql |
||
2004 | driver = native_mysql |
||
2005 | user = $DB_USER |
||
2006 | password = $radiuspwd |
||
2007 | pc = localhost |
||
2008 | database = $DB_GAMMU |
||
2009 | |||
2631 | rexy | 2010 | RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms |
1376 | richard | 2011 | |
2012 | StatusFrequency = 30 |
||
1380 | richard | 2013 | ;LoopSleep = 2 |
1376 | richard | 2014 | |
2015 | ;ResetFrequency = 300 |
||
2016 | ;HardResetFrequency = 120 |
||
2017 | |||
2454 | tom.houday | 2018 | CheckSecurity = 1 |
1376 | richard | 2019 | CheckSignal = 1 |
2020 | CheckBattery = 0 |
||
2021 | EOF |
||
2601 | tom.houday | 2022 | chmod 755 /etc/gammu_smsd_conf /etc/gammurc |
1376 | richard | 2023 | |
2601 | tom.houday | 2024 | # Create the systemd unit |
2025 | cat << EOF > /lib/systemd/system/gammu-smsd.service |
||
2026 | [Unit] |
||
2027 | Description=SMS daemon for Gammu |
||
2028 | Documentation=man:gammu-smsd(1) |
||
2029 | After=network.target mysql.service |
||
1376 | richard | 2030 | |
2601 | tom.houday | 2031 | [Service] |
2032 | Type=forking |
||
2033 | ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon |
||
2034 | ExecReload=/bin/kill -HUP $MAINPID |
||
2035 | ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid |
||
2036 | PIDFile=/var/run/gammu-smsd.pid |
||
2037 | |||
2038 | [Install] |
||
2039 | WantedBy=multi-user.target |
||
2040 | EOF |
||
2041 | |||
2314 | richard | 2042 | # Log folder for gammu-smsd |
2601 | tom.houday | 2043 | [ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd |
2044 | chmod 755 /var/log/gammu-smsd |
||
1376 | richard | 2045 | |
2552 | rexy | 2046 | # Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1) |
2047 | # normally not needed now since modeswitch is managed by udev (see Mageia RPM) |
||
2542 | rexy | 2048 | #cat << EOF > /lib/udev/rules.d/66-huawei.rules |
2049 | #KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode" |
||
2050 | #EOF |
||
2552 | rexy | 2051 | # Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time) |
2052 | # example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/ |
||
2053 | |||
2314 | richard | 2054 | } # End gammu_smsd() |
1376 | richard | 2055 | |
2552 | rexy | 2056 | ############################################################ |
2057 | ## Fonction "msec" ## |
||
2058 | ## - Apply the "fileserver" security level ## |
||
2059 | ## - remove the "system request" for rebboting ## |
||
2060 | ## - Fix several file permissions ## |
||
2061 | ############################################################ |
||
2202 | richard | 2062 | msec() |
2063 | { |
||
2064 | |||
2065 | # Apply fileserver security level |
||
2211 | richard | 2066 | [ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default |
2067 | echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf |
||
2202 | richard | 2068 | |
2203 | richard | 2069 | # Set permissions monitoring and enforcement |
2202 | richard | 2070 | cat <<EOF > /etc/security/msec/perm.local |
2071 | /var/log/firefwall/ root.apache 750 |
||
2072 | /var/log/firewall/* root.apache 640 |
||
2073 | /etc/security/msec/perm.local root.root 640 |
||
2074 | /etc/security/msec/level.local root.root 640 |
||
2075 | /etc/freeradius-web root.apache 750 |
||
2076 | /etc/freeradius-web/admin.conf root.apache 640 |
||
2420 | richard | 2077 | /etc/raddb/client.conf radius.radius 640 |
2078 | /etc/raddb/radius.conf radius.radius 640 |
||
2079 | /etc/raddb/mods-available/ldap radius.apache 660 |
||
2202 | richard | 2080 | /etc/raddb/sites-available/alcasar radius.apache 660 |
2081 | /etc/pki/* root.apache 750 |
||
2211 | richard | 2082 | /var/log/netflow/porttracker root.apache 770 |
2083 | /var/log/netflow/porttracker/* root.apache 660 |
||
2202 | richard | 2084 | EOF |
2454 | tom.houday | 2085 | # apply now hourly & daily checks |
2202 | richard | 2086 | /usr/sbin/msec |
2211 | richard | 2087 | /etc/cron.weekly/msec |
2202 | richard | 2088 | |
2314 | richard | 2089 | } # End msec() |
2202 | richard | 2090 | |
2304 | tom.houday | 2091 | |
2202 | richard | 2092 | ################################################################## |
2552 | rexy | 2093 | ## Fonction "letsencrypt" ## |
2094 | ## - Install Let's Encrypt client ## |
||
2095 | ## - Prepare Let's Encrypt ALCASAR configuration file ## |
||
2304 | tom.houday | 2096 | ################################################################## |
2097 | letsencrypt() |
||
2098 | { |
||
2099 | echo "Installing Let's Encrypt client..." |
||
2100 | |||
2586 | tom.houday | 2101 | # Remove potential old installers |
2102 | rm -rf /tmp/acme.sh-* |
||
2103 | |||
2304 | tom.houday | 2104 | # Extract acme.sh |
2105 | tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/ |
||
2106 | |||
2107 | pwdInstall=$(pwd) |
||
2688 | lucas.echa | 2108 | cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; } |
2304 | tom.houday | 2109 | |
2110 | acmesh_installDir="/opt/acme.sh" |
||
2111 | acmesh_confDir="/usr/local/etc/letsencrypt" |
||
2354 | tom.houday | 2112 | acmesh_userAgent="ALCASAR" |
2304 | tom.houday | 2113 | |
2114 | # Install acme.sh |
||
2115 | ./acme.sh --install \ |
||
2116 | --home $acmesh_installDir \ |
||
2117 | --config-home $acmesh_confDir/data \ |
||
2118 | --certhome $acmesh_confDir/certs \ |
||
2119 | --accountkey $acmesh_confDir/ca/account.key \ |
||
2120 | --accountconf $acmesh_confDir/data/account.conf \ |
||
2121 | --useragent $acmesh_userAgent \ |
||
2308 | tom.houday | 2122 | --nocron \ |
2123 | > /dev/null |
||
2304 | tom.houday | 2124 | |
2125 | if [ $? -ne 0 ]; then |
||
2126 | echo "Error during installation of Let's Encrypt client (acme.sh)." |
||
2127 | fi |
||
2128 | |||
2129 | # Create configuration file |
||
2130 | cat <<EOF > /usr/local/etc/alcasar-letsencrypt |
||
2131 | email= |
||
2132 | dateIssueRequest= |
||
2133 | domainRequest= |
||
2134 | challenge= |
||
2135 | dateIssued= |
||
2136 | dnsapi= |
||
2137 | dateNextRenewal= |
||
2138 | EOF |
||
2139 | |||
2688 | lucas.echa | 2140 | cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; } |
2304 | tom.houday | 2141 | rm -rf /tmp/acme.sh-* |
2142 | |||
2143 | } # END letsencrypt() |
||
2144 | |||
2145 | ################################################################## |
||
2552 | rexy | 2146 | ## Fonction "post_install" ## |
2147 | ## - Modifying banners (locals et ssh) & prompts ## |
||
2148 | ## - SSH config ## |
||
2149 | ## - sudoers config & files security ## |
||
2150 | ## - log rotate & ANSSI security parameters ## |
||
2151 | ## - Apply former conf in case of an update ## |
||
2152 | ################################################################## |
||
1 | root | 2153 | post_install() |
2154 | { |
||
2195 | richard | 2155 | # change the SSH banner |
2156 | cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh |
||
2157 | echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh |
||
5 | franck | 2158 | chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh |
1 | root | 2159 | [ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default |
2160 | $SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
||
2161 | $SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
||
793 | richard | 2162 | # postfix banner anonymisation |
2688 | lucas.echa | 2163 | $SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
1841 | richard | 2164 | chown -R postfix:postfix /var/lib/postfix |
2195 | richard | 2165 | # sshd liste on EXTIF & INTIF |
1548 | richard | 2166 | $SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\. |