WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
2454	tom.houday	2	# $Id: alcasar.sh 2693 2019-01-28 16:43:48Z franck $
1	root	3
		4	# alcasar.sh
2466	richard	5	# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
		6	# This script is distributed under the Gnu General Public License (GPL)
		7	# team@alcasar.net
959	franck	8
2454	tom.houday	9	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
1157	stephane	10	# Ce programme est un logiciel libre ; This software is free and open source
2454	tom.houday	11	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		12	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		13	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		14	# Voir la Licence Publique Générale GNU pour plus de détails.
959	franck	15
672	richard	16	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	17	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	18	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
2454	tom.houday	19	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
2466	richard	20
2688	lucas.echa	21	# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
1	root	22
		23	# Options :
376	franck	24	# -i or --install
		25	# -u or --uninstall
1	root	26
376	franck	27	# Functions :
1378	richard	28	# testing : connectivity tests, free space test and mageia version test
1221	richard	29	# init : Installation of RPM and scripts
		30	# network : Network parameters
2552	rexy	31	# ACC : ALCASAR Control Center installation
		32	# CA : Certification Authority initialization
1837	richard	33	# time_server : NTPd configuration
1221	richard	34	# init_db : Initilization of radius database managed with MariaDB
2421	richard	35	# freeradius : FreeRadius initialisation
1389	richard	36	# chilli : coovachilli initialisation (+authentication page)
2521	armand.ito	37	# e2guardian : E2Guardian filtering HTTP proxy configuration
1221	richard	38	# antivirus : HAVP + libclamav configuration
1485	richard	39	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	40	# ulogd : log system in userland (match NFLOG target of iptables)
2454	tom.houday	41	# nfsen : Configuration of Nfsen Netflow grapher
2688	lucas.echa	42	# unbound : Name server configuration
		43	# dnsmasq : Name server configuration (for whitelist ipset support)
1541	richard	44	# vnstat : little network stat daemon
2688	lucas.echa	45	# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
2202	richard	49	# msec : Mandriva security package configuration
2304	tom.houday	50	# letsencrypt : Let's Encrypt client
2552	rexy	51	# post_install : Security, log rotation, etc.
1	root	52
2499	tom.houday	53	DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function
1	root	54	DATE=`date '+%d %B %Y - %Hh%M'`
		55	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	56	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	57	mode="install"
1	root	58	# ***** Files parameters - paramètres fichiers *******
2552	rexy	59	DIR_INSTALL=`pwd` # current directory
1015	richard	60	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		61	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
2552	rexy	62	DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
		63	DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
		64	DIR_WEB="/var/www/html" # directory of Lighttpd
		65	DIR_DG="/etc/e2guardian" # directory of E2Guardian
		66	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
1015	richard	67	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		68	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
2688	lucas.echa	69	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance)
2552	rexy	70	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
1015	richard	71	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	72	# ***** DBMS parameters - paramètres SGBD ******
2552	rexy	73	DB_RADIUS="radius" # database name used by FreeRadius server
		74	DB_USER="radius" # user name allows to request the users database
		75	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	76	# ***** Network parameters - paramètres réseau *****
2552	rexy	77	HOSTNAME="alcasar" # default hostname
		78	DOMAIN="localdomain" # default local domain
2669	tom.houday	79	EXTIF='' # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		80	INTIF='' # INTIF is connected to the consultation network
1148	crox53	81	MTU="1500"
1243	richard	82	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	83	# **** Paths - chemin des commandes *****
		84	SED="/bin/sed -i"
		85	# **************** End of global parameters *******************
		86
959	franck	87	license ()
		88	{
		89	if [ $Lang == "fr" ]
1538	richard	90	then
		91	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		92	else
		93	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	94	fi
1538	richard	95	response=0
		96	PTN='^[oOyYnN]$'
		97	until [[ $(expr $response : $PTN) -gt 0 ]]
		98	do
		99	if [ $Lang == "fr" ]
1563	franck	100	then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
1538	richard	101	else echo -n "Do you accept the terms of this license (Y/n)? : "
		102	fi
		103	read response
		104	done
		105	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		106	then
		107	exit 1
		108	fi
959	franck	109	}
		110
1	root	111	header_install ()
		112	{
		113	clear
		114	echo "-----------------------------------------------------------------------------"
460	richard	115	echo " ALCASAR V$VERSION Installation"
1	root	116	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		117	echo "-----------------------------------------------------------------------------"
1389	richard	118	}
1	root	119
2552	rexy	120	########################################################
		121	## Function "testing" ##
		122	## - Test Mageia version ##
		123	## - Test ALCASAR version (if already installed) ##
		124	## - Test free space on /var (>10G) ##
		125	## - Test Internet access ##
		126	########################################################
29	richard	127	testing ()
		128	{
1529	richard	129	# Test of Mageia version
		130	# extract the current Mageia version and hardware architecture (i586 ou X64)
		131	fic=`cat /etc/product.id`
		132	unknown_os=0
		133	old="$IFS"
		134	IFS=","
		135	set $fic
2688	lucas.echa	136	for i in "$@"
1529	richard	137	do
		138	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
2454	tom.houday	139	then
1529	richard	140	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		141	unknown_os=`expr $unknown_os + 1`
		142	fi
		143	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
2454	tom.houday	144	then
1529	richard	145	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		146	unknown_os=`expr $unknown_os + 1`
		147	fi
		148	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
2454	tom.houday	149	then
1529	richard	150	ARCH=`echo $i\|cut -d"=" -f2`
		151	unknown_os=`expr $unknown_os + 1`
		152	fi
		153	done
2669	tom.houday	154	if [ "$ARCH" != "x86_64" ]
2149	richard	155	then
		156	if [ $Lang == "fr" ]
2669	tom.houday	157	then echo "Votre architecture matérielle doit être en 64bits"
		158	else echo "You hardware architecture must be 64bits"
2149	richard	159	fi
2482	lucas.echa	160	exit 1
2149	richard	161	fi
1529	richard	162	IFS="$old"
2669	tom.houday	163	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "6" ) ]]
2688	lucas.echa	164	then
2669	tom.houday	165	if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
		166	then
		167	echo
		168	if [ $Lang == "fr" ]
		169	then
		170	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
		171	echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
		172	echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
		173	echo "3 - Importez votre base des usagers"
		174	else
		175	echo "The automatic update of ALCASAR can't be performed."
		176	echo "1 - Save your traceability files and the user database"
		177	echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
		178	echo "3 - Import your users database"
		179	fi
		180	else
		181	if [ $Lang == "fr" ]
		182	then echo "L'installation d'ALCASAR ne peut pas être réalisée."
		183	else echo "The installation of ALCASAR can't be performed."
		184	fi
		185	fi
		186	echo
		187	if [ $Lang == "fr" ]
		188	then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
		189	else echo "The OS must be replaced (Mageia6-64bits)"
		190	fi
2688	lucas.echa	191	exit 1
2669	tom.houday	192	fi
		193
1362	richard	194	# Test if ALCASAR is already installed
		195	if [ -e $CONF_FILE ]
		196	then
2396	tom.houday	197	current_version=`grep ^VERSION= $CONF_FILE \| cut -d"=" -f2`
1342	richard	198	if [ $Lang == "fr" ]
2669	tom.houday	199	then echo "La version $current_version d'ALCASAR est déjà installée"
		200	else echo "ALCASAR version $current_version is already installed"
1342	richard	201	fi
1362	richard	202	response=0
2458	richard	203	PTN='^[12]$'
1362	richard	204	until [[ $(expr $response : $PTN) -gt 0 ]]
		205	do
		206	if [ $Lang == "fr" ]
2669	tom.houday	207	then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
		208	else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
2499	tom.houday	209	fi
1362	richard	210	read response
		211	done
2458	richard	212	if [ "$response" = "2" ]
1362	richard	213	then
2560	rexy	214	rm -f /var/tmp/alcasar-conf*
1362	richard	215	else
1684	richard	216	# Retrieve former NICname
2549	tom.houday	217	EXTIF_saved=`grep ^EXTIF= $CONF_FILE \| cut -d'=' -f2-` # EXTernal InterFace
		218	INTIF_saved=`grep ^INTIF= $CONF_FILE \| cut -d'=' -f2-` # INTernal InterFace
2688	lucas.echa	219	[ "$(/usr/sbin/ip link \| grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved \|\| echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
		220	[ "$(/usr/sbin/ip link \| grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved \|\| echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
1564	richard	221	# Create the current conf file
1362	richard	222	$DIR_SCRIPTS/alcasar-conf.sh --create
		223	mode="update"
		224	fi
1529	richard	225	fi
2669	tom.houday	226	# Test free space on /var
1529	richard	227	if [ ! -d /var/log/netflow/porttracker ]
		228	then
2688	lucas.echa	229	free_space=`df -BG --output=avail /var\|tail -1\|tr -d '[:space:]G'`
1529	richard	230	if [ $free_space -lt 10 ]
		231	then
		232	if [ $Lang == "fr" ]
		233	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		234	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		235	fi
		236	exit 0
		237	fi
		238	fi
2669	tom.houday	239
		240	# Detect external/internal interfaces
		241	if [ -z "$EXTIF" ]; then
		242	EXTIF=$(/usr/sbin/ip route list \| awk '/^default / {print $5}')
		243	if [ -z "$EXTIF" ]; then
		244	if [ "$Lang" == 'fr' ]
		245	then echo -n "Aucune passerelle par défaut configurée"
		246	else echo -n "No default gateway configured"
		247	fi
		248	exit 1
		249	fi
		250	fi
		251	if [ "$Lang" == 'fr' ]
		252	then echo "Interface externe (Internet) utilisée : $EXTIF"
		253	else echo "External interface (Internet) used: $EXTIF"
		254	fi
		255
		256	if [ -z "$INTIF" ]; then
		257	interfacesList=$(/usr/sbin/ip -br link show \| cut -d' ' -f1 \| grep -v "^$lo\\|tun0\\|$EXTIF$\$")
		258	interfacesCount=$(echo "$interfacesList" \| wc -l)
		259	if [ $interfacesCount -eq 0 ]; then
		260	if [ "$Lang" == 'fr' ]
		261	then echo "Aucune interface de disponible pour le réseau interne"
		262	else echo "No interface available for the internal network"
		263	fi
		264	exit 1
		265	elif [ $interfacesCount -eq 1 ]; then
		266	INTIF="$interfacesList"
		267	else
		268	interfacesSorted=$(/usr/sbin/ip -br addr \| grep -v "^$lo\\|tun0\\|$EXTIF$ " \| sort -b -k3n -k2r -k1)
		269	interfacePreferred=$(echo "$interfacesSorted" \| head -1 \| cut -d' ' -f1)
		270
		271	if [ "$Lang" == 'fr' ]
		272	then echo 'Liste des interfaces disponible :'
		273	else echo 'List of available interfaces:'
		274	fi
		275	echo "$interfacesSorted"
		276	response=''
		277	while true; do
		278	if [ "$Lang" == 'fr' ]
		279	then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
		280	else echo -n "Choice of internal interface ? [$interfacePreferred] "
		281	fi
		282	read response
		283
		284	[ -z "$response" ] && response="$interfacePreferred"
		285
		286	# Check if interface exist
2688	lucas.echa	287	if [ "$(echo "$interfacesList" \| grep -c "^$response\$")" -eq 1 ]; then
2669	tom.houday	288	INTIF="$response"
		289	break
		290	else
		291	if [ "$Lang" == 'fr' ]
		292	then echo "Interface \"$response\" introuvable"
		293	else echo "Interface \"$response\" not found"
		294	fi
		295	fi
		296	done
		297	fi
		298	fi
		299	if [ "$Lang" == 'fr' ]
		300	then echo "Interface interne utilisée : $INTIF"
		301	else echo "Internal interface used: $INTIF"
		302	fi
		303
2290	richard	304	if [ $Lang == "fr" ]
		305	then echo -n "Tests des paramètres réseau : "
2549	tom.houday	306	else echo -n "Network parameters tests: "
2290	richard	307	fi
		308	# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
2688	lucas.echa	309	cd /etc/sysconfig/network-scripts/ \|\| { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
2290	richard	310	IF_INTERFACES=`ls ifcfg-\|cut -d"-" -f2\|grep -v "^lo"\|cut -d"" -f1`
2282	richard	311	for i in $IF_INTERFACES
		312	do
2688	lucas.echa	313	if [ "$(/usr/sbin/ip link \| grep -c " $i:")" -eq 0 ]; then
2282	richard	314	rm -f ifcfg-$i
2454	tom.houday	315
2282	richard	316	if [ $Lang == "fr" ]
		317	then echo "Suppression : ifcfg-$i"
2549	tom.houday	318	else echo "Deleting: ifcfg-$i"
2282	richard	319	fi
		320	fi
		321	done
2688	lucas.echa	322	cd $DIR_INSTALL \|\| { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2290	richard	323	echo -n "."
2454	tom.houday	324	# Test Ethernet NIC links state
2669	tom.houday	325	interfacesDown=$(/usr/sbin/ip -br link \| grep "^$$EXTIF\\|$INTIF$ " \| grep 'NO-CARRIER' \| cut -d' ' -f1)
		326	if [ ! -z "$interfacesDown" ]; then
		327	for i in $interfacesDown; do
		328	if [ $Lang == "fr" ]
		329	then
		330	echo -e "\nÉchec"
		331	echo "Le lien réseau de la carte $i n'est pas actif."
		332	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		333	else
		334	echo -e "\nFailed"
		335	echo "The link state of $i interface is down."
		336	echo "Make sure that this network card is connected to a switch or an A.P."
		337	fi
		338	done
		339	exit 1
		340	fi
1471	richard	341	echo -n "."
		342	# Test EXTIF config files
2681	tom.houday	343	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF \| grep '^\s*inet\s' \| awk '{ print $2 }'`
		344	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d'/' -f1`
2673	tom.houday	345	PUBLIC_GATEWAY=`/usr/sbin/ip route list \| awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
2688	lucas.echa	346	if [ "$(echo $PUBLIC_IP\|wc -c)" -lt 7 ] \|\| [ "$(echo $PUBLIC_GATEWAY\|wc -c)" -lt 7 ]
1471	richard	347	then
784	richard	348	if [ $Lang == "fr" ]
2454	tom.houday	349	then
2669	tom.houday	350	echo -e "\nÉchec"
784	richard	351	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		352	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	353	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	354	else
2669	tom.houday	355	echo -e "\nFailed"
784	richard	356	echo "The Internet connected network card ($EXTIF) isn't well configured."
		357	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
2669	tom.houday	358	echo "Apply the new configuration: 'systemctl restart network'"
784	richard	359	fi
830	richard	360	echo "DEVICE=$EXTIF"
784	richard	361	echo "IPADDR="
		362	echo "NETMASK="
		363	echo "GATEWAY="
		364	echo "DNS1="
		365	echo "DNS2="
830	richard	366	echo "ONBOOT=yes"
2669	tom.houday	367	exit 1
784	richard	368	fi
		369	echo -n "."
2290	richard	370	# Test if default GW is set on EXTIF (router or ISP provider equipment)
2688	lucas.echa	371	if [ "$(/usr/sbin/ip route list\|grep " $EXTIF "\|grep -c '^default ')" -ne 1 ] ; then
595	richard	372	if [ $Lang == "fr" ]
2454	tom.houday	373	then
2669	tom.houday	374	echo -e "\nÉchec"
595	richard	375	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		376	echo "Réglez ce problème puis relancez ce script."
		377	else
2669	tom.houday	378	echo -e "\nFailed"
595	richard	379	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		380	echo "Resolv this problem, then restart this script."
		381	fi
2669	tom.houday	382	exit 1
29	richard	383	fi
308	richard	384	echo -n "."
2290	richard	385	# Test if default GW is alive
1499	richard	386	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
2688	lucas.echa	387	if [ "$(expr $arp_reply)" -eq 0 ]
2454	tom.houday	388	then
595	richard	389	if [ $Lang == "fr" ]
2454	tom.houday	390	then
2669	tom.houday	391	echo -e "\nÉchec"
2290	richard	392	echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	393	echo "Réglez ce problème puis relancez ce script."
		394	else
2669	tom.houday	395	echo -e "\nFailed"
2290	richard	396	echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
595	richard	397	echo "Resolv this problem, then restart this script."
		398	fi
2669	tom.houday	399	exit 1
308	richard	400	fi
		401	echo -n "."
2290	richard	402	# Test Internet connectivity
2669	tom.houday	403	domainTested='www.google.com'
		404	/usr/bin/curl -s --head "$domainTested" &>/dev/null
		405	if [ $? -ne 0 ]; then
595	richard	406	if [ $Lang == "fr" ]
2454	tom.houday	407	then
2669	tom.houday	408	echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
595	richard	409	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		410	echo "Vérifiez la validité des adresses IP des DNS."
		411	else
2669	tom.houday	412	echo -e "\nThe Internet connection try failed ($domainTested)."
595	richard	413	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		414	echo "Verify the DNS IP addresses"
		415	fi
2669	tom.houday	416	exit 1
29	richard	417	fi
308	richard	418	echo ". : ok"
1389	richard	419	} # end of testing ()
302	richard	420
2552	rexy	421	#######################################################################
		422	## Function "init" ##
		423	## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
		424	## - Creation of random password for GRUB, mariadb (admin and user) ##
		425	#######################################################################
302	richard	426	init ()
		427	{
527	richard	428	if [ "$mode" != "update" ]
302	richard	429	then
		430	# On affecte le nom d'organisme
597	richard	431	header_install
302	richard	432	ORGANISME=!
		433	PTN='^[a-zA-Z0-9-]*$'
580	richard	434	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
2454	tom.houday	435	do
595	richard	436	if [ $Lang == "fr" ]
2454	tom.houday	437	then echo -n "Entrez le nom de votre organisme : "
597	richard	438	else echo -n "Enter the name of your organism : "
595	richard	439	fi
330	franck	440	read ORGANISME
613	richard	441	if [ "$ORGANISME" == "" ]
2688	lucas.echa	442	then
330	franck	443	ORGANISME=!
		444	fi
		445	done
302	richard	446	fi
1	root	447	# On crée aléatoirement les mots de passe et les secrets partagés
2419	richard	448	# We create random passwords and shared secrets
628	richard	449	rm -f $PASSWD_FILE
2419	richard	450	echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
2688	lucas.echa	451	grub2pwd=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c8`
2454	tom.houday	452	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) \| \
		453	LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 \| \
		454	grep -v '[eE]nter password:' \| \
		455	sed -e "s/PBKDF2 hash of your password is //"`
		456	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
		457	[ -e /root/grub.default ] \|\| cp /etc/grub.d/10_linux /root/grub.default
		458	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry)
		459	chmod 0600 /boot/grub2/user.cfg
2419	richard	460	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
2454	tom.houday	461	echo "GRUB2_user=root" >> $PASSWD_FILE
		462	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
2688	lucas.echa	463	mysqlpwd=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c16`
2419	richard	464	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
2412	tom.houday	465	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
2688	lucas.echa	466	radiuspwd=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c16`
2419	richard	467	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
2421	richard	468	echo "db_user=$DB_USER" >> $PASSWD_FILE
		469	echo "db_password=$radiuspwd" >> $PASSWD_FILE
2688	lucas.echa	470	secretuam=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c16`
2412	tom.houday	471	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
		472	echo "secret_uam=$secretuam" >> $PASSWD_FILE
2688	lucas.echa	473	secretradius=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c16`
2412	tom.houday	474	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
		475	echo "secret_radius=$secretradius" >> $PASSWD_FILE
628	richard	476	chmod 640 $PASSWD_FILE
1828	richard	477	# copy scripts in in /usr/local/bin
2664	tom.houday	478	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
1828	richard	479	# copy conf files in /usr/local/etc
1954	richard	480	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
1828	richard	481	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
628	richard	482	# generate central conf file
		483	cat <<EOF > $CONF_FILE
612	richard	484	##########################################
		485	## ##
		486	## ALCASAR Parameters ##
		487	## ##
		488	##########################################
1	root	489
612	richard	490	INSTALL_DATE=$DATE
		491	VERSION=$VERSION
		492	ORGANISM=$ORGANISME
1748	richard	493	HOSTNAME=$HOSTNAME
923	franck	494	DOMAIN=$DOMAIN
612	richard	495	EOF
628	richard	496	chmod o-rwx $CONF_FILE
1	root	497	} # End of init ()
		498
2552	rexy	499	#########################################################
		500	## Function "network" ##
		501	## - Define the several network address ##
		502	## - Define the DNS naming ##
		503	## - INTIF parameters (consultation network) ##
		504	## - Write "/etc/hosts" file ##
		505	## - write "hosts.allow" & "hosts.deny" files ##
		506	#########################################################
1	root	507	network ()
		508	{
		509	header_install
636	richard	510	if [ "$mode" != "update" ]
		511	then
		512	if [ $Lang == "fr" ]
		513	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		514	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		515	fi
		516	response=0
		517	PTN='^[oOyYnN]$'
		518	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	519	do
595	richard	520	if [ $Lang == "fr" ]
659	richard	521	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	522	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	523	fi
1	root	524	read response
		525	done
636	richard	526	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		527	then
		528	PRIVATE_IP_MASK="0"
		529	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		530	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	531	do
595	richard	532	if [ $Lang == "fr" ]
597	richard	533	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		534	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	535	fi
597	richard	536	read PRIVATE_IP_MASK
1	root	537	done
636	richard	538	else
2688	lucas.echa	539	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
636	richard	540	fi
595	richard	541	else
2454	tom.houday	542	PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf\|cut -d"=" -f2`
637	richard	543	rm -rf conf/etc/alcasar.conf
1	root	544	fi
861	richard	545	# Define LAN side global parameters
1740	richard	546	hostnamectl set-hostname $HOSTNAME.$DOMAIN
977	richard	547	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	548	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	549	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	550	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	551	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	552	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
2688	lucas.echa	553	then
2454	tom.houday	554	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
1499	richard	555	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
2454	tom.houday	556	fi
1499	richard	557	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		558	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	559	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	560	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	561	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
1828	richard	562	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF
841	richard	563	# Define Internet parameters
2464	richard	564	if [ "$mode" != "update" ]
2457	richard	565	then
2464	richard	566	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF \| grep '^DNS1='\| cut -d"=" -f2` # 1st DNS server
		567	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF \| grep '^DNS2=' \| cut -d"=" -f2` # 2nd DNS server
		568	else
		569	DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF \| grep '^DNS1=' \| cut -d"=" -f2` # 1st DNS server
		570	DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF \| grep '^DNS2=' \| cut -d"=" -f2` # 2nd DNS server
		571	fi
2693	franck	572	DNS1=${DNS1:=208.67.220.220}
70	franck	573	DNS2=${DNS2:=208.67.222.222}
2693	franck	574	# if [ "$DNS1" == "" ]
		575	# then
		576	# if [ $Lang == "fr" ]
		577	# then
		578	# echo "L'adresse IP des serveurs DNS ne sont pas corrects"
		579	# echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
		580	# else
		581	# echo "The IP address of DNS servers are not set correctly"
		582	# echo "Check the extern network card configuration ($EXTIF)"
		583	# fi
		584	# exit 0
		585	# fi
1499	richard	586	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	587	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	588	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
2552	rexy	589	# Write network parameters in the conf file
1469	richard	590	echo "EXTIF=$EXTIF" >> $CONF_FILE
		591	echo "INTIF=$INTIF" >> $CONF_FILE
2282	richard	592	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
		593	INTERFACES=`/usr/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "^lo\\|$EXTIF\\|tun0"\|cut -d " " -f2\|tr -d ":"`
		594	for i in $INTERFACES
		595	do
		596	SUB=`echo ${i:0:2}`
		597	if [ $SUB = "wl" ]
		598	then WIFIF=$i
2454	tom.houday	599	elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
2282	richard	600	then LANIF=$i
		601	fi
		602	done
		603	if [ -n "$WIFIF" ]
		604	then echo "WIFIF=$WIFIF" >> $CONF_FILE
		605	elif [ -n "$LANIF" ]
		606	then echo "LANIF=$LANIF" >> $CONF_FILE
		607	fi
2454	tom.houday	608	#########################################################################################################
2552	rexy	609	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # test static or dynamic
1499	richard	610	if [ $IP_SETTING == "dhcp" ]
2688	lucas.echa	611	then
1499	richard	612	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
1585	richard	613	echo "GW=dhcp" >> $CONF_FILE
1499	richard	614	else
		615	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
1585	richard	616	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
1499	richard	617	fi
1587	richard	618	echo "DNS1=$DNS1" >> $CONF_FILE
		619	echo "DNS2=$DNS2" >> $CONF_FILE
994	franck	620	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	621	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	622	echo "DHCP=on" >> $CONF_FILE
914	franck	623	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		624	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		625	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1610	franck	626	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
		627	echo "INT_DNS_IP=none" >> $CONF_FILE
		628	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
1499	richard	629	# network default
597	richard	630	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	631	cat <<EOF > /etc/sysconfig/network
		632	NETWORKING=yes
		633	FORWARD_IPV4=true
		634	EOF
2552	rexy	635	# write "/etc/hosts"
1	root	636	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		637	cat <<EOF > /etc/hosts
503	richard	638	127.0.0.1 localhost
2558	rexy	639	$PRIVATE_IP $HOSTNAME
1	root	640	EOF
2552	rexy	641	# write EXTIF (Internet) config
1499	richard	642	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		643	if [ $IP_SETTING == "dhcp" ]
2688	lucas.echa	644	then
1499	richard	645	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	646	DEVICE=$EXTIF
1585	richard	647	BOOTPROTO=dhcp
		648	DNS1=127.0.0.1
		649	PEERDNS=no
		650	RESOLV_MODS=yes
		651	ONBOOT=yes
1613	franck	652	NOZEROCONF=yes
1585	richard	653	METRIC=10
		654	MII_NOT_SUPPORTED=yes
		655	IPV6INIT=no
		656	IPV6TO4INIT=no
		657	ACCOUNTING=no
		658	USERCTL=no
		659	MTU=$MTU
		660	EOF
2688	lucas.echa	661	else
1585	richard	662	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		663	DEVICE=$EXTIF
14	richard	664	BOOTPROTO=static
597	richard	665	IPADDR=$PUBLIC_IP
		666	NETMASK=$PUBLIC_NETMASK
		667	GATEWAY=$PUBLIC_GATEWAY
14	richard	668	DNS1=127.0.0.1
1499	richard	669	RESOLV_MODS=yes
14	richard	670	ONBOOT=yes
		671	METRIC=10
1610	franck	672	NOZEROCONF=yes
14	richard	673	MII_NOT_SUPPORTED=yes
		674	IPV6INIT=no
		675	IPV6TO4INIT=no
		676	ACCOUNTING=no
		677	USERCTL=no
994	franck	678	MTU=$MTU
14	richard	679	EOF
1499	richard	680	fi
2552	rexy	681	# write INTIF (consultation LAN) in normal mode
841	richard	682	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		683	DEVICE=$INTIF
		684	BOOTPROTO=static
		685	ONBOOT=yes
		686	NOZEROCONF=yes
		687	MII_NOT_SUPPORTED=yes
		688	IPV6INIT=no
		689	IPV6TO4INIT=no
		690	ACCOUNTING=no
		691	USERCTL=no
		692	EOF
1558	richard	693	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
2552	rexy	694	# write INTIF in bypass mode (see "alcasar-bypass.sh")
1554	richard	695	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
1	root	696	DEVICE=$INTIF
		697	BOOTPROTO=static
		698	IPADDR=$PRIVATE_IP
604	richard	699	NETMASK=$PRIVATE_NETMASK
1	root	700	ONBOOT=yes
		701	METRIC=10
		702	NOZEROCONF=yes
		703	MII_NOT_SUPPORTED=yes
14	richard	704	IPV6INIT=no
		705	IPV6TO4INIT=no
		706	ACCOUNTING=no
		707	USERCTL=no
1	root	708	EOF
2282	richard	709	######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
		710	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
		711	then
		712	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
		713	DEVICE=$WIFIF
		714	BOOTPROTO=static
		715	ONBOOT=yes
		716	NOZEROCONF=yes
		717	MII_NOT_SUPPORTED=yes
		718	IPV6INIT=no
		719	IPV6TO4INIT=no
		720	ACCOUNTING=no
		721	USERCTL=no
		722	EOF
		723	elif [ -n "$LANIF" ]
		724	then
		725	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
		726	DEVICE=$LANIF
		727	BOOTPROTO=static
		728	ONBOOT=yes
		729	NOZEROCONF=yes
		730	MII_NOT_SUPPORTED=yes
		731	IPV6INIT=no
		732	IPV6TO4INIT=no
		733	ACCOUNTING=no
		734	USERCTL=no
		735	EOF
		736	fi
2454	tom.houday	737	#########################################################################################################
2552	rexy	738	# write hosts.allow & hosts.deny
1	root	739	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		740	cat <<EOF > /etc/hosts.allow
		741	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	742	sshd: ALL
1	root	743	ntpd: $PRIVATE_NETWORK_SHORT
		744	EOF
		745	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		746	cat <<EOF > /etc/hosts.deny
		747	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		748	EOF
790	richard	749	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	750	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	751	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	752	# load conntrack ftp module
		753	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
1705	richard	754	echo "nf_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	755	# load ipt_NETFLOW module
		756	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	757	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
2688	lucas.echa	758	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		759	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		760	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
		761	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
2454	tom.houday	762	#
860	richard	763	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	764	} # End of network ()
		765
2552	rexy	766	###################################################
		767	## Function "ACC" ##
		768	## - copy ALCASAR Control Center (ACC) files ##
		769	## - configuration of the web server (Lighttpd) ##
		770	## - creation of the first ACC admin account ##
		771	## - secure the ACC access ##
		772	###################################################
1221	richard	773	ACC ()
1	root	774	{
		775	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		776	mkdir $DIR_WEB
1833	richard	777	# Copy & adapt ACC files
316	richard	778	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
		779	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		780	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		781	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		782	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		783	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	784	chown -R apache:apache $DIR_WEB/*
1833	richard	785	# copy & adapt "freeradius-web" files
		786	cp -rf $DIR_CONF/freeradius-web/ /etc/
		787	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
		788	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
		789	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		790	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		791	cat <<EOF > /etc/freeradius-web/naslist.conf
		792	nas1_name: alcasar-$ORGANISME
		793	nas1_model: Network Access Controler
		794	nas1_ip: $PRIVATE_IP
		795	nas1_port_num: 0
		796	nas1_community: public
		797	EOF
		798	chown -R apache:apache /etc/freeradius-web/
		799	# create the log & backup structure :
1489	richard	800	# - base = users database
		801	# - archive = tarball of "base + http firewall + netflow"
1833	richard	802	# - security = watchdog log
2138	richard	803	for i in base archive security activity_report;
1	root	804	do
		805	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		806	done
5	franck	807	chown -R root:apache $DIR_SAVE
1833	richard	808	# Configuring & securing php
71	richard	809	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	810	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		811	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	812	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		813	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
2397	tom.houday	814	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
		815	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
71	richard	816	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		817	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
2397	tom.houday	818	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
2488	lucas.echa	819	# Configuring & securing Lighttpd
790	richard	820	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
2488	lucas.echa	821	[ -e /etc/lighttpd/lighttpd.conf.default ] \|\| cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
		822	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
2688	lucas.echa	823	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
		824	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
2488	lucas.echa	825	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
		826	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
2592	rexy	827
		828	[ -e /etc/lighttpd/modules.conf.default ] \|\| cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
2488	lucas.echa	829	$SED "s?^#[ ]\"mod_auth\",.? \"mod_auth\",?g" /etc/lighttpd/modules.conf
		830	$SED "s?^#[ ]\"mod_alias\",.? \"mod_alias\",?g" /etc/lighttpd/modules.conf
		831	$SED "s?^#[ ]\"mod_redirect\",.? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
		832	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
		833
2592	rexy	834	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] \|\| cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
		835
		836	[ -e /etc/php-fpm.conf.default ] \|\| cp /etc/php-fpm.conf /etc/php-fpm.conf.default
		837	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
		838	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
		839	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
		840
		841	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
		842
		843	[ -d /etc/lighttpd/vhosts.d ] \|\| mkdir /etc/lighttpd/vhosts.d
		844	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
2688	lucas.echa	845	$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
		846	$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
		847	$SED "s/^$[\t ]$var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
		848	$SED "s/^$[\t ]$var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
2593	rexy	849	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
2592	rexy	850
2588	rexy	851	[ -d /var/log/lighttpd ] \|\| mkdir /var/log/lighttpd
		852	[ -e /var/log/lighttpd/access.log ] \|\| touch /var/log/lighttpd/access.log
		853	[ -e /var/log/lighttpd/error.log ] \|\| touch /var/log/lighttpd/error.log
2688	lucas.echa	854
2588	rexy	855	chown -R apache:apache /var/log/lighttpd
2488	lucas.echa	856	/usr/bin/systemctl start lighttpd
2499	tom.houday	857	/usr/bin/systemctl start php-fpm
2488	lucas.echa	858
2552	rexy	859	# Creation of the first account (in 'admin' profile)
2293	tom.houday	860	if [ "$mode" = "install" ]
2688	lucas.echa	861	then
		862	header_install
1268	richard	863	# Creation of keys file for the admin account ("admin")
2688	lucas.echa	864	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		865	mkdir -p $DIR_DEST_ETC/digest
		866	chmod 755 $DIR_DEST_ETC/digest
		867	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		868	do
		869	$DIR_DEST_BIN/alcasar-profil.sh --add admin
		870	done
2293	tom.houday	871	fi
2488	lucas.echa	872
2561	rexy	873	# Run after coova (in order to wait tun0 to be up)
2488	lucas.echa	874	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
2293	tom.houday	875	# Log file for ACC access imputability
		876	[ -e /var/Save/security/acc_access.log ] \|\| touch /var/Save/security/acc_access.log
		877	chown root:apache /var/Save/security/acc_access.log
		878	chmod 664 /var/Save/security/acc_access.log
1389	richard	879	} # End of ACC ()
1	root	880
2552	rexy	881	##################################################################
		882	## Fonction "CA" ##
		883	## - Creating the CA and the server certificate (lighttpd) ##
		884	##################################################################
1221	richard	885	CA ()
1	root	886	{
510	richard	887	$DIR_DEST_BIN/alcasar-CA.sh
5	franck	888	chown -R root:apache /etc/pki
1	root	889	chmod -R 750 /etc/pki
1389	richard	890	} # End of CA ()
1	root	891
2552	rexy	892	#############################################################
		893	## Function "time_server" ##
		894	## - Configuring NTP server ##
		895	#############################################################
1837	richard	896	time_server ()
		897	{
		898	# Set the Internet time server
		899	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		900	cat <<EOF > /etc/ntp/step-tickers
		901	0.fr.pool.ntp.org # adapt to your country
		902	1.fr.pool.ntp.org
		903	2.fr.pool.ntp.org
		904	EOF
		905	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		906	cat <<EOF > /etc/ntp.conf
		907	server 0.fr.pool.ntp.org # adapt to your country
		908	server 1.fr.pool.ntp.org
		909	server 2.fr.pool.ntp.org
		910	server 127.127.1.0 # local clock si NTP internet indisponible ...
		911	fudge 127.127.1.0 stratum 10
		912	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
		913	restrict 127.0.0.1
		914	driftfile /var/lib/ntp/drift
		915	logfile /var/log/ntp.log
		916	disable monitor
		917	EOF
		918	chown -R ntp:ntp /var/lib/ntp
		919	# Synchronize now
2688	lucas.echa	920	ntpd -4 -q -g &
1837	richard	921	} # End of time_server ()
		922
2541	rexy	923	#####################################################################
		924	## Function "init_db" ##
		925	## - Mysql initialization ##
		926	## - Set admin (root) password ##
		927	## - Remove unused users & databases ##
		928	## - Radius database creation ##
		929	## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
		930	#####################################################################
1	root	931	init_db ()
		932	{
2688	lucas.echa	933	if [ "`systemctl is-active mysqld`" == "active" ]
1990	richard	934	then
		935	systemctl stop mysqld
		936	fi
1355	richard	937	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	938	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
1355	richard	939	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1979	richard	940	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
1980	richard	941	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
		942	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed
2591	rexy	943	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
2416	richard	944	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
		945	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
		946	/usr/bin/systemctl start mysqld
1963	richard	947	nb_round=1
1981	richard	948	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
1963	richard	949	do
		950	nb_round=`expr $nb_round + 1`
		951	sleep 2
		952	done
1981	richard	953	if [ ! -S /var/lib/mysql/mysql.sock ]
1963	richard	954	then
1981	richard	955	echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
1963	richard	956	exit
1955	richard	957	fi
1355	richard	958	# Secure the server
2688	lucas.echa	959	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON . TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
		960
2416	richard	961	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
2688	lucas.echa	962	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		963	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	964	# Create 'radius' database
2688	lucas.echa	965	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	966	# Add an empty radius database structure
2688	lucas.echa	967	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
615	richard	968	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	969	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
2416	richard	970	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		971	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
		972	/usr/bin/systemctl unset-environment MYSQLD_OPTS
1574	richard	973	/usr/bin/systemctl daemon-reload
1389	richard	974	} # End of init_db ()
1	root	975
2423	richard	976	###################################################################
		977	## Function "freeradius" ##
		978	## - Set the configuration files ##
		979	## - Set the shared secret between coova-chilli and freeradius ##
		980	## - Adapt the Mysql conf file and counters ##
		981	###################################################################
2421	richard	982	freeradius ()
1	root	983	{
1800	richard	984	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1	root	985	chown -R radius:radius /etc/raddb
		986	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
2420	richard	987	# Set radius global parameters (radius.conf)
1	root	988	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		989	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		990	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
2420	richard	991	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
		992	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
2419	richard	993
2501	tom.houday	994	# Add ALCASAR dictionary
		995	cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
2512	tom.houday	996	echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
		997	# Add CoovaChilli dictionary
		998	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
		999	echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
2420	richard	1000	# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1	root	1001	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		1002	cat << EOF > /etc/raddb/clients.conf
2438	richard	1003	client localhost {
		1004	ipaddr = 127.0.0.1
1	root	1005	secret = $secretradius
2438	richard	1006	shortname = chilli
2454	tom.houday	1007	nas_type = other
1	root	1008	}
		1009	EOF
2420	richard	1010	# Set Virtual server (remvove all except "alcasar virtual site")
		1011	rm -f /etc/raddb/sites-enabled/*
2467	richard	1012	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
		1013	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
		1014	chown radius:apache /etc/raddb/sites-available/alcasar*
		1015	chmod 660 /etc/raddb/sites-available/alcasar*
2420	richard	1016	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
2454	tom.houday	1017	# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
2420	richard	1018
2454	tom.houday	1019	# Set modules
2465	richard	1020	# Add custom LDAP "available module"
		1021	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
		1022	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
2422	richard	1023	# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
2454	tom.houday	1024	rm -rf /etc/raddb/mods-enabled/*
2615	tom.houday	1025	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
2454	tom.houday	1026	do
		1027	ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
		1028	done
2423	richard	1029	# Configure SQL mod
2420	richard	1030	[ -e /etc/raddb/mods-available/sql.default ] \|\| cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
2423	richard	1031	$SED "s?^[\t ]driver =.?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
		1032	$SED "s?^[\t ]dialect =.?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
2420	richard	1033	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
2423	richard	1034	$SED "s?^#[\t ]server =.?server = \"localhost\"?g" /etc/raddb/mods-available/sql
		1035	$SED "s?^#[\t ]port =.?port = \"3306\"?g" /etc/raddb/mods-available/sql
		1036	$SED "s?^#[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
		1037	$SED "s?^#[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
2454	tom.houday	1038	# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
2420	richard	1039	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] \|\| cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
		1040	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
		1041	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
2421	richard	1042	# sqlcounter modifications
2470	richard	1043	[ -e /etc/raddb/mods-available/sqlcounter.default ] \|\| cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
		1044	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
		1045	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
2421	richard	1046	# make certain that mysql is up before freeradius start
1358	richard	1047	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		1048	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1574	richard	1049	/usr/bin/systemctl daemon-reload
2597	tom.houday	1050	# Allow apache to change some conf files (ie : ldap on/off)
		1051	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
2421	richard	1052	} # End freeradius ()
1	root	1053
2423	richard	1054	#############################################################################
2552	rexy	1055	## Function "chilli" ##
2423	richard	1056	## - Creation of the conf file and init file (systemd) for coova-chilli ##
		1057	## - Adapt the authentication web page (intercept.php) ##
		1058	#############################################################################
1389	richard	1059	chilli ()
1	root	1060	{
1370	richard	1061	# chilli unit for systemd
2324	tom.houday	1062	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1063	# This file is part of systemd.
		1064	#
		1065	# systemd is free software; you can redistribute it and/or modify it
		1066	# under the terms of the GNU General Public License as published by
		1067	# the Free Software Foundation; either version 2 of the License, or
		1068	# (at your option) any later version.
1370	richard	1069	[Unit]
		1070	Description=chilli is a captive portal daemon
		1071	After=network.target
		1072
		1073	[Service]
1379	richard	1074	Type=forking
1370	richard	1075	ExecStart=/usr/libexec/chilli start
		1076	ExecStop=/usr/libexec/chilli stop
		1077	ExecReload=/usr/libexec/chilli reload
		1078	PIDFile=/var/run/chilli.pid
		1079
		1080	[Install]
		1081	WantedBy=multi-user.target
		1082	EOF
799	richard	1083	# init file creation
1370	richard	1084	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
1801	richard	1085	cat <<EOF > /etc/init.d/chilli
799	richard	1086	#!/bin/sh
		1087	#
		1088	# chilli CoovaChilli init
		1089	#
		1090	# chkconfig: 2345 65 35
		1091	# description: CoovaChilli
		1092	### BEGIN INIT INFO
		1093	# Provides: chilli
2454	tom.houday	1094	# Required-Start: network
		1095	# Should-Start:
799	richard	1096	# Required-Stop: network
2454	tom.houday	1097	# Should-Stop:
799	richard	1098	# Default-Start: 2 3 5
		1099	# Default-Stop:
		1100	# Description: CoovaChilli access controller
		1101	### END INIT INFO
		1102
		1103	[ -f /usr/sbin/chilli ] \|\| exit 0
		1104	. /etc/init.d/functions
		1105	CONFIG=/etc/chilli.conf
		1106	pidfile=/var/run/chilli.pid
		1107	[ -f \$CONFIG ] \|\| {
2394	tom.houday	1108	echo "\$CONFIG Not found"
		1109	exit 0
799	richard	1110	}
2376	tom.houday	1111	current_users_file="/var/tmp/havp/current_users.txt" # file containing active users
799	richard	1112	RETVAL=0
		1113	prog="chilli"
		1114	case \$1 in
2394	tom.houday	1115	start)
2454	tom.houday	1116	if [ -f \$pidfile ] ; then
2394	tom.houday	1117	gprintf "chilli is already running"
		1118	else
		1119	gprintf "Starting \$prog: "
		1120	echo '' > \$current_users_file && chown apache:apache \$current_users_file
		1121	rm -f /var/run/chilli* # cleaning
		1122	/usr/sbin/modprobe tun >/dev/null 2>&1
		1123	echo 1 > /proc/sys/net/ipv4/ip_forward
		1124	[ -e /dev/net/tun ] \|\| {
2454	tom.houday	1125	(cd /dev;
		1126	mkdir net;
		1127	cd net;
2394	tom.houday	1128	mknod tun c 10 200)
		1129	}
		1130	ifconfig $INTIF 0.0.0.0
		1131	/usr/sbin/ethtool -K $INTIF gro off
		1132	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1133	RETVAL=\$?
		1134	fi
		1135	;;
799	richard	1136
2394	tom.houday	1137	reload)
		1138	killall -HUP chilli
		1139	;;
799	richard	1140
2394	tom.houday	1141	restart)
		1142	\$0 stop
		1143	sleep 2
		1144	\$0 start
		1145	;;
799	richard	1146
2394	tom.houday	1147	status)
		1148	status chilli
		1149	RETVAL=0
		1150	;;
		1151
		1152	stop)
2454	tom.houday	1153	if [ -f \$pidfile ] ; then
2394	tom.houday	1154	gprintf "Shutting down \$prog: "
		1155	killproc /usr/sbin/chilli
		1156	RETVAL=\$?
		1157	[ \$RETVAL = 0 ] && rm -f \$pidfile
		1158	[ -e \$current_users_file ] && rm -f \$current_users_file
2454	tom.houday	1159	else
2394	tom.houday	1160	gprintf "chilli is not running"
		1161	fi
		1162	;;
		1163
		1164	*)
		1165	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1166	exit 1
799	richard	1167	esac
		1168	echo
		1169	EOF
2324	tom.houday	1170	chmod a+x /etc/init.d/chilli
		1171	ln -s /etc/init.d/chilli /usr/libexec/chilli
799	richard	1172	# conf file creation
346	richard	1173	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
2016	raphael.pi	1174	#NTP Option configuration for DHCP
2032	richard	1175	#DHCP Options : rfc2132
		1176	#dhcp option value will be convert in hexa.
		1177	#NTP option (or 'option 42') is like :
2454	tom.houday	1178	#
2032	richard	1179	# Code Len Address 1 Address 2
		1180	# +-----+-----+-----+-----+-----+-----+-----+-----+--
		1181	# \| 42 \| n \| a1 \| a2 \| a3 \| a4 \| a1 \| a2 \| ...
		1182	# +-----+-----+-----+-----+-----+-----+-----+-----+--
		1183	#
		1184	#Code : 42 => 2a
		1185	#Len : 4 => 04
2688	lucas.echa	1186	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP \| cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP \| cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP \| cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP \| cut -d'.' -f4)")
346	richard	1187	cat <<EOF > /etc/chilli.conf
		1188	# coova config for ALCASAR
		1189	cmdsocket /var/run/chilli.sock
1336	richard	1190	unixipc chilli.$INTIF.ipc
1551	richard	1191	pidfile /var/run/chilli.pid
346	richard	1192	net $PRIVATE_NETWORK_MASK
595	richard	1193	dhcpif $INTIF
841	richard	1194	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1195	#nodynip
865	richard	1196	#statip
		1197	dynip $PRIVATE_NETWORK_MASK
1249	richard	1198	domain $DOMAIN
355	richard	1199	dns1 $PRIVATE_IP
		1200	dns2 $PRIVATE_IP
346	richard	1201	uamlisten $PRIVATE_IP
503	richard	1202	uamport 3990
2370	tom.houday	1203	uamuiport 3991
837	richard	1204	macauth
		1205	macpasswd password
1697	richard	1206	strictmacauth
1243	richard	1207	locationname $HOSTNAME.$DOMAIN
346	richard	1208	radiusserver1 127.0.0.1
		1209	radiusserver2 127.0.0.1
		1210	radiussecret $secretradius
		1211	radiusauthport 1812
		1212	radiusacctport 1813
1243	richard	1213	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
2374	tom.houday	1214	redirurl
1243	richard	1215	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1216	uamsecret $secretuam
1249	richard	1217	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1218	coaport 3799
1379	richard	1219	conup $DIR_DEST_BIN/alcasar-conup.sh
		1220	condown $DIR_DEST_BIN/alcasar-condown.sh
2594	tom.houday	1221	macup $DIR_DEST_BIN/alcasar-macup.sh
503	richard	1222	include $DIR_DEST_ETC/alcasar-uamallowed
		1223	include $DIR_DEST_ETC/alcasar-uamdomain
2016	raphael.pi	1224	dhcpopt 2a04$PRIVATE_IP_HEXA
1613	franck	1225	#dhcpgateway none
		1226	#dhcprelayagent none
1610	franck	1227	#dhcpgatewayport none
2234	richard	1228	sslkeyfile /etc/pki/tls/private/alcasar.key
		1229	sslcertfile /etc/pki/tls/certs/alcasar.crt
		1230	redirssl
2370	tom.houday	1231	uamuissl
346	richard	1232	EOF
2274	richard	1233	# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1234	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
2274	richard	1235	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
840	richard	1236	# create files for trusted domains and urls
1148	crox53	1237	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1238	chown root:apache $DIR_DEST_ETC/alcasar-*
		1239	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1240	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1241	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
796	richard	1242	# user 'chilli' creation (in order to run conup/off and up/down scripts
2396	tom.houday	1243	chilli_exist=`grep -c ^chilli: /etc/passwd`
796	richard	1244	if [ "$chilli_exist" == "1" ]
		1245	then
2454	tom.houday	1246	userdel -r chilli 2>/dev/null
796	richard	1247	fi
		1248	groupadd -f chilli
		1249	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1250	} # End of chilli ()
1349	richard	1251
2541	rexy	1252	################################################################
2521	armand.ito	1253	## Function "e2guardian" ##
2541	rexy	1254	## - Set the parameters of this HTML proxy (as controler) ##
		1255	################################################################
2521	armand.ito	1256	e2guardian ()
1	root	1257	{
2521	armand.ito	1258	mkdir -p /var/e2guardian /var/log/e2guardian
		1259	chown -R e2guardian /var/e2guardian /var/log/e2guardian
		1260	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
		1261	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
		1262	[ -e $DIR_DG/e2guardian.conf.default ] \|\| cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
2454	tom.houday	1263	# By default the filter is off
2521	armand.ito	1264	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1293	richard	1265	# French deny HTML page
2521	armand.ito	1266	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1293	richard	1267	# Listen only on LAN side
2521	armand.ito	1268	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1342	richard	1269	# DG send its flow to HAVP
2521	armand.ito	1270	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1293	richard	1271	# replace the default deny HTML page
2521	armand.ito	1272	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
		1273	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1293	richard	1274	# Don't log
2521	armand.ito	1275	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
2519	rexy	1276	# # Change the default report page
2521	armand.ito	1277	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
2519	rexy	1278	# Disable HTML content control
2521	armand.ito	1279	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
497	richard	1280	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1281	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
2519	rexy	1282	# Disable URL control with regex
497	richard	1283	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1284	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
2521	armand.ito	1285	# Configure E2guardian for large site
1721	richard	1286	# Minimum number of processus to handle connections
2521	armand.ito	1287	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1721	richard	1288	# Maximum number of processus to handle connections
2521	armand.ito	1289	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1721	richard	1290	# Run at least 8 daemons
2521	armand.ito	1291	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1721	richard	1292	# minimum number of processes to spawn
2521	armand.ito	1293	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1721	richard	1294	# maximum age of a child process before it croaks it
2521	armand.ito	1295	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
2519	rexy	1296	# Disable download files control
2521	armand.ito	1297	[ -e $DIR_DG/e2guardianf1.conf.default ] \|\| cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
		1298	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
497	richard	1299	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1300	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1301	touch $DIR_DG/lists/bannedextensionlist
		1302	touch $DIR_DG/lists/bannedmimetypelist
		1303	# 'Safesearch' regex actualisation
498	richard	1304	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1305	# empty LAN IP list that won't be WEB filtered
		1306	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1307	touch $DIR_DG/lists/exceptioniplist
		1308	# Keep a copy of URL & domain filter configuration files
		1309	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1310	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
2521	armand.ito	1311	} # End of e2guardian ()
1	root	1312
71	richard	1313	##################################################################
2519	rexy	1314	## Function "antivirus" ##
		1315	## - Set the parameters of havp, libclamav and freshclam ##
71	richard	1316	##################################################################
2454	tom.houday	1317	antivirus ()
71	richard	1318	{
1358	richard	1319	# create 'havp' user
2396	tom.houday	1320	havp_exist=`grep -c ^havp: /etc/passwd`
307	richard	1321	if [ "$havp_exist" == "1" ]
288	richard	1322	then
2454	tom.houday	1323	userdel -r havp 2>/dev/null
		1324	groupdel havp 2>/dev/null
288	richard	1325	fi
307	richard	1326	groupadd -f havp
1486	richard	1327	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1841	richard	1328	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1484	richard	1329	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1841	richard	1330	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
109	richard	1331	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1332	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1333	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1334	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1335	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1336	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1337	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1338	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1339	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1340	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1341	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1342	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1343	# skip checking of youtube flow (too heavy load / risk too low)
		1344	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1345	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1346	echo ".youtube.com/" >> /etc/havp/whitelist
1544	richard	1347	# adapt init script and systemd unit
335	richard	1348	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1349	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1547	richard	1350	[ -e /lib/systemd/system/havp.service.default ] \|\| cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
		1351	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1544	richard	1352	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1358	richard	1353	# replace of the intercept page (template)
340	richard	1354	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1355	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1356	# update virus database every 4 hours (24h/6)
1357	richard	1357	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1358	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1359	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1360	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1361	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1362	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1363	# update now
1382	richard	1364	/usr/bin/freshclam --no-warnings
1389	richard	1365	} # End of antivirus ()
71	richard	1366
2519	rexy	1367	################################################################################
		1368	## Function "tinyproxy" ##
2552	rexy	1369	## - Set the parameters of tinyproxy (proxy between filtered users and havp) ##
2519	rexy	1370	################################################################################
2454	tom.houday	1371	tinyproxy ()
1485	richard	1372	{
2396	tom.houday	1373	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1486	richard	1374	if [ "$tinyproxy_exist" == "1" ]
		1375	then
2454	tom.houday	1376	userdel -r tinyproxy 2>/dev/null
		1377	groupdel tinyproxy 2>/dev/null
1486	richard	1378	fi
		1379	groupadd -f tinyproxy
1488	richard	1380	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1668	richard	1381	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
		1382	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1486	richard	1383	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1384	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1385	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1386	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1387	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1388	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1389	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1390	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1391	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1392	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1544	richard	1393	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
1509	richard	1394	# Create the systemd unit
		1395	cat << EOF > /lib/systemd/system/tinyproxy.service
		1396	# This file is part of systemd.
		1397	#
		1398	# systemd is free software; you can redistribute it and/or modify it
		1399	# under the terms of the GNU General Public License as published by
		1400	# the Free Software Foundation; either version 2 of the License, or
		1401	# (at your option) any later version.
1485	richard	1402
1509	richard	1403	# This unit launches tinyproxy (a very light proxy).
1518	richard	1404	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1405	[Unit]
		1406	Description=Tinyproxy Web Proxy Server
		1407	After=network.target iptables.service
		1408
		1409	[Service]
		1410	Type=forking
1518	richard	1411	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1412	ExecStartPre=/bin/sleep 2
		1413	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1414	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1415
		1416	[Install]
		1417	WantedBy=multi-user.target
		1418	EOF
		1419
1485	richard	1420	} # end of tinyproxy
2519	rexy	1421	##############################################################################
		1422	## function "ulogd" ##
		1423	## - Ulog config for multi-log files ##
		1424	##############################################################################
1389	richard	1425	ulogd ()
476	richard	1426	{
		1427	# Three instances of ulogd (three different logfiles)
		1428	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1429	nl=1
1358	richard	1430	for log_type in traceability ssh ext-access
478	richard	1431	do
1365	richard	1432	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1433	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1434	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1704	richard	1435	$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
478	richard	1436	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1437	[emu1]
478	richard	1438	file="/var/log/firewall/$log_type.log"
		1439	sync=1
		1440	EOF
1452	richard	1441	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1442	nl=`expr $nl + 1`
		1443	done
476	richard	1444	chown -R root:apache /var/log/firewall
		1445	chmod 750 /var/log/firewall
		1446	chmod 640 /var/log/firewall/*
1389	richard	1447	} # End of ulogd ()
476	richard	1448
1159	crox53	1449
		1450	##########################################################
2519	rexy	1451	## Function "nfsen" ##
		1452	## - install the nfsen grapher ##
		1453	## - install the two plugins porttracker & surfmap ##
1159	crox53	1454	##########################################################
1389	richard	1455	nfsen()
1	root	1456	{
2330	tom.houday	1457	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1365	richard	1458	# Add PortTracker plugin
1534	richard	1459	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1395	richard	1460	do
2330	tom.houday	1461	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1395	richard	1462	done
2330	tom.houday	1463	$SED "s?^my \$PORTSDBDIR =.?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-/contrib/PortTracker/PortTracker.pm
1365	richard	1464	# use of our conf file and init unit
2330	tom.houday	1465	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1570	richard	1466	# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1221	richard	1467	DirTmp=$(pwd)
2688	lucas.echa	1468	cd /tmp/nfsen-*/ \|\| { echo "Unable to find nfsen directory"; exit 1; }
1570	richard	1469	/usr/bin/perl install.pl etc/nfsen.conf
		1470	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1365	richard	1471	# Create RRD DB for porttracker (only in it still doesn't exist)
1570	richard	1472	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1473	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1395	richard	1474	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1475	chmod -R 770 /var/log/netflow/porttracker
1372	richard	1476	# nfsen unit for systemd
2330	tom.houday	1477	cat << EOF > /lib/systemd/system/nfsen.service
1372	richard	1478	# This file is part of systemd.
		1479	#
		1480	# systemd is free software; you can redistribute it and/or modify it
		1481	# under the terms of the GNU General Public License as published by
		1482	# the Free Software Foundation; either version 2 of the License, or
		1483	# (at your option) any later version.
		1484
		1485	# This unit launches nfsen (a Netflow grapher).
		1486	[Unit]
		1487	Description= NfSen init script
		1488	After=network.target iptables.service
		1489
		1490	[Service]
		1491	Type=oneshot
		1492	RemainAfterExit=yes
1393	richard	1493	PIDFile=/var/run/nfsen/nfsen.pid
		1494	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1495	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
2454	tom.houday	1496	ExecStart=/usr/bin/nfsen start
1372	richard	1497	ExecStop=/usr/bin/nfsen stop
1393	richard	1498	ExecReload=/usr/bin/nfsen restart
1372	richard	1499	TimeoutSec=0
		1500
		1501	[Install]
		1502	WantedBy=multi-user.target
		1503	EOF
1365	richard	1504	# Add the listen port to collect netflow packet (nfcapd)
2688	lucas.echa	1505	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1365	richard	1506	# expire delay for the profile "live"
1574	richard	1507	/usr/bin/systemctl start nfsen
1393	richard	1508	/bin/nfsen -m live -e 62d 2>/dev/null
2643	rexy	1509	# add SURFmap plugin (waiting for new technical solution)
		1510	# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
		1511	# cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
		1512	# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
		1513	# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
		1514	# cd /tmp/
2688	lucas.echa	1515	# /usr/bin/sh SURFmap/install.sh
2643	rexy	1516	# clear the installation
		1517	# rm -rf /tmp/SURFmap*
2657	tom.houday	1518	rm -rf /tmp/nfsen-*
2688	lucas.echa	1519	cd $DirTmp \|\| { echo "Unable to find $DirTmp directory"; exit 1; }
2581	rexy	1520	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1389	richard	1521	} # End of nfsen ()
1	root	1522
2552	rexy	1523	###########################################################
		1524	## Function "vnstat" ##
		1525	## - Initialization of Vnstat and vnstat phpFrontEnd ##
		1526	###########################################################
1541	richard	1527	vnstat ()
		1528	{
2330	tom.houday	1529	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
2589	rexy	1530	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
2688	lucas.echa	1531	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
2330	tom.houday	1532	[ -e $DIR_ACC/manager/stats/config.php.default ] \|\| cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
		1533	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
		1534	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
2589	rexy	1535	/usr/bin/vnstat -i $EXTIF -u --force
2281	tom.houday	1536	} # End of vnstat
		1537
2558	rexy	1538	##################################################################
		1539	## Function "dnsmasq" ##
		1540	## - creation of the conf files of the 4 intances of dnsmasq ##
		1541	## - creation of the file managing domain name (local & remote) ##
		1542	##################################################################
1389	richard	1543	dnsmasq ()
219	jeremy	1544	{
		1545	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
2688	lucas.echa	1546	[ -e /etc/dnsmasq.conf.default ] \|\| mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
		1547	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1928	richard	1548	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1549	# Configuration file for "dnsmasq with whitelist"
1873	richard	1550	# ADD Toulouse university whitelist domains
1472	richard	1551	pid-file=/var/run/dnsmasq-whitelist.pid
2688	lucas.echa	1552	listen-address=127.0.0.1
1356	richard	1553	port=55
1472	richard	1554	no-dhcp-interface=lo
1356	richard	1555	bind-interfaces
1721	richard	1556	cache-size=1024
1356	richard	1557	domain-needed
		1558	expand-hosts
		1559	bogus-priv
		1560	filterwin2k
2688	lucas.echa	1561	ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
		1562	server=$DNS1
		1563	server=$DNS2
1356	richard	1564	EOF
2688	lucas.echa	1565
		1566	# Create dnsmasq-whitelist unit
		1567	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
		1568	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
		1569	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
		1570	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
		1571	} # End dnsmasq
		1572
		1573	##################################################
		1574	## Function "unbound" ##
		1575	##################################################
		1576	unbound ()
		1577	{
		1578	[ -d /etc/unbound/conf.d ] \|\| mkdir -p /etc/unbound/conf.d
		1579	[ -d /etc/unbound/conf.d/common ] \|\| mkdir /etc/unbound/conf.d/common
		1580	[ -d /etc/unbound/conf.d/common/local-forward ] \|\| mkdir /etc/unbound/conf.d/common/local-forward
		1581	[ -d /etc/unbound/conf.d/common/local-dns ] \|\| mkdir /etc/unbound/conf.d/common/local-dns
		1582	[ -d /etc/unbound/conf.d/forward ] \|\| mkdir /etc/unbound/conf.d/forward
		1583	[ -d /etc/unbound/conf.d/blacklist ] \|\| mkdir /etc/unbound/conf.d/blacklist
		1584	[ -d /etc/unbound/conf.d/whitelist ] \|\| mkdir /etc/unbound/conf.d/whitelist
		1585	[ -d /etc/unbound/conf.d/blackhole ] \|\| mkdir /etc/unbound/conf.d/blackhole
		1586	[ -d /var/log/unbound ] \|\| { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
		1587	[ -e /etc/unbound/unbound.conf.default ] \|\| cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
		1588
		1589	# Local static DNS configuration
		1590	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] \|\| touch /etc/unbound/conf.d/common/local-dns/global.conf
		1591
		1592	# Forward zone configuration file for all unbound dns servers
		1593	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
		1594	forward-zone:
		1595	name: "."
		1596	forward-addr: $DNS1
		1597	forward-addr: $DNS2
1472	richard	1598	EOF
		1599
2688	lucas.echa	1600	# Custom configuration file for manual DNS configuration
		1601	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
		1602	## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
		1603	## Add one block for each domain name managed by an other DNS server
		1604	##
		1605	## Example:
		1606	##
		1607	## server:
		1608	## local-zone: "<your_domain>." transparent
		1609	## forward-zone:
		1610	## name: "<your_domain>."
		1611	## forward-addr: <@IP_domain_server>
		1612	##
2558	rexy	1613	## INFO : local hostnames are resolved in /etc/hosts file
		1614	EOF
		1615
2688	lucas.echa	1616	# Configuration file of ALCASAR main domains for $INTIF
		1617	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
		1618	server:
		1619	local-zone: "$HOSTNAME.$DOMAIN" static
		1620	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
		1621	local-zone: "$HOSTNAME" static
		1622	local-data: "$HOSTNAME A $PRIVATE_IP"
		1623	local-zone: "$DOMAIN." static
		1624	local-data: "$DOMAIN. A"
		1625	EOF
		1626
		1627	# Configuration file for lo of forward unbound
		1628	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
		1629	server:
		1630	interface: 127.0.0.1@53
		1631	access-control-view: 127.0.0.1/8 lo
		1632
		1633	view:
		1634	name: "lo"
		1635	local-zone: "$HOSTNAME.$DOMAIN" static
		1636	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
		1637	local-zone: "$HOSTNAME" static
		1638	local-data: "$HOSTNAME A 127.0.0.1"
		1639	local-zone: "$DOMAIN." static
		1640	local-data: "$DOMAIN. A"
		1641	view-first: yes
		1642	EOF
		1643
		1644	# Configuration file for $INTIF of forward unbound
		1645	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
		1646	server:
		1647	interface: ${PRIVATE_IP}@53
		1648	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
		1649
		1650	view:
		1651	name: "$INTIF"
		1652	local-zone: "$HOSTNAME.$DOMAIN" static
		1653	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
		1654	local-zone: "$HOSTNAME" static
		1655	local-data: "$HOSTNAME A $PRIVATE_IP"
		1656	view-first: yes
		1657	EOF
		1658
		1659	# Configuration file for forward unbound
		1660	cat << EOF > /etc/unbound/unbound.conf
		1661	server:
		1662	verbosity: 1
		1663	hide-version: yes
		1664	hide-identity: yes
		1665	do-ip6: no
		1666
		1667	include: /etc/unbound/conf.d/common/forward-zone.conf
		1668	include: /etc/unbound/conf.d/common/local-forward/*
		1669	include: /etc/unbound/conf.d/common/local-dns/*
		1670	include: /etc/unbound/conf.d/forward/*
		1671	EOF
		1672
		1673	# Configuration file for $INTIF of blacklist unbound
		1674	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
		1675	server:
		1676	interface: ${PRIVATE_IP}@54
		1677	access-control: $PRIVATE_IP_MASK allow
		1678	access-control-tag: $PRIVATE_IP_MASK "blacklist"
		1679	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
		1680	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
		1681	EOF
		1682
		1683	# Configuration file for blacklist unbound
		1684	cat << EOF > /etc/unbound/unbound-blacklist.conf
		1685	server:
		1686	verbosity: 1
		1687	hide-version: yes
		1688	hide-identity: yes
		1689	do-ip6: no
		1690	logfile: "/var/log/unbound/unbound-blacklist.log"
		1691	chroot: ""
		1692	define-tag: "blacklist"
		1693	log-local-actions: yes
		1694
		1695	include: /etc/unbound/conf.d/common/forward-zone.conf
		1696	include: /etc/unbound/conf.d/common/local-forward/*
		1697	include: /etc/unbound/conf.d/common/local-dns/*
		1698	include: /etc/unbound/conf.d/blacklist/*
		1699
		1700	include: /usr/local/share/unbound-bl-enabled/*
		1701	EOF
		1702
		1703	# Configuration file for $INTIF of whitelist unbound
		1704	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
		1705	server:
		1706	interface: ${PRIVATE_IP}@55
		1707	access-control: $PRIVATE_IP_MASK allow
		1708	access-control-tag: $PRIVATE_IP_MASK "whitelist"
		1709	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
		1710	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
		1711	EOF
		1712
		1713	# Configuration file for whitelist unbound
		1714	cat << EOF > /etc/unbound/unbound-whitelist.conf
		1715	server:
		1716	verbosity: 1
		1717	hide-version: yes
		1718	hide-identity: yes
		1719	do-ip6: no
		1720	do-not-query-localhost: no
		1721	define-tag: "whitelist"
		1722
		1723	local-zone: "." transparent
		1724	local-zone-tag: "." "whitelist"
		1725
		1726	include: /usr/local/share/unbound-wl-enabled/*
		1727	include: /etc/unbound/conf.d/whitelist/*
		1728	include: /etc/unbound/conf.d/common/local-dns/*
		1729	include: /etc/unbound/conf.d/common/local-forward/*
		1730
		1731	forward-zone:
		1732	name: "."
		1733	forward-addr: 127.0.0.1@55
		1734	EOF
		1735
		1736	# Configuration file for $INTIF of blackhole unbound
		1737	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
		1738	server:
		1739	interface: ${PRIVATE_IP}@56
		1740	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
		1741
		1742	view:
		1743	name: "$INTIF"
		1744	local-zone: "." redirect
		1745	local-data: ". A $PRIVATE_IP"
		1746	EOF
		1747
		1748	# Configuration file for blackhole unbound
		1749	cat << EOF > /etc/unbound/unbound-blackhole.conf
		1750	server:
		1751	verbosity: 1
		1752	hide-version: yes
		1753	hide-identity: yes
		1754	do-ip6: no
		1755
		1756	include: /etc/unbound/conf.d/blackhole/*
		1757	include: /etc/unbound/conf.d/common/local-dns/*
		1758	include: /etc/unbound/conf.d/common/local-forward/*
		1759	EOF
		1760
		1761	if [ ! -e /lib/systemd/system/unbound.service.default ]
		1762	then
		1763	cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
		1764	fi
		1765	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
		1766	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
		1767
		1768	for list in blacklist blackhole whitelist
1474	richard	1769	do
2688	lucas.echa	1770	cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
		1771	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
		1772	$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1474	richard	1773	done
308	richard	1774
2688	lucas.echa	1775	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
		1776	} # End unbound
		1777
2689	lucas.echa	1778	##################################################
		1779	## Function "dhcpd" ##
		1780	##################################################
		1781	dhcpd ()
		1782	{
		1783	[ -e /etc/dhcpd.conf.default ] \|\| cp /etc/dhcpd.conf /etc/dhcpd.conf.default
		1784
		1785	cat <<EOF > /etc/dhcpd.conf
		1786	ddns-update-style none;
		1787	subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
		1788	option routers $PRIVATE_IP;
		1789	option subnet-mask $PRIVATE_NETMASK;
		1790	option domain-name-servers $PRIVATE_IP;
		1791
		1792	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
		1793	default-lease-time 21600;
		1794	max-lease-time 43200;
		1795	}
		1796	EOF
		1797	}
		1798
2552	rexy	1799	##########################################################
		1800	## Function "BL" ##
		1801	## - copy Toulouse BL ##
		1802	## - adapt this BL to ALCASAR architecture ##
2688	lucas.echa	1803	## - domain names for unbound-bl & unbound-wl ##
2552	rexy	1804	## - URLs for E²guardian ##
		1805	## - IPs for NetFilter ##
		1806	##########################################################
308	richard	1807	BL ()
		1808	{
1930	richard	1809	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
648	richard	1810	rm -rf $DIR_DG/lists/blacklists
1930	richard	1811	mkdir -p /tmp/blacklists
1938	richard	1812	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1383	richard	1813	# creation of file for the rehabilited domains and urls
648	richard	1814	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1815	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1816	touch $DIR_DG/lists/exceptionsitelist
		1817	touch $DIR_DG/lists/exceptionurllist
2521	armand.ito	1818	# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
648	richard	1819	cat <<EOF > $DIR_DG/lists/bannedurllist
2521	armand.ito	1820	# E2guardian filter config for ALCASAR
311	richard	1821	EOF
648	richard	1822	cat <<EOF > $DIR_DG/lists/bannedsitelist
2521	armand.ito	1823	# E2guardian domain filter config for ALCASAR
311	richard	1824	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1825	#**
		1826	# block all SSL and CONNECT tunnels
		1827	**s
		1828	# block all SSL and CONNECT tunnels specified only as an IP
		1829	*ips
		1830	# block all sites specified only by an IP
		1831	*ip
		1832	EOF
1852	raphael.pi	1833	# Add Bing to the safesearch url regext list (parental control)
878	richard	1834	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1835	# Bing - add 'adlt=strict'
		1836	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1837	EOF
1913	richard	1838	# change the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1839	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1925	richard	1840	# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1957	richard	1841	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
		1842	touch $DIR_DG/lists/blacklists/ossi-bl/domains
		1843	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
		1844	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
		1845	touch $DIR_DG/lists/blacklists/ossi-wl/domains
		1846	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1927	richard	1847	# add custom ALCASAR BL files
1957	richard	1848	for x in $(ls $DIR_BLACKLIST \| grep -v "^blacklist")
		1849	do
		1850	mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
		1851	cp $DIR_BLACKLIST/$x $DIR_DG/lists/blacklists/ossi-bl-$x/domains
		1852	echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
		1853	done
2521	armand.ito	1854	chown -R e2guardian:apache $DIR_DG
1957	richard	1855	chown -R root:apache $DIR_DEST_SHARE
		1856	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1927	richard	1857	# adapt the Toulouse BL to ALCASAR architecture
1957	richard	1858	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1925	richard	1859	# enable the default categories
1957	richard	1860	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
2560	rexy	1861	rm -rf /tmp/blacklists
2314	richard	1862	} # End BL()
219	jeremy	1863
2552	rexy	1864	#######################################################
		1865	## Function "cron" ##
		1866	## - write all cron & anacron files ##
		1867	#######################################################
1	root	1868	cron ()
		1869	{
2640	rexy	1870	# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1	root	1871	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1872	cat <<EOF > /etc/crontab
1828	richard	1873	SHELL=/usr/bin/bash
2640	rexy	1874	PATH=/sbin:/bin:/usr/sbin:/usr/bin
1	root	1875	MAILTO=root
		1876	HOME=/
		1877
		1878	# run-parts
		1879	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1880	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1881	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1882	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1883	EOF
		1884	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1885	cat <<EOF >> /etc/anacrontab
2454	tom.houday	1886	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1887	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
1	root	1888	EOF
811	richard	1889	cat <<EOF > /etc/cron.d/alcasar-mysql
2640	rexy	1890	# Verify, repair and export users database (every monday at 4:45 am)
1828	richard	1891	45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
2640	rexy	1892	# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1828	richard	1893	40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1894	EOF
952	franck	1895	cat <<EOF > /etc/cron.d/alcasar-archive
2640	rexy	1896	# Archiving logs (traceability & users database) (every Monday at 5:35 am)
952	franck	1897	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1898	EOF
2454	tom.houday	1899	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
2640	rexy	1900	# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1566	richard	1901	30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
168	franck	1902	EOF
2454	tom.houday	1903	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
2640	rexy	1904	# Update the system (everyday at 3:30 am)
762	franck	1905	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1906	EOF
2454	tom.houday	1907	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1808	richard	1908	# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
2640	rexy	1909	# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
		1910	# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
		1911	# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
		1912	# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
		1913	# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1808	richard	1914	1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
		1915	5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
		1916	10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
		1917	15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
2009	raphael.pi	1918	35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1	root	1919	EOF
2454	tom.houday	1920	cat <<EOF > /etc/cron.d/alcasar-watchdog
2640	rexy	1921	# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
		1922	# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
		1923	# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
2395	tom.houday	1924	/10 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1905	raphael.pi	1925
2228	franck	1926	#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1	root	1927	EOF
2454	tom.houday	1928	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
2640	rexy	1929	# start dead daemons (after boot process and every 18')
1851	franck	1930	@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
808	franck	1931	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1932	EOF
2454	tom.houday	1933	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
2640	rexy	1934	# Automatic update the BL via rsync (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1905	raphael.pi	1935
1874	raphael.pi	1936	EOF
2304	tom.houday	1937	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
2640	rexy	1938	# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
2304	tom.houday	1939	@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
		1940	EOF
		1941
1808	richard	1942	# removing the users crons
522	richard	1943	rm -f /var/spool/cron/*
2314	richard	1944	} # End cron()
1	root	1945
2552	rexy	1946	######################################################################
		1947	## Fonction "Fail2Ban" ##
		1948	##- Adapt conf file to ALCASAR ##
		1949	##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
		1950	######################################################################
1163	crox53	1951	fail2ban()
		1952	{
2243	tom.houday	1953	/usr/bin/sh $DIR_CONF/fail2ban.sh
1474	richard	1954	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1955	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1956	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1957	chmod 644 /var/log/fail2ban.log
1489	richard	1958	chmod 644 /var/Save/security/watchdog.log
1418	richard	1959	/usr/bin/touch /var/log/auth.log
1515	richard	1960	# fail2ban unit
		1961	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1962	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1963	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
2488	lucas.echa	1964	$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
2314	richard	1965	} # End fail2ban()
1163	crox53	1966
2552	rexy	1967	#########################################################
		1968	## Fonction "gammu_smsd" ##
		1969	## - Creating of SMS management database ##
		1970	## - Write the gammu a gammu_smsd conf files ##
		1971	#########################################################
1376	richard	1972	gammu_smsd()
		1973	{
2601	tom.houday	1974	# Create 'gammu' system user
		1975	groupadd -f gammu_smsd
		1976	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
		1977	usermod -a -G dialout gammu_smsd
		1978
		1979	# Create 'gammu' database
		1980	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
2688	lucas.echa	1981	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1376	richard	1982	# Add a gammu database structure
2688	lucas.echa	1983	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1376	richard	1984
2552	rexy	1985	# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
2601	tom.houday	1986	cat << EOF > /etc/gammurc
2552	rexy	1987	[gammu]
		1988	device = /dev/ttyUSB0
		1989	connection = at115200
		1990	EOF
		1991
2601	tom.houday	1992	cat << EOF > /etc/gammu_smsd_conf
1376	richard	1993	[gammu]
		1994	port = /dev/ttyUSB0
		1995	connection = at115200
		1996
		1997	[smsd]
		1998	PIN = 1234
		1999	logfile = /var/log/gammu-smsd/gammu-smsd.log
		2000	logformat = textall
		2001	debuglevel = 0
		2002
		2003	service = sql
		2004	driver = native_mysql
		2005	user = $DB_USER
		2006	password = $radiuspwd
		2007	pc = localhost
		2008	database = $DB_GAMMU
		2009
2631	rexy	2010	RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1376	richard	2011
		2012	StatusFrequency = 30
1380	richard	2013	;LoopSleep = 2
1376	richard	2014
		2015	;ResetFrequency = 300
		2016	;HardResetFrequency = 120
		2017
2454	tom.houday	2018	CheckSecurity = 1
1376	richard	2019	CheckSignal = 1
		2020	CheckBattery = 0
		2021	EOF
2601	tom.houday	2022	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1376	richard	2023
2601	tom.houday	2024	# Create the systemd unit
		2025	cat << EOF > /lib/systemd/system/gammu-smsd.service
		2026	[Unit]
		2027	Description=SMS daemon for Gammu
		2028	Documentation=man:gammu-smsd(1)
		2029	After=network.target mysql.service
1376	richard	2030
2601	tom.houday	2031	[Service]
		2032	Type=forking
		2033	ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
		2034	ExecReload=/bin/kill -HUP $MAINPID
		2035	ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
		2036	PIDFile=/var/run/gammu-smsd.pid
		2037
		2038	[Install]
		2039	WantedBy=multi-user.target
		2040	EOF
		2041
2314	richard	2042	# Log folder for gammu-smsd
2601	tom.houday	2043	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
		2044	chmod 755 /var/log/gammu-smsd
1376	richard	2045
2552	rexy	2046	# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
		2047	# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2542	rexy	2048	#cat << EOF > /lib/udev/rules.d/66-huawei.rules
		2049	#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
		2050	#EOF
2552	rexy	2051	# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
		2052	# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
		2053
2314	richard	2054	} # End gammu_smsd()
1376	richard	2055
2552	rexy	2056	############################################################
		2057	## Fonction "msec" ##
		2058	## - Apply the "fileserver" security level ##
		2059	## - remove the "system request" for rebboting ##
		2060	## - Fix several file permissions ##
		2061	############################################################
2202	richard	2062	msec()
		2063	{
		2064
		2065	# Apply fileserver security level
2211	richard	2066	[ -e /etc/security/msec/security.conf.default ] \|\| cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
		2067	echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2202	richard	2068
2203	richard	2069	# Set permissions monitoring and enforcement
2202	richard	2070	cat <<EOF > /etc/security/msec/perm.local
		2071	/var/log/firefwall/ root.apache 750
		2072	/var/log/firewall/* root.apache 640
		2073	/etc/security/msec/perm.local root.root 640
		2074	/etc/security/msec/level.local root.root 640
		2075	/etc/freeradius-web root.apache 750
		2076	/etc/freeradius-web/admin.conf root.apache 640
2420	richard	2077	/etc/raddb/client.conf radius.radius 640
		2078	/etc/raddb/radius.conf radius.radius 640
		2079	/etc/raddb/mods-available/ldap radius.apache 660
2202	richard	2080	/etc/raddb/sites-available/alcasar radius.apache 660
		2081	/etc/pki/* root.apache 750
2211	richard	2082	/var/log/netflow/porttracker root.apache 770
		2083	/var/log/netflow/porttracker/* root.apache 660
2202	richard	2084	EOF
2454	tom.houday	2085	# apply now hourly & daily checks
2202	richard	2086	/usr/sbin/msec
2211	richard	2087	/etc/cron.weekly/msec
2202	richard	2088
2314	richard	2089	} # End msec()
2202	richard	2090
2304	tom.houday	2091
2202	richard	2092	##################################################################
2552	rexy	2093	## Fonction "letsencrypt" ##
		2094	## - Install Let's Encrypt client ##
		2095	## - Prepare Let's Encrypt ALCASAR configuration file ##
2304	tom.houday	2096	##################################################################
		2097	letsencrypt()
		2098	{
		2099	echo "Installing Let's Encrypt client..."
		2100
2586	tom.houday	2101	# Remove potential old installers
		2102	rm -rf /tmp/acme.sh-*
		2103
2304	tom.houday	2104	# Extract acme.sh
		2105	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
		2106
		2107	pwdInstall=$(pwd)
2688	lucas.echa	2108	cd /tmp/acme.sh-* \|\| { echo "Unable to find ACME directory"; exit 1; }
2304	tom.houday	2109
		2110	acmesh_installDir="/opt/acme.sh"
		2111	acmesh_confDir="/usr/local/etc/letsencrypt"
2354	tom.houday	2112	acmesh_userAgent="ALCASAR"
2304	tom.houday	2113
		2114	# Install acme.sh
		2115	./acme.sh --install \
		2116	--home $acmesh_installDir \
		2117	--config-home $acmesh_confDir/data \
		2118	--certhome $acmesh_confDir/certs \
		2119	--accountkey $acmesh_confDir/ca/account.key \
		2120	--accountconf $acmesh_confDir/data/account.conf \
		2121	--useragent $acmesh_userAgent \
2308	tom.houday	2122	--nocron \
		2123	> /dev/null
2304	tom.houday	2124
		2125	if [ $? -ne 0 ]; then
		2126	echo "Error during installation of Let's Encrypt client (acme.sh)."
		2127	fi
		2128
		2129	# Create configuration file
		2130	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
		2131	email=
		2132	dateIssueRequest=
		2133	domainRequest=
		2134	challenge=
		2135	dateIssued=
		2136	dnsapi=
		2137	dateNextRenewal=
		2138	EOF
		2139
2688	lucas.echa	2140	cd $pwdInstall \|\| { echo "Unable to find $pwdInstall directory"; exit 1; }
2304	tom.houday	2141	rm -rf /tmp/acme.sh-*
		2142
		2143	} # END letsencrypt()
		2144
		2145	##################################################################
2552	rexy	2146	## Fonction "post_install" ##
		2147	## - Modifying banners (locals et ssh) & prompts ##
		2148	## - SSH config ##
		2149	## - sudoers config & files security ##
		2150	## - log rotate & ANSSI security parameters ##
		2151	## - Apply former conf in case of an update ##
		2152	##################################################################
1	root	2153	post_install()
		2154	{
2195	richard	2155	# change the SSH banner
		2156	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
		2157	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
5	franck	2158	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	2159	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		2160	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		2161	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	2162	# postfix banner anonymisation
2688	lucas.echa	2163	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
1841	richard	2164	chown -R postfix:postfix /var/lib/postfix
2195	richard	2165	# sshd liste on EXTIF & INTIF
1548	richard	2166	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2693