WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
2454	tom.houday	2	# $Id: alcasar.sh 2888 2020-11-29 18:13:41Z rexy $
1	root	3
		4	# alcasar.sh
2466	richard	5	# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
		6	# This script is distributed under the Gnu General Public License (GPL)
		7	# team@alcasar.net
959	franck	8
2454	tom.houday	9	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
1157	stephane	10	# Ce programme est un logiciel libre ; This software is free and open source
2454	tom.houday	11	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		12	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		13	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		14	# Voir la Licence Publique Générale GNU pour plus de détails.
959	franck	15
672	richard	16	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	17	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	18	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
2454	tom.houday	19	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
2466	richard	20
2840	rexy	21	# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
1	root	22
		23	# Options :
376	franck	24	# -i or --install
		25	# -u or --uninstall
		26	# Functions :
1378	richard	27	# testing : connectivity tests, free space test and mageia version test
1221	richard	28	# init : Installation of RPM and scripts
		29	# network : Network parameters
2552	rexy	30	# ACC : ALCASAR Control Center installation
		31	# CA : Certification Authority initialization
1837	richard	32	# time_server : NTPd configuration
1221	richard	33	# init_db : Initilization of radius database managed with MariaDB
2421	richard	34	# freeradius : FreeRadius initialisation
1389	richard	35	# chilli : coovachilli initialisation (+authentication page)
2521	armand.ito	36	# e2guardian : E2Guardian filtering HTTP proxy configuration
2840	rexy	37	# antivirus : clamav & freshclam configuration
1389	richard	38	# ulogd : log system in userland (match NFLOG target of iptables)
2775	rexy	39	# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
2688	lucas.echa	40	# unbound : Name server configuration
		41	# dnsmasq : Name server configuration (for whitelist ipset support)
1541	richard	42	# vnstat : little network stat daemon
2688	lucas.echa	43	# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
1266	richard	44	# cron : Logs export + watchdog + connexion statistics
1389	richard	45	# fail2ban : Fail2ban IDS installation and configuration
		46	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
2202	richard	47	# msec : Mandriva security package configuration
2304	tom.houday	48	# letsencrypt : Let's Encrypt client
2552	rexy	49	# post_install : Security, log rotation, etc.
1	root	50
2499	tom.houday	51	DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function
1	root	52	DATE=`date '+%d %B %Y - %Hh%M'`
		53	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	54	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	55	mode="install"
1	root	56	# ***** Files parameters - paramètres fichiers *******
2552	rexy	57	DIR_INSTALL=`pwd` # current directory
1015	richard	58	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		59	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
2552	rexy	60	DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
		61	DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
		62	DIR_WEB="/var/www/html" # directory of Lighttpd
		63	DIR_DG="/etc/e2guardian" # directory of E2Guardian
		64	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
1015	richard	65	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		66	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
2688	lucas.echa	67	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance)
2552	rexy	68	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
1015	richard	69	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	70	# ***** DBMS parameters - paramètres SGBD ******
2552	rexy	71	DB_RADIUS="radius" # database name used by FreeRadius server
		72	DB_USER="radius" # user name allows to request the users database
		73	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	74	# ***** Network parameters - paramètres réseau *****
2552	rexy	75	HOSTNAME="alcasar" # default hostname
		76	DOMAIN="localdomain" # default local domain
2736	rexy	77	EXTIF='' # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		78	INTIF='' # INTIF is connected to the consultation network
1148	crox53	79	MTU="1500"
1243	richard	80	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	81	# **** Paths - chemin des commandes *****
		82	SED="/bin/sed -i"
		83	# **************** End of global parameters *******************
		84
2724	rexy	85	license()
959	franck	86	{
		87	if [ $Lang == "fr" ]
1538	richard	88	then
		89	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		90	else
		91	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	92	fi
1538	richard	93	response=0
2760	lucas.echa	94	PTN='^[oOyYnN]?$'
		95	until [[ "$response" =~ $PTN ]]
1538	richard	96	do
		97	if [ $Lang == "fr" ]
1563	franck	98	then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
1538	richard	99	else echo -n "Do you accept the terms of this license (Y/n)? : "
		100	fi
		101	read response
		102	done
		103	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		104	then
		105	exit 1
		106	fi
2724	rexy	107	} # End of license()
959	franck	108
2724	rexy	109	header_install()
1	root	110	{
		111	clear
		112	echo "-----------------------------------------------------------------------------"
460	richard	113	echo " ALCASAR V$VERSION Installation"
1	root	114	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		115	echo "-----------------------------------------------------------------------------"
2724	rexy	116	} # End of header_install()
1	root	117
2552	rexy	118	########################################################
2870	rexy	119	## Function "testing_system" ##
2552	rexy	120	## - Test Mageia version ##
		121	## - Test ALCASAR version (if already installed) ##
		122	## - Test free space on /var (>10G) ##
		123	## - Test Internet access ##
		124	########################################################
2870	rexy	125	testing_system()
29	richard	126	{
1529	richard	127	# Test of Mageia version
		128	# extract the current Mageia version and hardware architecture (i586 ou X64)
		129	fic=`cat /etc/product.id`
		130	unknown_os=0
		131	old="$IFS"
		132	IFS=","
		133	set $fic
2688	lucas.echa	134	for i in "$@"
1529	richard	135	do
		136	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
2454	tom.houday	137	then
1529	richard	138	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		139	unknown_os=`expr $unknown_os + 1`
		140	fi
		141	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
2454	tom.houday	142	then
1529	richard	143	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		144	unknown_os=`expr $unknown_os + 1`
		145	fi
		146	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
2454	tom.houday	147	then
1529	richard	148	ARCH=`echo $i\|cut -d"=" -f2`
		149	unknown_os=`expr $unknown_os + 1`
		150	fi
		151	done
2669	tom.houday	152	if [ "$ARCH" != "x86_64" ]
2149	richard	153	then
		154	if [ $Lang == "fr" ]
2669	tom.houday	155	then echo "Votre architecture matérielle doit être en 64bits"
		156	else echo "You hardware architecture must be 64bits"
2149	richard	157	fi
2482	lucas.echa	158	exit 1
2149	richard	159	fi
1529	richard	160	IFS="$old"
2757	rexy	161	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "7" ) ]]
2688	lucas.echa	162	then
2669	tom.houday	163	if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
		164	then
		165	echo
		166	if [ $Lang == "fr" ]
		167	then
		168	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
		169	echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
2757	rexy	170	echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
2669	tom.houday	171	echo "3 - Importez votre base des usagers"
		172	else
		173	echo "The automatic update of ALCASAR can't be performed."
		174	echo "1 - Save your traceability files and the user database"
2757	rexy	175	echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
2669	tom.houday	176	echo "3 - Import your users database"
		177	fi
		178	else
		179	if [ $Lang == "fr" ]
		180	then echo "L'installation d'ALCASAR ne peut pas être réalisée."
		181	else echo "The installation of ALCASAR can't be performed."
		182	fi
		183	fi
		184	echo
		185	if [ $Lang == "fr" ]
2757	rexy	186	then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
		187	else echo "The OS must be replaced (Mageia7.1-64bits)"
2669	tom.houday	188	fi
2688	lucas.echa	189	exit 1
2669	tom.houday	190	fi
		191
1362	richard	192	# Test if ALCASAR is already installed
		193	if [ -e $CONF_FILE ]
		194	then
2396	tom.houday	195	current_version=`grep ^VERSION= $CONF_FILE \| cut -d"=" -f2`
1342	richard	196	if [ $Lang == "fr" ]
2669	tom.houday	197	then echo "La version $current_version d'ALCASAR est déjà installée"
		198	else echo "ALCASAR version $current_version is already installed"
1342	richard	199	fi
1362	richard	200	response=0
2458	richard	201	PTN='^[12]$'
2760	lucas.echa	202	until [[ "$response" =~ $PTN ]]
1362	richard	203	do
		204	if [ $Lang == "fr" ]
2669	tom.houday	205	then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
		206	else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
2499	tom.houday	207	fi
1362	richard	208	read response
		209	done
2458	richard	210	if [ "$response" = "2" ]
1362	richard	211	then
2560	rexy	212	rm -f /var/tmp/alcasar-conf*
1362	richard	213	else
2870	rexy	214	# Create the archive of conf files
1362	richard	215	$DIR_SCRIPTS/alcasar-conf.sh --create
		216	mode="update"
		217	fi
1529	richard	218	fi
2847	rexy	219	# Free /var (when updating) and test free space
		220	[ -d /var/log/netflow ] && rm -rf /var/log/netflow # remove old porttracker RRD database
2850	rexy	221	[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
2847	rexy	222	journalctl -q --vacuum-files 1 # remove previous journal logs
2771	rexy	223	free_space=`df -BG --output=avail /var\|tail -1\|tr -d '[:space:]G'`
		224	if [ $free_space -lt 10 ]
1529	richard	225	then
2771	rexy	226	if [ $Lang == "fr" ]
2847	rexy	227	then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
2771	rexy	228	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
1529	richard	229	fi
2771	rexy	230	exit 0
1529	richard	231	fi
2870	rexy	232	} # End of testing_system
2669	tom.houday	233
2870	rexy	234	########################################################
		235	## Function "testing_network" ##
		236	## - Test Internet access ##
		237	########################################################
		238	testing_network()
		239	{
2669	tom.houday	240	# Detect external/internal interfaces
		241	if [ -z "$EXTIF" ]; then
		242	EXTIF=$(/usr/sbin/ip route list \| awk '/^default / {print $5}')
		243	if [ -z "$EXTIF" ]; then
		244	if [ "$Lang" == 'fr' ]
2771	rexy	245	then echo "Aucune passerelle par défaut configurée"
		246	else echo "No default gateway configured"
2669	tom.houday	247	fi
		248	exit 1
		249	fi
		250	fi
		251	if [ "$Lang" == 'fr' ]
		252	then echo "Interface externe (Internet) utilisée : $EXTIF"
		253	else echo "External interface (Internet) used: $EXTIF"
		254	fi
		255
		256	if [ -z "$INTIF" ]; then
		257	interfacesList=$(/usr/sbin/ip -br link show \| cut -d' ' -f1 \| grep -v "^$lo\\|tun0\\|$EXTIF$\$")
2724	rexy	258	interfacesCount=$(echo "$interfacesList" \| wc -w)
2669	tom.houday	259	if [ $interfacesCount -eq 0 ]; then
		260	if [ "$Lang" == 'fr' ]
		261	then echo "Aucune interface de disponible pour le réseau interne"
		262	else echo "No interface available for the internal network"
		263	fi
		264	exit 1
		265	elif [ $interfacesCount -eq 1 ]; then
		266	INTIF="$interfacesList"
		267	else
		268	interfacesSorted=$(/usr/sbin/ip -br addr \| grep -v "^$lo\\|tun0\\|$EXTIF$ " \| sort -b -k3n -k2r -k1)
		269	interfacePreferred=$(echo "$interfacesSorted" \| head -1 \| cut -d' ' -f1)
		270	if [ "$Lang" == 'fr' ]
		271	then echo 'Liste des interfaces disponible :'
		272	else echo 'List of available interfaces:'
		273	fi
		274	echo "$interfacesSorted"
		275	response=''
		276	while true; do
		277	if [ "$Lang" == 'fr' ]
		278	then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
		279	else echo -n "Choice of internal interface ? [$interfacePreferred] "
		280	fi
		281	read response
		282
		283	[ -z "$response" ] && response="$interfacePreferred"
		284
		285	# Check if interface exist
2688	lucas.echa	286	if [ "$(echo "$interfacesList" \| grep -c "^$response\$")" -eq 1 ]; then
2669	tom.houday	287	INTIF="$response"
		288	break
		289	else
		290	if [ "$Lang" == 'fr' ]
		291	then echo "Interface \"$response\" introuvable"
		292	else echo "Interface \"$response\" not found"
		293	fi
		294	fi
		295	done
		296	fi
		297	fi
		298	if [ "$Lang" == 'fr' ]
		299	then echo "Interface interne utilisée : $INTIF"
		300	else echo "Internal interface used: $INTIF"
		301	fi
		302
2290	richard	303	if [ $Lang == "fr" ]
		304	then echo -n "Tests des paramètres réseau : "
2549	tom.houday	305	else echo -n "Network parameters tests: "
2290	richard	306	fi
		307	# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
2688	lucas.echa	308	cd /etc/sysconfig/network-scripts/ \|\| { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
2290	richard	309	IF_INTERFACES=`ls ifcfg-\|cut -d"-" -f2\|grep -v "^lo"\|cut -d"" -f1`
2282	richard	310	for i in $IF_INTERFACES
		311	do
2688	lucas.echa	312	if [ "$(/usr/sbin/ip link \| grep -c " $i:")" -eq 0 ]; then
2282	richard	313	rm -f ifcfg-$i
2454	tom.houday	314
2282	richard	315	if [ $Lang == "fr" ]
		316	then echo "Suppression : ifcfg-$i"
2549	tom.houday	317	else echo "Deleting: ifcfg-$i"
2282	richard	318	fi
		319	fi
		320	done
2688	lucas.echa	321	cd $DIR_INSTALL \|\| { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2290	richard	322	echo -n "."
2454	tom.houday	323	# Test Ethernet NIC links state
2669	tom.houday	324	interfacesDown=$(/usr/sbin/ip -br link \| grep "^$$EXTIF\\|$INTIF$ " \| grep 'NO-CARRIER' \| cut -d' ' -f1)
		325	if [ ! -z "$interfacesDown" ]; then
		326	for i in $interfacesDown; do
		327	if [ $Lang == "fr" ]
		328	then
		329	echo -e "\nÉchec"
		330	echo "Le lien réseau de la carte $i n'est pas actif."
		331	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		332	else
		333	echo -e "\nFailed"
		334	echo "The link state of $i interface is down."
		335	echo "Make sure that this network card is connected to a switch or an A.P."
		336	fi
		337	done
		338	exit 1
		339	fi
1471	richard	340	echo -n "."
		341	# Test EXTIF config files
2681	tom.houday	342	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF \| grep '^\s*inet\s' \| awk '{ print $2 }'`
		343	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d'/' -f1`
2673	tom.houday	344	PUBLIC_GATEWAY=`/usr/sbin/ip route list \| awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
2688	lucas.echa	345	if [ "$(echo $PUBLIC_IP\|wc -c)" -lt 7 ] \|\| [ "$(echo $PUBLIC_GATEWAY\|wc -c)" -lt 7 ]
1471	richard	346	then
784	richard	347	if [ $Lang == "fr" ]
2454	tom.houday	348	then
2669	tom.houday	349	echo -e "\nÉchec"
784	richard	350	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		351	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	352	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	353	else
2669	tom.houday	354	echo -e "\nFailed"
784	richard	355	echo "The Internet connected network card ($EXTIF) isn't well configured."
		356	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
2669	tom.houday	357	echo "Apply the new configuration: 'systemctl restart network'"
784	richard	358	fi
830	richard	359	echo "DEVICE=$EXTIF"
784	richard	360	echo "IPADDR="
		361	echo "NETMASK="
		362	echo "GATEWAY="
		363	echo "DNS1="
		364	echo "DNS2="
830	richard	365	echo "ONBOOT=yes"
2669	tom.houday	366	exit 1
784	richard	367	fi
		368	echo -n "."
2290	richard	369	# Test if default GW is set on EXTIF (router or ISP provider equipment)
2688	lucas.echa	370	if [ "$(/usr/sbin/ip route list\|grep " $EXTIF "\|grep -c '^default ')" -ne 1 ] ; then
595	richard	371	if [ $Lang == "fr" ]
2454	tom.houday	372	then
2669	tom.houday	373	echo -e "\nÉchec"
595	richard	374	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		375	echo "Réglez ce problème puis relancez ce script."
		376	else
2669	tom.houday	377	echo -e "\nFailed"
595	richard	378	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		379	echo "Resolv this problem, then restart this script."
		380	fi
2669	tom.houday	381	exit 1
29	richard	382	fi
308	richard	383	echo -n "."
2290	richard	384	# Test if default GW is alive
1499	richard	385	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
2688	lucas.echa	386	if [ "$(expr $arp_reply)" -eq 0 ]
2454	tom.houday	387	then
595	richard	388	if [ $Lang == "fr" ]
2454	tom.houday	389	then
2669	tom.houday	390	echo -e "\nÉchec"
2290	richard	391	echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	392	echo "Réglez ce problème puis relancez ce script."
		393	else
2669	tom.houday	394	echo -e "\nFailed"
2290	richard	395	echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
595	richard	396	echo "Resolv this problem, then restart this script."
		397	fi
2669	tom.houday	398	exit 1
308	richard	399	fi
		400	echo -n "."
2290	richard	401	# Test Internet connectivity
2669	tom.houday	402	domainTested='www.google.com'
		403	/usr/bin/curl -s --head "$domainTested" &>/dev/null
		404	if [ $? -ne 0 ]; then
595	richard	405	if [ $Lang == "fr" ]
2454	tom.houday	406	then
2669	tom.houday	407	echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
595	richard	408	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		409	echo "Vérifiez la validité des adresses IP des DNS."
		410	else
2669	tom.houday	411	echo -e "\nThe Internet connection try failed ($domainTested)."
595	richard	412	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		413	echo "Verify the DNS IP addresses"
		414	fi
2669	tom.houday	415	exit 1
29	richard	416	fi
308	richard	417	echo ". : ok"
2870	rexy	418	} # End of testing_network()
302	richard	419
2552	rexy	420	#######################################################################
		421	## Function "init" ##
		422	## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
		423	## - Creation of random password for GRUB, mariadb (admin and user) ##
		424	#######################################################################
2724	rexy	425	init()
302	richard	426	{
527	richard	427	if [ "$mode" != "update" ]
302	richard	428	then
		429	# On affecte le nom d'organisme
597	richard	430	header_install
302	richard	431	ORGANISME=!
		432	PTN='^[a-zA-Z0-9-]*$'
2760	lucas.echa	433	until [[ "$ORGANISME" =~ $PTN ]]
2454	tom.houday	434	do
595	richard	435	if [ $Lang == "fr" ]
2454	tom.houday	436	then echo -n "Entrez le nom de votre organisme : "
597	richard	437	else echo -n "Enter the name of your organism : "
595	richard	438	fi
330	franck	439	read ORGANISME
613	richard	440	if [ "$ORGANISME" == "" ]
2688	lucas.echa	441	then
330	franck	442	ORGANISME=!
		443	fi
		444	done
302	richard	445	fi
1	root	446	# On crée aléatoirement les mots de passe et les secrets partagés
2419	richard	447	# We create random passwords and shared secrets
628	richard	448	rm -f $PASSWD_FILE
2419	richard	449	echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
2688	lucas.echa	450	grub2pwd=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c8`
2454	tom.houday	451	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) \| \
		452	LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 \| \
		453	grep -v '[eE]nter password:' \| \
		454	sed -e "s/PBKDF2 hash of your password is //"`
		455	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
		456	[ -e /root/grub.default ] \|\| cp /etc/grub.d/10_linux /root/grub.default
		457	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry)
		458	chmod 0600 /boot/grub2/user.cfg
2419	richard	459	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
2454	tom.houday	460	echo "GRUB2_user=root" >> $PASSWD_FILE
		461	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
2688	lucas.echa	462	mysqlpwd=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c16`
2419	richard	463	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
2412	tom.houday	464	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
2688	lucas.echa	465	radiuspwd=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c16`
2419	richard	466	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
2421	richard	467	echo "db_user=$DB_USER" >> $PASSWD_FILE
		468	echo "db_password=$radiuspwd" >> $PASSWD_FILE
2688	lucas.echa	469	secretuam=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c16`
2412	tom.houday	470	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
		471	echo "secret_uam=$secretuam" >> $PASSWD_FILE
2688	lucas.echa	472	secretradius=`cat /dev/urandom \| tr -dc '[:alnum:]' \| head -c16`
2412	tom.houday	473	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
		474	echo "secret_radius=$secretradius" >> $PASSWD_FILE
628	richard	475	chmod 640 $PASSWD_FILE
1828	richard	476	# copy scripts in in /usr/local/bin
2664	tom.houday	477	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
1828	richard	478	# copy conf files in /usr/local/etc
1954	richard	479	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
1828	richard	480	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
628	richard	481	# generate central conf file
		482	cat <<EOF > $CONF_FILE
612	richard	483	##########################################
		484	## ##
		485	## ALCASAR Parameters ##
		486	## ##
		487	##########################################
1	root	488
612	richard	489	INSTALL_DATE=$DATE
		490	VERSION=$VERSION
		491	ORGANISM=$ORGANISME
		492	EOF
628	richard	493	chmod o-rwx $CONF_FILE
2724	rexy	494	} # End of init()
1	root	495
2552	rexy	496	#########################################################
		497	## Function "network" ##
		498	## - Define the several network address ##
		499	## - Define the DNS naming ##
		500	## - INTIF parameters (consultation network) ##
		501	## - Write "/etc/hosts" file ##
		502	## - write "hosts.allow" & "hosts.deny" files ##
		503	#########################################################
2724	rexy	504	network()
1	root	505	{
		506	header_install
636	richard	507	if [ "$mode" != "update" ]
		508	then
		509	if [ $Lang == "fr" ]
		510	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		511	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		512	fi
		513	response=0
2760	lucas.echa	514	PTN='^[oOyYnN]?$'
		515	until [[ "$response" =~ $PTN ]]
1	root	516	do
595	richard	517	if [ $Lang == "fr" ]
659	richard	518	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	519	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	520	fi
1	root	521	read response
		522	done
636	richard	523	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		524	then
		525	PRIVATE_IP_MASK="0"
		526	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
2760	lucas.echa	527	until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
1	root	528	do
595	richard	529	if [ $Lang == "fr" ]
597	richard	530	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		531	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	532	fi
597	richard	533	read PRIVATE_IP_MASK
1	root	534	done
636	richard	535	else
2688	lucas.echa	536	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
636	richard	537	fi
595	richard	538	else
2834	rexy	539	PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf\|cut -d"=" -f2`
		540	rm -rf /var/tmp/conf
1	root	541	fi
861	richard	542	# Define LAN side global parameters
1740	richard	543	hostnamectl set-hostname $HOSTNAME.$DOMAIN
977	richard	544	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	545	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	546	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	547	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	548	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	549	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
2688	lucas.echa	550	then
2454	tom.houday	551	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
1499	richard	552	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
2454	tom.houday	553	fi
1499	richard	554	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		555	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	556	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	557	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	558	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
1828	richard	559	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6\| sed 's/:/-/g'\| awk '{print toupper($0)}'` # MAC address of INTIF
841	richard	560	# Define Internet parameters
2809	rexy	561	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF \| grep '^DNS1='\| cut -d"=" -f2` # 1st DNS server
		562	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF \| grep '^DNS2=' \| cut -d"=" -f2` # 2nd DNS server
2870	rexy	563	DNS1=${DNS1:=208.67.220.220}
70	franck	564	DNS2=${DNS2:=208.67.222.222}
1499	richard	565	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	566	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	567	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
2552	rexy	568	# Write network parameters in the conf file
2737	rexy	569	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
		570	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
1469	richard	571	echo "EXTIF=$EXTIF" >> $CONF_FILE
		572	echo "INTIF=$INTIF" >> $CONF_FILE
2770	rexy	573	# Retrieve NIC name of other consultation LAN
2282	richard	574	INTERFACES=`/usr/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "^lo\\|$EXTIF\\|tun0"\|cut -d " " -f2\|tr -d ":"`
		575	for i in $INTERFACES
		576	do
		577	SUB=`echo ${i:0:2}`
		578	if [ $SUB = "wl" ]
		579	then WIFIF=$i
2454	tom.houday	580	elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
2282	richard	581	then LANIF=$i
		582	fi
		583	done
		584	if [ -n "$WIFIF" ]
		585	then echo "WIFIF=$WIFIF" >> $CONF_FILE
		586	elif [ -n "$LANIF" ]
		587	then echo "LANIF=$LANIF" >> $CONF_FILE
		588	fi
2552	rexy	589	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # test static or dynamic
1499	richard	590	if [ $IP_SETTING == "dhcp" ]
2688	lucas.echa	591	then
1499	richard	592	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
1585	richard	593	echo "GW=dhcp" >> $CONF_FILE
1499	richard	594	else
		595	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
1585	richard	596	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
1499	richard	597	fi
1587	richard	598	echo "DNS1=$DNS1" >> $CONF_FILE
		599	echo "DNS2=$DNS2" >> $CONF_FILE
994	franck	600	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	601	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	602	echo "DHCP=on" >> $CONF_FILE
2708	tom.houday	603	echo "EXT_DHCP_IP=" >> $CONF_FILE
		604	echo "RELAY_DHCP_IP=" >> $CONF_FILE
		605	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
2709	tom.houday	606	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
		607	echo "INT_DNS_IP=" >> $CONF_FILE
1610	franck	608	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
1499	richard	609	# network default
597	richard	610	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	611	cat <<EOF > /etc/sysconfig/network
		612	NETWORKING=yes
		613	FORWARD_IPV4=true
		614	EOF
2552	rexy	615	# write "/etc/hosts"
1	root	616	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		617	cat <<EOF > /etc/hosts
503	richard	618	127.0.0.1 localhost
2558	rexy	619	$PRIVATE_IP $HOSTNAME
1	root	620	EOF
2552	rexy	621	# write EXTIF (Internet) config
1499	richard	622	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		623	if [ $IP_SETTING == "dhcp" ]
2688	lucas.echa	624	then
1499	richard	625	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	626	DEVICE=$EXTIF
1585	richard	627	BOOTPROTO=dhcp
		628	DNS1=127.0.0.1
		629	PEERDNS=no
		630	RESOLV_MODS=yes
		631	ONBOOT=yes
1613	franck	632	NOZEROCONF=yes
1585	richard	633	METRIC=10
		634	MII_NOT_SUPPORTED=yes
		635	IPV6INIT=no
		636	IPV6TO4INIT=no
		637	ACCOUNTING=no
		638	USERCTL=no
		639	MTU=$MTU
		640	EOF
2688	lucas.echa	641	else
1585	richard	642	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		643	DEVICE=$EXTIF
14	richard	644	BOOTPROTO=static
597	richard	645	IPADDR=$PUBLIC_IP
		646	NETMASK=$PUBLIC_NETMASK
		647	GATEWAY=$PUBLIC_GATEWAY
2870	rexy	648	DNS1=$DNS1
		649	DNS2=$DNS2
1499	richard	650	RESOLV_MODS=yes
14	richard	651	ONBOOT=yes
		652	METRIC=10
1610	franck	653	NOZEROCONF=yes
14	richard	654	MII_NOT_SUPPORTED=yes
		655	IPV6INIT=no
		656	IPV6TO4INIT=no
		657	ACCOUNTING=no
		658	USERCTL=no
994	franck	659	MTU=$MTU
14	richard	660	EOF
1499	richard	661	fi
2552	rexy	662	# write INTIF (consultation LAN) in normal mode
2868	rexy	663	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
841	richard	664	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		665	DEVICE=$INTIF
		666	BOOTPROTO=static
		667	ONBOOT=yes
		668	NOZEROCONF=yes
		669	MII_NOT_SUPPORTED=yes
		670	IPV6INIT=no
		671	IPV6TO4INIT=no
		672	ACCOUNTING=no
		673	USERCTL=no
		674	EOF
2552	rexy	675	# write INTIF in bypass mode (see "alcasar-bypass.sh")
1554	richard	676	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
1	root	677	DEVICE=$INTIF
		678	BOOTPROTO=static
		679	IPADDR=$PRIVATE_IP
604	richard	680	NETMASK=$PRIVATE_NETMASK
1	root	681	ONBOOT=yes
		682	METRIC=10
		683	NOZEROCONF=yes
		684	MII_NOT_SUPPORTED=yes
14	richard	685	IPV6INIT=no
		686	IPV6TO4INIT=no
		687	ACCOUNTING=no
		688	USERCTL=no
1	root	689	EOF
2282	richard	690	######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
		691	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
		692	then
		693	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
		694	DEVICE=$WIFIF
		695	BOOTPROTO=static
		696	ONBOOT=yes
		697	NOZEROCONF=yes
		698	MII_NOT_SUPPORTED=yes
		699	IPV6INIT=no
		700	IPV6TO4INIT=no
		701	ACCOUNTING=no
		702	USERCTL=no
		703	EOF
		704	elif [ -n "$LANIF" ]
		705	then
		706	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
		707	DEVICE=$LANIF
		708	BOOTPROTO=static
		709	ONBOOT=yes
		710	NOZEROCONF=yes
		711	MII_NOT_SUPPORTED=yes
		712	IPV6INIT=no
		713	IPV6TO4INIT=no
		714	ACCOUNTING=no
		715	USERCTL=no
		716	EOF
		717	fi
2552	rexy	718	# write hosts.allow & hosts.deny
1	root	719	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		720	cat <<EOF > /etc/hosts.allow
		721	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	722	sshd: ALL
1	root	723	ntpd: $PRIVATE_NETWORK_SHORT
		724	EOF
		725	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		726	cat <<EOF > /etc/hosts.deny
		727	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		728	EOF
790	richard	729	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	730	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	731	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	732	# load conntrack ftp module
		733	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
1705	richard	734	echo "nf_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	735	# load ipt_NETFLOW module
		736	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	737	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
2688	lucas.echa	738	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		739	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		740	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
		741	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
2454	tom.houday	742	#
860	richard	743	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
2724	rexy	744	} # End of network()
1	root	745
2763	rexy	746	##################################################################
		747	## Fonction "CA" ##
		748	## - Creating the CA and the server certificate (lighttpd) ##
		749	##################################################################
		750	CA()
		751	{
		752	$DIR_DEST_BIN/alcasar-CA.sh
2814	rexy	753	chmod 755 /etc/pki/
2801	rexy	754	chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
2821	rexy	755	chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
2811	rexy	756	chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
		757	chmod 600 /etc/pki/CA/private/*
		758	chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
		759	chmod 640 /etc/pki/tls/private/*
2814	rexy	760	chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
2763	rexy	761	} # End of CA()
		762
2552	rexy	763	###################################################
		764	## Function "ACC" ##
		765	## - copy ALCASAR Control Center (ACC) files ##
		766	## - configuration of the web server (Lighttpd) ##
		767	## - creation of the first ACC admin account ##
		768	## - secure the ACC access ##
		769	###################################################
2724	rexy	770	ACC()
1	root	771	{
		772	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		773	mkdir $DIR_WEB
1833	richard	774	# Copy & adapt ACC files
316	richard	775	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
		776	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
2815	rexy	777	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
		778	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
		779	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
5	franck	780	chown -R apache:apache $DIR_WEB/*
1833	richard	781	# copy & adapt "freeradius-web" files
		782	cp -rf $DIR_CONF/freeradius-web/ /etc/
		783	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
		784	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
		785	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		786	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		787	cat <<EOF > /etc/freeradius-web/naslist.conf
		788	nas1_name: alcasar-$ORGANISME
		789	nas1_model: Network Access Controler
		790	nas1_ip: $PRIVATE_IP
		791	nas1_port_num: 0
		792	nas1_community: public
		793	EOF
		794	chown -R apache:apache /etc/freeradius-web/
		795	# create the log & backup structure :
1489	richard	796	# - base = users database
		797	# - archive = tarball of "base + http firewall + netflow"
1833	richard	798	# - security = watchdog log
2829	rexy	799	# - conf_file = archive conf file (usefull in updating process)
2887	rexy	800	for i in base archive security activity_report iot_captures;
1	root	801	do
		802	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		803	done
5	franck	804	chown -R root:apache $DIR_SAVE
1833	richard	805	# Configuring & securing php
2887	rexy	806	[ -e /etc/php.d/05_date.ini ] \|\| cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
		807	timezone=`timedatectl show --property=Timezone\|cut -d"=" -f2`
		808	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
71	richard	809	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
411	richard	810	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		811	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
2397	tom.houday	812	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
		813	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
71	richard	814	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		815	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
2397	tom.houday	816	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
2488	lucas.echa	817	# Configuring & securing Lighttpd
790	richard	818	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
2488	lucas.echa	819	[ -e /etc/lighttpd/lighttpd.conf.default ] \|\| cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
		820	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
2688	lucas.echa	821	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
		822	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
2488	lucas.echa	823	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
		824	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
2592	rexy	825
		826	[ -e /etc/lighttpd/modules.conf.default ] \|\| cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
2812	rexy	827	$SED "s?^#[ ]\"mod_auth\",.?\"mod_auth\",?g" /etc/lighttpd/modules.conf
		828	$SED "s?^#[ ]\"mod_alias\",.?\"mod_alias\",?g" /etc/lighttpd/modules.conf
		829	$SED "s?^#[ ]\"mod_redirect\",.?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
		830	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
2488	lucas.echa	831	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
		832
2592	rexy	833	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] \|\| cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
2739	rexy	834	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
2592	rexy	835
		836	[ -e /etc/php-fpm.conf.default ] \|\| cp /etc/php-fpm.conf /etc/php-fpm.conf.default
		837	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
		838	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
		839	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
		840
		841	[ -d /etc/lighttpd/vhosts.d ] \|\| mkdir /etc/lighttpd/vhosts.d
		842	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
2688	lucas.echa	843	$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
		844	$SED 's/^$SERVER\["socket"\] == ".:443./$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
		845	$SED "s/^$[\t ]$var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
		846	$SED "s/^$[\t ]$var.server_name./\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
2818	rexy	847	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
2592	rexy	848
2588	rexy	849	[ -d /var/log/lighttpd ] \|\| mkdir /var/log/lighttpd
		850	[ -e /var/log/lighttpd/access.log ] \|\| touch /var/log/lighttpd/access.log
		851	[ -e /var/log/lighttpd/error.log ] \|\| touch /var/log/lighttpd/error.log
2688	lucas.echa	852
2588	rexy	853	chown -R apache:apache /var/log/lighttpd
2488	lucas.echa	854
2552	rexy	855	# Creation of the first account (in 'admin' profile)
2293	tom.houday	856	if [ "$mode" = "install" ]
2688	lucas.echa	857	then
		858	header_install
1268	richard	859	# Creation of keys file for the admin account ("admin")
2688	lucas.echa	860	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		861	mkdir -p $DIR_DEST_ETC/digest
		862	chmod 755 $DIR_DEST_ETC/digest
2737	rexy	863	if [ $Lang == "fr" ]
2760	lucas.echa	864	then echo "Création du premier compte administrateur : "
		865	else echo "Creation of the first admin account : "
2737	rexy	866	fi
2688	lucas.echa	867	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		868	do
		869	$DIR_DEST_BIN/alcasar-profil.sh --add admin
		870	done
2293	tom.houday	871	fi
2818	rexy	872	# Creation of ACC certs links
		873	[ -d /var/www/html/certs ] \|\| mkdir /var/www/html/certs
		874	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
		875	# Run lighttpd after coova (in order waiting tun0 to be up)
2488	lucas.echa	876	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
2293	tom.houday	877	# Log file for ACC access imputability
2887	rexy	878	[ -e $DIR_SAVE/security/acc_access.log ] \|\| touch $DIR_SAVE/security/acc_access.log
		879	chown root:apache $DIR_SAVE/security/acc_access.log
		880	chmod 664 $DIR_SAVE/security/acc_access.log
2888	rexy	881	# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
		882	cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
2724	rexy	883	} # End of ACC()
1	root	884
2552	rexy	885	#############################################################
		886	## Function "time_server" ##
		887	## - Configuring NTP server ##
		888	#############################################################
2724	rexy	889	time_server()
1837	richard	890	{
		891	# Set the Internet time server
		892	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		893	cat <<EOF > /etc/ntp/step-tickers
		894	0.fr.pool.ntp.org # adapt to your country
		895	1.fr.pool.ntp.org
		896	2.fr.pool.ntp.org
		897	EOF
		898	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		899	cat <<EOF > /etc/ntp.conf
		900	server 0.fr.pool.ntp.org # adapt to your country
		901	server 1.fr.pool.ntp.org
		902	server 2.fr.pool.ntp.org
		903	server 127.127.1.0 # local clock si NTP internet indisponible ...
		904	fudge 127.127.1.0 stratum 10
		905	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
		906	restrict 127.0.0.1
		907	driftfile /var/lib/ntp/drift
		908	logfile /var/log/ntp.log
		909	disable monitor
		910	EOF
		911	chown -R ntp:ntp /var/lib/ntp
		912	# Synchronize now
2688	lucas.echa	913	ntpd -4 -q -g &
2724	rexy	914	} # End of time_server()
1837	richard	915
2541	rexy	916	#####################################################################
		917	## Function "init_db" ##
		918	## - Mysql initialization ##
		919	## - Set admin (root) password ##
		920	## - Remove unused users & databases ##
		921	## - Radius database creation ##
		922	## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
		923	#####################################################################
2724	rexy	924	init_db()
1	root	925	{
2688	lucas.echa	926	if [ "`systemctl is-active mysqld`" == "active" ]
1990	richard	927	then
		928	systemctl stop mysqld
		929	fi
1355	richard	930	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	931	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
1355	richard	932	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1979	richard	933	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
1980	richard	934	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
		935	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed
2591	rexy	936	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
2724	rexy	937	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
2416	richard	938	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
		939	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
		940	/usr/bin/systemctl start mysqld
1963	richard	941	nb_round=1
1981	richard	942	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
1963	richard	943	do
		944	nb_round=`expr $nb_round + 1`
		945	sleep 2
		946	done
1981	richard	947	if [ ! -S /var/lib/mysql/mysql.sock ]
1963	richard	948	then
1981	richard	949	echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
1963	richard	950	exit
1955	richard	951	fi
1355	richard	952	# Secure the server
2688	lucas.echa	953	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON . TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
2416	richard	954	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
2688	lucas.echa	955	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		956	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	957	# Create 'radius' database
2688	lucas.echa	958	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	959	# Add an empty radius database structure
2688	lucas.echa	960	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
615	richard	961	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	962	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
2416	richard	963	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		964	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
		965	/usr/bin/systemctl unset-environment MYSQLD_OPTS
1574	richard	966	/usr/bin/systemctl daemon-reload
2724	rexy	967	} # End of init_db()
1	root	968
2423	richard	969	###################################################################
		970	## Function "freeradius" ##
		971	## - Set the configuration files ##
		972	## - Set the shared secret between coova-chilli and freeradius ##
		973	## - Adapt the Mysql conf file and counters ##
		974	###################################################################
2724	rexy	975	freeradius()
1	root	976	{
1800	richard	977	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1	root	978	chown -R radius:radius /etc/raddb
		979	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
2420	richard	980	# Set radius global parameters (radius.conf)
1	root	981	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		982	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		983	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
2420	richard	984	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
		985	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
2728	rexy	986	# Add ALCASAR & Coovachilli dictionaries
		987	[ -e /etc/raddb/dictionary.default ] \|\| cp /etc/raddb/dictionary /etc/raddb/dictionary.default
2730	rexy	988	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
		989	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
		990	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
		991	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
2420	richard	992	# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1	root	993	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		994	cat << EOF > /etc/raddb/clients.conf
2438	richard	995	client localhost {
		996	ipaddr = 127.0.0.1
1	root	997	secret = $secretradius
2438	richard	998	shortname = chilli
2454	tom.houday	999	nas_type = other
1	root	1000	}
		1001	EOF
2758	rexy	1002	# Set Virtual server
		1003	# Remvoveing all except "alcasar virtual site")
		1004	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled) Change the firewall rules to allow "radius" extern connections.
2467	richard	1005	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
		1006	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
		1007	chown radius:apache /etc/raddb/sites-available/alcasar*
		1008	chmod 660 /etc/raddb/sites-available/alcasar*
2758	rexy	1009	rm -f /etc/raddb/sites-enabled/*
2420	richard	1010	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
2454	tom.houday	1011	# Set modules
2728	rexy	1012	# Add custom LDAP "available module"
2758	rexy	1013	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
2465	richard	1014	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
		1015	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
2728	rexy	1016	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
2454	tom.houday	1017	rm -rf /etc/raddb/mods-enabled/*
2615	tom.houday	1018	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
2454	tom.houday	1019	do
		1020	ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
		1021	done
2758	rexy	1022	# Configure SQL module
2420	richard	1023	[ -e /etc/raddb/mods-available/sql.default ] \|\| cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
2423	richard	1024	$SED "s?^[\t ]driver =.?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
		1025	$SED "s?^[\t ]dialect =.?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
2420	richard	1026	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
2423	richard	1027	$SED "s?^#[\t ]server =.?server = \"localhost\"?g" /etc/raddb/mods-available/sql
		1028	$SED "s?^#[\t ]port =.?port = \"3306\"?g" /etc/raddb/mods-available/sql
		1029	$SED "s?^#[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
		1030	$SED "s?^#[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
2758	rexy	1031	# no TLS encryption on 127.0.0.1
2763	rexy	1032	$SED "s?^[\t ]ca_file =.?#&?g" /etc/raddb/mods-available/sql
		1033	$SED "s?^[\t ]ca_path =.?#&?g" /etc/raddb/mods-available/sql
		1034	$SED "s?^[\t ]certificate_file =.?#&?g" /etc/raddb/mods-available/sql
		1035	$SED "s?^[\t ]private_key_file =.?#&?g" /etc/raddb/mods-available/sql
		1036	$SED "s?^[\t ]cipher =.?#&?g" /etc/raddb/mods-available/sql
		1037	$SED "s?^[\t ]tls_required =.?tls_required = no?g" /etc/raddb/mods-available/sql
2454	tom.houday	1038	# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
2420	richard	1039	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] \|\| cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
		1040	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
		1041	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
2421	richard	1042	# sqlcounter modifications
2470	richard	1043	[ -e /etc/raddb/mods-available/sqlcounter.default ] \|\| cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
		1044	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
		1045	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
2421	richard	1046	# make certain that mysql is up before freeradius start
1358	richard	1047	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		1048	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1574	richard	1049	/usr/bin/systemctl daemon-reload
2597	tom.houday	1050	# Allow apache to change some conf files (ie : ldap on/off)
		1051	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
2770	rexy	1052	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
2724	rexy	1053	} # End of freeradius()
1	root	1054
2423	richard	1055	#############################################################################
2552	rexy	1056	## Function "chilli" ##
2423	richard	1057	## - Creation of the conf file and init file (systemd) for coova-chilli ##
		1058	## - Adapt the authentication web page (intercept.php) ##
		1059	#############################################################################
2724	rexy	1060	chilli()
1	root	1061	{
1370	richard	1062	# chilli unit for systemd
2324	tom.houday	1063	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1064	# This file is part of systemd.
		1065	#
		1066	# systemd is free software; you can redistribute it and/or modify it
		1067	# under the terms of the GNU General Public License as published by
		1068	# the Free Software Foundation; either version 2 of the License, or
		1069	# (at your option) any later version.
2771	rexy	1070
		1071	# This unit launches coova-chilli a captive portal
1370	richard	1072	[Unit]
		1073	Description=chilli is a captive portal daemon
		1074	After=network.target
		1075
		1076	[Service]
1379	richard	1077	Type=forking
1370	richard	1078	ExecStart=/usr/libexec/chilli start
		1079	ExecStop=/usr/libexec/chilli stop
		1080	ExecReload=/usr/libexec/chilli reload
2775	rexy	1081	PIDFile=/run/chilli.pid
1370	richard	1082
		1083	[Install]
		1084	WantedBy=multi-user.target
		1085	EOF
799	richard	1086	# init file creation
1370	richard	1087	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
1801	richard	1088	cat <<EOF > /etc/init.d/chilli
799	richard	1089	#!/bin/sh
		1090	#
		1091	# chilli CoovaChilli init
		1092	#
		1093	# chkconfig: 2345 65 35
		1094	# description: CoovaChilli
		1095	### BEGIN INIT INFO
		1096	# Provides: chilli
2454	tom.houday	1097	# Required-Start: network
		1098	# Should-Start:
799	richard	1099	# Required-Stop: network
2454	tom.houday	1100	# Should-Stop:
799	richard	1101	# Default-Start: 2 3 5
		1102	# Default-Stop:
		1103	# Description: CoovaChilli access controller
		1104	### END INIT INFO
		1105
		1106	[ -f /usr/sbin/chilli ] \|\| exit 0
		1107	. /etc/init.d/functions
		1108	CONFIG=/etc/chilli.conf
2775	rexy	1109	pidfile=/run/chilli.pid
799	richard	1110	[ -f \$CONFIG ] \|\| {
2394	tom.houday	1111	echo "\$CONFIG Not found"
		1112	exit 0
799	richard	1113	}
2882	rexy	1114	current_users_file="/tmp/current_users.txt" # file containing active users
799	richard	1115	RETVAL=0
		1116	prog="chilli"
		1117	case \$1 in
2394	tom.houday	1118	start)
2454	tom.houday	1119	if [ -f \$pidfile ] ; then
2394	tom.houday	1120	gprintf "chilli is already running"
		1121	else
		1122	gprintf "Starting \$prog: "
2884	rexy	1123	echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file
2775	rexy	1124	rm -f /run/chilli* # cleaning
2394	tom.houday	1125	/usr/sbin/modprobe tun >/dev/null 2>&1
		1126	echo 1 > /proc/sys/net/ipv4/ip_forward
		1127	[ -e /dev/net/tun ] \|\| {
2454	tom.houday	1128	(cd /dev;
		1129	mkdir net;
		1130	cd net;
2394	tom.houday	1131	mknod tun c 10 200)
		1132	}
		1133	ifconfig $INTIF 0.0.0.0
		1134	/usr/sbin/ethtool -K $INTIF gro off
		1135	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1136	RETVAL=\$?
		1137	fi
		1138	;;
799	richard	1139
2394	tom.houday	1140	reload)
		1141	killall -HUP chilli
		1142	;;
799	richard	1143
2394	tom.houday	1144	restart)
		1145	\$0 stop
		1146	sleep 2
		1147	\$0 start
		1148	;;
799	richard	1149
2394	tom.houday	1150	status)
		1151	status chilli
		1152	RETVAL=0
		1153	;;
		1154
		1155	stop)
2454	tom.houday	1156	if [ -f \$pidfile ] ; then
2394	tom.houday	1157	gprintf "Shutting down \$prog: "
		1158	killproc /usr/sbin/chilli
		1159	RETVAL=\$?
		1160	[ \$RETVAL = 0 ] && rm -f \$pidfile
		1161	[ -e \$current_users_file ] && rm -f \$current_users_file
2454	tom.houday	1162	else
2394	tom.houday	1163	gprintf "chilli is not running"
		1164	fi
		1165	;;
		1166
		1167	*)
		1168	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1169	exit 1
799	richard	1170	esac
		1171	echo
		1172	EOF
2324	tom.houday	1173	chmod a+x /etc/init.d/chilli
		1174	ln -s /etc/init.d/chilli /usr/libexec/chilli
799	richard	1175	# conf file creation
346	richard	1176	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
2016	raphael.pi	1177	#NTP Option configuration for DHCP
2032	richard	1178	#DHCP Options : rfc2132
		1179	#dhcp option value will be convert in hexa.
		1180	#NTP option (or 'option 42') is like :
2454	tom.houday	1181	#
2032	richard	1182	# Code Len Address 1 Address 2
		1183	# +-----+-----+-----+-----+-----+-----+-----+-----+--
		1184	# \| 42 \| n \| a1 \| a2 \| a3 \| a4 \| a1 \| a2 \| ...
		1185	# +-----+-----+-----+-----+-----+-----+-----+-----+--
		1186	#
		1187	#Code : 42 => 2a
		1188	#Len : 4 => 04
2688	lucas.echa	1189	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP \| cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP \| cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP \| cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP \| cut -d'.' -f4)")
346	richard	1190	cat <<EOF > /etc/chilli.conf
		1191	# coova config for ALCASAR
2775	rexy	1192	cmdsocket /run/chilli.sock
1336	richard	1193	unixipc chilli.$INTIF.ipc
2775	rexy	1194	pidfile /run/chilli.pid
346	richard	1195	net $PRIVATE_NETWORK_MASK
595	richard	1196	dhcpif $INTIF
841	richard	1197	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1198	#nodynip
865	richard	1199	#statip
		1200	dynip $PRIVATE_NETWORK_MASK
1249	richard	1201	domain $DOMAIN
355	richard	1202	dns1 $PRIVATE_IP
		1203	dns2 $PRIVATE_IP
346	richard	1204	uamlisten $PRIVATE_IP
503	richard	1205	uamport 3990
2370	tom.houday	1206	uamuiport 3991
837	richard	1207	macauth
		1208	macpasswd password
1697	richard	1209	strictmacauth
1243	richard	1210	locationname $HOSTNAME.$DOMAIN
346	richard	1211	radiusserver1 127.0.0.1
		1212	radiusserver2 127.0.0.1
		1213	radiussecret $secretradius
		1214	radiusauthport 1812
		1215	radiusacctport 1813
2818	rexy	1216	uamserver http://$HOSTNAME.$DOMAIN/intercept.php
2374	tom.houday	1217	redirurl
1243	richard	1218	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1219	uamsecret $secretuam
1249	richard	1220	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1221	coaport 3799
1379	richard	1222	conup $DIR_DEST_BIN/alcasar-conup.sh
		1223	condown $DIR_DEST_BIN/alcasar-condown.sh
2594	tom.houday	1224	macup $DIR_DEST_BIN/alcasar-macup.sh
503	richard	1225	include $DIR_DEST_ETC/alcasar-uamallowed
		1226	include $DIR_DEST_ETC/alcasar-uamdomain
2016	raphael.pi	1227	dhcpopt 2a04$PRIVATE_IP_HEXA
1613	franck	1228	#dhcpgateway none
		1229	#dhcprelayagent none
1610	franck	1230	#dhcpgatewayport none
2234	richard	1231	sslkeyfile /etc/pki/tls/private/alcasar.key
		1232	sslcertfile /etc/pki/tls/certs/alcasar.crt
2818	rexy	1233	#redirssl
		1234	#uamuissl
346	richard	1235	EOF
2274	richard	1236	# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1237	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
2274	richard	1238	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
840	richard	1239	# create files for trusted domains and urls
1148	crox53	1240	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1241	chown root:apache $DIR_DEST_ETC/alcasar-*
		1242	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1243	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1244	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
796	richard	1245	# user 'chilli' creation (in order to run conup/off and up/down scripts
2396	tom.houday	1246	chilli_exist=`grep -c ^chilli: /etc/passwd`
796	richard	1247	if [ "$chilli_exist" == "1" ]
		1248	then
2454	tom.houday	1249	userdel -r chilli 2>/dev/null
796	richard	1250	fi
		1251	groupadd -f chilli
		1252	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
2724	rexy	1253	} # End of chilli()
1349	richard	1254
2541	rexy	1255	################################################################
2521	armand.ito	1256	## Function "e2guardian" ##
2541	rexy	1257	## - Set the parameters of this HTML proxy (as controler) ##
		1258	################################################################
2724	rexy	1259	e2guardian()
1	root	1260	{
2758	rexy	1261	# Adapt systemd unit
		1262	[ -e /lib/systemd/system/e2guardian.service.default ] \|\| cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
2521	armand.ito	1263	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
		1264	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
		1265	[ -e $DIR_DG/e2guardian.conf.default ] \|\| cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
2758	rexy	1266	# Adapt the main conf file
1293	richard	1267	# French deny HTML page
2764	rexy	1268	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
2840	rexy	1269	# 2 filtergroups (8080 & 8090)
		1270	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
		1271	# Listen on 8080 (HTTP for BL users) only on LAN side
		1272	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
2775	rexy	1273	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
2840	rexy	1274	# Listen on 8090 (HTTP for WL/AV users) only on LAN side
		1275	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
		1276	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
2844	rexy	1277	# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
		1278	$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1293	richard	1279	# Don't log
2521	armand.ito	1280	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
2775	rexy	1281	# Disable HTML content control (weighted & banned)
2521	armand.ito	1282	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
2840	rexy	1283	# Enable authport plugin
		1284	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
		1285	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
		1286	# Enable clamd scanner
		1287	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
		1288
2841	rexy	1289	# Adapt the first group conf file
		1290	[ -e $DIR_DG/e2guardianf1.conf.default ] \|\| cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
		1291	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
		1292	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
2866	rexy	1293	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
2841	rexy	1294
2867	rexy	1295	# copy & adapt HTML templates
2866	rexy	1296	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
		1297	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
2867	rexy	1298	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
		1299	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
2866	rexy	1300
2841	rexy	1301	###### ALCASAR special filtering ####
2840	rexy	1302	# RAZ bannedphraselist
		1303	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
2758	rexy	1304	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
2519	rexy	1305	# Disable URL control with regex
2764	rexy	1306	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
2758	rexy	1307	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
2775	rexy	1308	# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
2764	rexy	1309	# [ -e /usr/share/e2guardian/languages/french/template.html.default ] \|\| mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
		1310	# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
		1311	# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] \|\| mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
		1312	# cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
2758	rexy	1313	# Dont filtering files by extension or mime-type (empty list)
497	richard	1314	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
2764	rexy	1315	touch $DIR_DG/lists/bannedextensionlist
497	richard	1316	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1317	touch $DIR_DG/lists/bannedmimetypelist
2758	rexy	1318	# Empty LAN IP list that won't be WEB filtered
497	richard	1319	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1320	touch $DIR_DG/lists/exceptioniplist
2758	rexy	1321	# Creation of ALCASAR banned site list
2841	rexy	1322	[ -e $DIR_DG/lists/greysitelist.default ] \|\| mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
		1323	cat <<EOF > $DIR_DG/lists/greysitelist
2775	rexy	1324	# E2guardian filter config for ALCASAR
		1325	# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
2758	rexy	1326	# block all SSL and CONNECT tunnels
		1327	**s
		1328	# block all SSL and CONNECT tunnels specified only as an IP
		1329	*ips
		1330	# block all sites specified only by an IP
		1331	*ip
		1332	EOF
2775	rexy	1333	# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
497	richard	1334	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
2758	rexy	1335	cat <<EOF > $DIR_DG/lists/bannedurllist
		1336	# E2guardian filter config for ALCASAR
		1337	EOF
2775	rexy	1338	# Creation of files for rehabilited domains and urls
2758	rexy	1339	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
		1340	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
		1341	touch $DIR_DG/lists/exceptionsitelist
		1342	touch $DIR_DG/lists/exceptionurllist
		1343	# Add Bing to the safesearch url regext list (parental control)
2775	rexy	1344	[ -e $DIR_DG/lists/urlregexplist.default ] \|\| cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
2758	rexy	1345	cat <<EOF >> $DIR_DG/lists/urlregexplist
2776	rexy	1346
2758	rexy	1347	# Bing - add 'adlt=strict'
		1348	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1349	EOF
		1350	# 'Safesearch' regex actualisation
		1351	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
		1352	# change the google safesearch ("safe=strict" instead of "safe=vss")
		1353	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
2841	rexy	1354
		1355	# Create & adapt the second group conf file (av + av_wl)
		1356	cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
		1357	$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
2842	rexy	1358	$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
		1359	$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
2841	rexy	1360
2775	rexy	1361	# create log folder
		1362	mkdir -p /var/log/e2guardian
		1363	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
2724	rexy	1364	} # End of e2guardian()
1	root	1365
71	richard	1366	##################################################################
2519	rexy	1367	## Function "antivirus" ##
2840	rexy	1368	## - Set the parameters of clamav and freshclam ##
71	richard	1369	##################################################################
2724	rexy	1370	antivirus()
71	richard	1371	{
2840	rexy	1372	# Clamd adaptation to e2guardian
2841	rexy	1373	[ -e /lib/systemd/system/clamav-daemon.service.default ] \|\| cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
		1374	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
		1375	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
2868	rexy	1376	[ -e /lib/systemd/system/clamav-daemon.socket.default ] \|\| cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
		1377	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
		1378	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
		1379
2840	rexy	1380	[ -e /etc/clamd.conf.default ] \|\| cp /etc/clamd.conf /etc/clamd.conf.default
2841	rexy	1381	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
		1382	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
		1383	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
		1384	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
2865	rexy	1385	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
		1386	$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
		1387	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
2840	rexy	1388	chmod 775 /var/log/clamav /var/lib/clamav
		1389	chmod 664 /var/log/clamav/*
1358	richard	1390	# update virus database every 4 hours (24h/6)
1357	richard	1391	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1392	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1393	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
2865	rexy	1394	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
2764	rexy	1395	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
2841	rexy	1396	$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1397	# update now
2801	rexy	1398	/usr/bin/freshclam --no-warnings --quiet
2724	rexy	1399	} # End of antivirus()
71	richard	1400
2724	rexy	1401	##############################################################
		1402	## function "ulogd" ##
		1403	## - Ulog config for multi-log files ##
		1404	##############################################################
		1405	ulogd()
476	richard	1406	{
		1407	# Three instances of ulogd (three different logfiles)
		1408	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1409	nl=1
1358	richard	1410	for log_type in traceability ssh ext-access
478	richard	1411	do
1365	richard	1412	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1413	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1414	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1704	richard	1415	$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
478	richard	1416	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1417	[emu1]
478	richard	1418	file="/var/log/firewall/$log_type.log"
		1419	sync=1
		1420	EOF
1452	richard	1421	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1422	nl=`expr $nl + 1`
		1423	done
476	richard	1424	chown -R root:apache /var/log/firewall
		1425	chmod 750 /var/log/firewall
		1426	chmod 640 /var/log/firewall/*
2724	rexy	1427	} # End of ulogd()
476	richard	1428
1159	crox53	1429	##########################################################
2519	rexy	1430	## Function "nfsen" ##
2771	rexy	1431	## - configure NetFlow collector (nfcapd) ##
		1432	## - configure NetFlow grapher (nfsen-ng) ##
1159	crox53	1433	##########################################################
1389	richard	1434	nfsen()
1	root	1435	{
2772	rexy	1436	groupadd -f nfcapd
2868	rexy	1437	id -u nfcapd >/dev/null 2>&1 \|\| useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
2771	rexy	1438	# nfcapd unit for systemd
		1439	cat << EOF > /lib/systemd/system/nfcapd.service
1372	richard	1440	# This file is part of systemd.
		1441	#
		1442	# systemd is free software; you can redistribute it and/or modify it
		1443	# under the terms of the GNU General Public License as published by
		1444	# the Free Software Foundation; either version 2 of the License, or
		1445	# (at your option) any later version.
		1446
2771	rexy	1447	# This unit launches nfcapd (a Netflow collector).
1372	richard	1448	[Unit]
2771	rexy	1449	Description=Netflow Capture Daemon
		1450	After=network-online.target iptables.service
1372	richard	1451
		1452	[Service]
2771	rexy	1453	Type=exec
2776	rexy	1454	ExecStartPre=/bin/mkdir -p /run/nfcapd
		1455	ExecStartPre=/bin/chown nfcapd:nfcapd /run/nfcapd
2771	rexy	1456	PIDFile=/run/nfcapd/nfcapd.pid
2825	rexy	1457	ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profiles-data/live/alcasar_netflow
2771	rexy	1458	ExecReload=/bin/kill -HUP $MAINPID
1372	richard	1459
		1460	[Install]
		1461	WantedBy=multi-user.target
		1462	EOF
2825	rexy	1463	[ -d /var/log/nfsen/profiles-data/live/alcasar_netflow ] \|\| mkdir -p /var/log/nfsen/profiles-data/live/alcasar_netflow
2775	rexy	1464	[ -d /run/nfcapd ] \|\| mkdir -p /run/nfcapd
		1465	chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
2724	rexy	1466	} # End of nfsen()
1	root	1467
2552	rexy	1468	###########################################################
		1469	## Function "vnstat" ##
2809	rexy	1470	## - Initialization of vnstat and vnstat-dashboard ##
2552	rexy	1471	###########################################################
2724	rexy	1472	vnstat()
1541	richard	1473	{
2809	rexy	1474	# vnstat
		1475	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
2589	rexy	1476	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
2688	lucas.echa	1477	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
2809	rexy	1478	# vnstat-dashboard
		1479	$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
2844	rexy	1480	[ -e /lib/systemd/system/vnstat.service.default ] \|\| cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
2870	rexy	1481	$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
2724	rexy	1482	} # End of vnstat()
2281	tom.houday	1483
2724	rexy	1484	###################################################################
		1485	## Function "dnsmasq" ##
		1486	## - creation of the conf files of dnsmasq (whitelist for ipset )##
		1487	###################################################################
		1488	dnsmasq()
219	jeremy	1489	{
		1490	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
2688	lucas.echa	1491	[ -e /etc/dnsmasq.conf.default ] \|\| mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
2724	rexy	1492	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1928	richard	1493	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1494	# Configuration file for "dnsmasq with whitelist"
1873	richard	1495	# ADD Toulouse university whitelist domains
2775	rexy	1496	pid-file=/run/dnsmasq-whitelist.pid
2688	lucas.echa	1497	listen-address=127.0.0.1
1356	richard	1498	port=55
1472	richard	1499	no-dhcp-interface=lo
1356	richard	1500	bind-interfaces
1721	richard	1501	cache-size=1024
1356	richard	1502	domain-needed
		1503	expand-hosts
		1504	bogus-priv
		1505	filterwin2k
2688	lucas.echa	1506	ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
		1507	server=$DNS1
		1508	server=$DNS2
1356	richard	1509	EOF
2688	lucas.echa	1510	# Create dnsmasq-whitelist unit
2745	rexy	1511	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
2688	lucas.echa	1512	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
		1513	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
2775	rexy	1514	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
2724	rexy	1515	} # End of dnsmasq()
2688	lucas.echa	1516
2724	rexy	1517	#########################################################
		1518	## Function "unbound" ##
		1519	## - create the conf files for 4 unbound services ##
		1520	## - create the systemd files for 4 unbound services ##
		1521	#########################################################
2688	lucas.echa	1522	unbound ()
		1523	{
		1524	[ -d /etc/unbound/conf.d ] \|\| mkdir -p /etc/unbound/conf.d
		1525	[ -d /etc/unbound/conf.d/common ] \|\| mkdir /etc/unbound/conf.d/common
		1526	[ -d /etc/unbound/conf.d/common/local-forward ] \|\| mkdir /etc/unbound/conf.d/common/local-forward
		1527	[ -d /etc/unbound/conf.d/common/local-dns ] \|\| mkdir /etc/unbound/conf.d/common/local-dns
		1528	[ -d /etc/unbound/conf.d/forward ] \|\| mkdir /etc/unbound/conf.d/forward
		1529	[ -d /etc/unbound/conf.d/blacklist ] \|\| mkdir /etc/unbound/conf.d/blacklist
		1530	[ -d /etc/unbound/conf.d/whitelist ] \|\| mkdir /etc/unbound/conf.d/whitelist
		1531	[ -d /etc/unbound/conf.d/blackhole ] \|\| mkdir /etc/unbound/conf.d/blackhole
2833	rexy	1532	[ -d /var/log/unbound ] \|\| mkdir /var/log/unbound
		1533	chown unbound:unbound /var/log/unbound
2688	lucas.echa	1534	[ -e /etc/unbound/unbound.conf.default ] \|\| cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
		1535
2724	rexy	1536	# Forward zone configuration file for all unbound dns servers
2688	lucas.echa	1537	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
		1538	forward-zone:
		1539	name: "."
		1540	forward-addr: $DNS1
		1541	forward-addr: $DNS2
1472	richard	1542	EOF
		1543
2724	rexy	1544	# Custom configuration file for manual DNS configuration
2688	lucas.echa	1545	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
		1546	## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
		1547	## Add one block for each domain name managed by an other DNS server
		1548	##
		1549	## Example:
		1550	##
		1551	## server:
		1552	## local-zone: "<your_domain>." transparent
		1553	## forward-zone:
		1554	## name: "<your_domain>."
		1555	## forward-addr: <@IP_domain_server>
		1556	##
2558	rexy	1557	EOF
		1558
2724	rexy	1559	# Configuration file of ALCASAR main domains for $INTIF
2688	lucas.echa	1560	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
		1561	server:
		1562	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
2831	rexy	1563	local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
2688	lucas.echa	1564	EOF
		1565
2724	rexy	1566	# Configuration file for lo of forward unbound
2688	lucas.echa	1567	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
		1568	server:
		1569	interface: 127.0.0.1@53
		1570	access-control-view: 127.0.0.1/8 lo
		1571	view:
		1572	name: "lo"
2864	rexy	1573	local-data: "$HOSTNAME A 127.0.0.1"
2688	lucas.echa	1574	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
2864	rexy	1575	local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
2688	lucas.echa	1576	view-first: yes
		1577	EOF
		1578
2724	rexy	1579	# Configuration file for $INTIF of forward unbound
2688	lucas.echa	1580	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
		1581	server:
		1582	interface: ${PRIVATE_IP}@53
		1583	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
		1584	view:
		1585	name: "$INTIF"
		1586	view-first: yes
		1587	EOF
		1588
2831	rexy	1589	# Configuration file for main unbound
2688	lucas.echa	1590	cat << EOF > /etc/unbound/unbound.conf
		1591	server:
		1592	verbosity: 1
		1593	hide-version: yes
		1594	hide-identity: yes
		1595	do-ip6: no
		1596	include: /etc/unbound/conf.d/common/forward-zone.conf
		1597	include: /etc/unbound/conf.d/common/local-forward/*
		1598	include: /etc/unbound/conf.d/common/local-dns/*
		1599	include: /etc/unbound/conf.d/forward/*
		1600	EOF
		1601
2724	rexy	1602	# Configuration file for $INTIF of blacklist unbound
2688	lucas.echa	1603	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
		1604	server:
		1605	interface: ${PRIVATE_IP}@54
		1606	access-control: $PRIVATE_IP_MASK allow
		1607	access-control-tag: $PRIVATE_IP_MASK "blacklist"
		1608	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
		1609	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
		1610	EOF
		1611
2724	rexy	1612	# Configuration file for blacklist unbound
2688	lucas.echa	1613	cat << EOF > /etc/unbound/unbound-blacklist.conf
		1614	server:
		1615	verbosity: 1
		1616	hide-version: yes
		1617	hide-identity: yes
		1618	do-ip6: no
		1619	logfile: "/var/log/unbound/unbound-blacklist.log"
		1620	chroot: ""
		1621	define-tag: "blacklist"
		1622	log-local-actions: yes
		1623	include: /etc/unbound/conf.d/common/forward-zone.conf
		1624	include: /etc/unbound/conf.d/common/local-forward/*
		1625	include: /etc/unbound/conf.d/common/local-dns/*
		1626	include: /etc/unbound/conf.d/blacklist/*
		1627	include: /usr/local/share/unbound-bl-enabled/*
		1628	EOF
		1629
2724	rexy	1630	# Configuration file for $INTIF of whitelist unbound
2688	lucas.echa	1631	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
		1632	server:
		1633	interface: ${PRIVATE_IP}@55
		1634	access-control: $PRIVATE_IP_MASK allow
		1635	access-control-tag: $PRIVATE_IP_MASK "whitelist"
		1636	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
		1637	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
		1638	EOF
		1639
2724	rexy	1640	# Configuration file for whitelist unbound
2688	lucas.echa	1641	cat << EOF > /etc/unbound/unbound-whitelist.conf
		1642	server:
		1643	verbosity: 1
		1644	hide-version: yes
		1645	hide-identity: yes
		1646	do-ip6: no
		1647	do-not-query-localhost: no
		1648	define-tag: "whitelist"
		1649	local-zone: "." transparent
		1650	local-zone-tag: "." "whitelist"
2861	rexy	1651	include: /etc/unbound/conf.d/common/local-forward/*
		1652	include: /etc/unbound/conf.d/common/local-dns/*
		1653	include: /etc/unbound/conf.d/whitelist/*
2688	lucas.echa	1654	include: /usr/local/share/unbound-wl-enabled/*
		1655	forward-zone:
		1656	name: "."
2881	rexy	1657	forward-addr: 127.0.0.1@55
2688	lucas.echa	1658	EOF
		1659
2724	rexy	1660	# Configuration file for $INTIF of blackhole unbound
2688	lucas.echa	1661	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
		1662	server:
		1663	interface: ${PRIVATE_IP}@56
		1664	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
		1665	view:
		1666	name: "$INTIF"
		1667	local-zone: "." redirect
		1668	local-data: ". A $PRIVATE_IP"
		1669	EOF
		1670
2724	rexy	1671	# Configuration file for blackhole unbound
2688	lucas.echa	1672	cat << EOF > /etc/unbound/unbound-blackhole.conf
		1673	server:
		1674	verbosity: 1
		1675	hide-version: yes
		1676	hide-identity: yes
		1677	do-ip6: no
2861	rexy	1678	include: /etc/unbound/conf.d/common/local-forward/*
		1679	include: /etc/unbound/conf.d/common/local-dns/*
2688	lucas.echa	1680	include: /etc/unbound/conf.d/blackhole/*
		1681	EOF
		1682
		1683	if [ ! -e /lib/systemd/system/unbound.service.default ]
		1684	then
		1685	cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
		1686	fi
		1687	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
		1688	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
		1689	for list in blacklist blackhole whitelist
1474	richard	1690	do
2688	lucas.echa	1691	cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
		1692	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
2775	rexy	1693	$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1474	richard	1694	done
2688	lucas.echa	1695	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
2724	rexy	1696	} # End of unbound()
2688	lucas.echa	1697
2689	lucas.echa	1698	##################################################
		1699	## Function "dhcpd" ##
		1700	##################################################
2724	rexy	1701	dhcpd()
2689	lucas.echa	1702	{
		1703	[ -e /etc/dhcpd.conf.default ] \|\| cp /etc/dhcpd.conf /etc/dhcpd.conf.default
		1704	cat <<EOF > /etc/dhcpd.conf
		1705	ddns-update-style none;
		1706	subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
		1707	option routers $PRIVATE_IP;
		1708	option subnet-mask $PRIVATE_NETMASK;
		1709	option domain-name-servers $PRIVATE_IP;
		1710	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
		1711	default-lease-time 21600;
		1712	max-lease-time 43200;
		1713	}
		1714	EOF
2724	rexy	1715	} # End of dhcpd()
2689	lucas.echa	1716
2552	rexy	1717	##########################################################
		1718	## Function "BL" ##
2769	rexy	1719	## - copy & adapt Toulouse BL to ALCASAR architecture ##
2688	lucas.echa	1720	## - domain names for unbound-bl & unbound-wl ##
2552	rexy	1721	## - URLs for E²guardian ##
		1722	## - IPs for NetFilter ##
2769	rexy	1723	## - copy additional BLs (TOR + Ultrasurf + C&C) ##
2552	rexy	1724	##########################################################
2724	rexy	1725	BL()
308	richard	1726	{
1930	richard	1727	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
648	richard	1728	rm -rf $DIR_DG/lists/blacklists
1930	richard	1729	mkdir -p /tmp/blacklists
1938	richard	1730	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
2769	rexy	1731	# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
1957	richard	1732	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
		1733	touch $DIR_DG/lists/blacklists/ossi-bl/domains
		1734	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
		1735	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
		1736	touch $DIR_DG/lists/blacklists/ossi-wl/domains
		1737	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
2769	rexy	1738	# add additional BL files
2770	rexy	1739	for x in $(ls $DIR_BLACKLIST \| grep -v "^blacklists")
1957	richard	1740	do
		1741	mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
		1742	cp $DIR_BLACKLIST/$x $DIR_DG/lists/blacklists/ossi-bl-$x/domains
		1743	echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
		1744	done
2521	armand.ito	1745	chown -R e2guardian:apache $DIR_DG
1957	richard	1746	chown -R root:apache $DIR_DEST_SHARE
		1747	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1927	richard	1748	# adapt the Toulouse BL to ALCASAR architecture
1957	richard	1749	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1925	richard	1750	# enable the default categories
1957	richard	1751	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
2560	rexy	1752	rm -rf /tmp/blacklists
2724	rexy	1753	} # End of BL()
219	jeremy	1754
2552	rexy	1755	#######################################################
		1756	## Function "cron" ##
		1757	## - write all cron & anacron files ##
		1758	#######################################################
2724	rexy	1759	cron()
1	root	1760	{
2640	rexy	1761	# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1	root	1762	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1763	cat <<EOF > /etc/crontab
1828	richard	1764	SHELL=/usr/bin/bash
2640	rexy	1765	PATH=/sbin:/bin:/usr/sbin:/usr/bin
1	root	1766	MAILTO=root
		1767	HOME=/
		1768
		1769	# run-parts
		1770	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1771	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1772	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1773	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1774	EOF
		1775	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1776	cat <<EOF >> /etc/anacrontab
2454	tom.houday	1777	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1778	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
1	root	1779	EOF
811	richard	1780	cat <<EOF > /etc/cron.d/alcasar-mysql
2640	rexy	1781	# Verify, repair and export users database (every monday at 4:45 am)
1828	richard	1782	45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
2640	rexy	1783	# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1828	richard	1784	40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1785	EOF
952	franck	1786	cat <<EOF > /etc/cron.d/alcasar-archive
2640	rexy	1787	# Archiving logs (traceability & users database) (every Monday at 5:35 am)
952	franck	1788	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1789	EOF
2454	tom.houday	1790	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
2640	rexy	1791	# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1566	richard	1792	30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
168	franck	1793	EOF
2454	tom.houday	1794	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
2640	rexy	1795	# Update the system (everyday at 3:30 am)
762	franck	1796	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1797	EOF
2454	tom.houday	1798	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1808	richard	1799	# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
2640	rexy	1800	# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
		1801	# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
		1802	# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
		1803	# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
		1804	# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1808	richard	1805	1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
		1806	5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
		1807	10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
		1808	15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
2009	raphael.pi	1809	35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1	root	1810	EOF
2454	tom.houday	1811	cat <<EOF > /etc/cron.d/alcasar-watchdog
2640	rexy	1812	# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
		1813	# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
2886	rexy	1814	# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
2640	rexy	1815	# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
2395	tom.houday	1816	/10 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1905	raphael.pi	1817
2886	rexy	1818	@daily root $DIR_DEST_BIN/alcasar-watchdog.sh --disconnect-permanent-users > /dev/null 2>&1
2228	franck	1819	#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1	root	1820	EOF
2454	tom.houday	1821	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
2886	rexy	1822	# start dead daemons (after boot process and every 20')
1851	franck	1823	@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
2886	rexy	1824	/20 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
808	franck	1825	EOF
2454	tom.houday	1826	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
2769	rexy	1827	# Automatic update the BL (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
		1828
1874	raphael.pi	1829	EOF
2769	rexy	1830	cat <<EOF > /etc/cron.d/alcasar-rsync-ossi_bl
		1831	# Automatic update the OSSI BLs (every 12 hours) by running the custom update scripts specified in '/usr/local/etc/update_ossi_cat.conf'.
		1832
		1833	EOF
2304	tom.houday	1834	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
2640	rexy	1835	# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
2304	tom.houday	1836	@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
		1837	EOF
2771	rexy	1838	cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
2886	rexy	1839	# Remove netflow files older than one year (daily --> see "cron.daily")
2825	rexy	1840	@daily root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/live/alcasar_netflow -t 365d
2771	rexy	1841	EOF
1808	richard	1842	# removing the users crons
522	richard	1843	rm -f /var/spool/cron/*
2724	rexy	1844	} # End of cron()
1	root	1845
2867	rexy	1846	########################################################################
		1847	## Fonction "Fail2Ban" ##
		1848	##- Adapt conf file to ALCASAR ##
		1849	##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
		1850	########################################################################
1163	crox53	1851	fail2ban()
		1852	{
2868	rexy	1853	# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
2867	rexy	1854	[ -e /etc/fail2ban/jail.conf.default ] \|\| cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
		1855	$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
		1856
		1857	# add 5 jails and their filters
		1858	## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
2868	rexy	1859	cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
2867	rexy	1860	[sshd]
		1861	enabled = true
		1862	#enabled = false
		1863	maxretry = 3
2868	rexy	1864	bantime = 3m
		1865	findtime = 5m
2867	rexy	1866	EOF
		1867
		1868	## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
2868	rexy	1869	cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
2867	rexy	1870	[lighttpd-auth]
		1871	enabled = true
		1872	#enabled = false
		1873	maxretry = 3
2868	rexy	1874	bantime = 3m
		1875	findtime = 3m
2867	rexy	1876	EOF
		1877
		1878	## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
2868	rexy	1879	cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
2867	rexy	1880	[alcasar_mod-evasive]
		1881	#enabled = true
		1882	enabled = false
		1883	backend = auto
		1884	filter = alcasar_mod-evasive
		1885	action = iptables-allports[name=alcasar_mod-evasive]
		1886	logpath = /var/log/lighttpd/access.log
		1887	maxretry = 3
2868	rexy	1888	bantime = 3m
		1889	findtime = 3m
2867	rexy	1890	EOF
		1891	cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
		1892	[Definition]
		1893	failregex = <HOST> .+\] "[^"]+" 403
		1894	ignoreregex =
		1895	EOF
		1896
		1897	### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
2868	rexy	1898	cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
2867	rexy	1899	[alcasar_intercept]
		1900	enabled = true
		1901	#enabled = false
		1902	backend = auto
		1903	filter = alcasar_intercept
		1904	action = iptables-allports[name=alcasar_intercept]
		1905	logpath = /var/log/lighttpd/access.log
		1906	maxretry = 5
2868	rexy	1907	bantime = 3m
		1908	findtime = 3m
		1909	EOF
2867	rexy	1910	cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
		1911	[Definition]
		1912	failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
		1913	ignoreregex =
		1914	EOF
		1915
		1916	## alcasar_change-pwd : ban after 5 failed user change password attempts
2868	rexy	1917	cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
2867	rexy	1918	[alcasar_change-pwd]
		1919	enabled = true
		1920	#enabled = false
		1921	backend = auto
		1922	filter = alcasar_change-pwd
		1923	action = iptables-allports[name=alcasar_change-pwd]
		1924	logpath = /var/log/lighttpd/access.log
		1925	maxretry = 5
2868	rexy	1926	bantime = 3m
		1927	findtime = 3m
2867	rexy	1928	EOF
		1929	cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
		1930	[Definition]
		1931	failregex = <HOST> .* \"POST \/password\.php
		1932	ignoreregex =
		1933	EOF
		1934
2840	rexy	1935	# allow reading of 2 log files (fail2ban & watchdog).
2744	rexy	1936	[ -e /var/log/fail2ban.log ] \|\| /usr/bin/touch /var/log/fail2ban.log
2887	rexy	1937	[ -e $DIR_SAVE/security/watchdog.log ] \|\| /usr/bin/touch $DIR_SAVE/security/watchdog.log
1165	crox53	1938	chmod 644 /var/log/fail2ban.log
2887	rexy	1939	chmod 644 $DIR_SAVE/security/watchdog.log
1418	richard	1940	/usr/bin/touch /var/log/auth.log
1515	richard	1941	# fail2ban unit
		1942	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1943	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
2775	rexy	1944	$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
2488	lucas.echa	1945	$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
2724	rexy	1946	} # End of fail2ban()
1163	crox53	1947
2552	rexy	1948	#########################################################
		1949	## Fonction "gammu_smsd" ##
		1950	## - Creating of SMS management database ##
		1951	## - Write the gammu a gammu_smsd conf files ##
		1952	#########################################################
1376	richard	1953	gammu_smsd()
		1954	{
2601	tom.houday	1955	# Create 'gammu' system user
		1956	groupadd -f gammu_smsd
2868	rexy	1957	useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
2601	tom.houday	1958	usermod -a -G dialout gammu_smsd
		1959
		1960	# Create 'gammu' database
		1961	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
2688	lucas.echa	1962	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1376	richard	1963	# Add a gammu database structure
2688	lucas.echa	1964	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1376	richard	1965
2552	rexy	1966	# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
2601	tom.houday	1967	cat << EOF > /etc/gammurc
2552	rexy	1968	[gammu]
		1969	device = /dev/ttyUSB0
		1970	connection = at115200
		1971	EOF
		1972
2601	tom.houday	1973	cat << EOF > /etc/gammu_smsd_conf
1376	richard	1974	[gammu]
		1975	port = /dev/ttyUSB0
		1976	connection = at115200
		1977
		1978	[smsd]
		1979	PIN = 1234
		1980	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1981	logformat = textall
		1982	debuglevel = 0
		1983
		1984	service = sql
		1985	driver = native_mysql
		1986	user = $DB_USER
		1987	password = $radiuspwd
		1988	pc = localhost
		1989	database = $DB_GAMMU
		1990
2631	rexy	1991	RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1376	richard	1992
		1993	StatusFrequency = 30
1380	richard	1994	;LoopSleep = 2
1376	richard	1995
		1996	;ResetFrequency = 300
		1997	;HardResetFrequency = 120
		1998
2454	tom.houday	1999	CheckSecurity = 1
1376	richard	2000	CheckSignal = 1
		2001	CheckBattery = 0
		2002	EOF
2601	tom.houday	2003	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1376	richard	2004
2601	tom.houday	2005	# Create the systemd unit
		2006	cat << EOF > /lib/systemd/system/gammu-smsd.service
		2007	[Unit]
		2008	Description=SMS daemon for Gammu
		2009	Documentation=man:gammu-smsd(1)
		2010	After=network.target mysql.service
1376	richard	2011
2601	tom.houday	2012	[Service]
		2013	Type=forking
2775	rexy	2014	ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
2601	tom.houday	2015	ExecReload=/bin/kill -HUP $MAINPID
2775	rexy	2016	ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
		2017	PIDFile=/run/gammu-smsd.pid
2601	tom.houday	2018
		2019	[Install]
		2020	WantedBy=multi-user.target
		2021	EOF
		2022
2314	richard	2023	# Log folder for gammu-smsd
2772	rexy	2024	[ -d /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
2601	tom.houday	2025	chmod 755 /var/log/gammu-smsd
1376	richard	2026
2552	rexy	2027	# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
		2028	# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2542	rexy	2029	#cat << EOF > /lib/udev/rules.d/66-huawei.rules
		2030	#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
		2031	#EOF
2552	rexy	2032	# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
		2033	# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
		2034
2724	rexy	2035	} # End of gammu_smsd()
1376	richard	2036
2552	rexy	2037	############################################################
		2038	## Fonction "msec" ##
		2039	## - Apply the "fileserver" security level ##
2863	rexy	2040	## - remove the "system request" for rebooting ##
2552	rexy	2041	## - Fix several file permissions ##
		2042	############################################################
2202	richard	2043	msec()
		2044	{
		2045
		2046	# Apply fileserver security level
2211	richard	2047	[ -e /etc/security/msec/security.conf.default ] \|\| cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
		2048	echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2202	richard	2049
2203	richard	2050	# Set permissions monitoring and enforcement
2202	richard	2051	cat <<EOF > /etc/security/msec/perm.local
2801	rexy	2052	/var/log/firewall/ root.apache 750
2202	richard	2053	/var/log/firewall/* root.apache 640
		2054	/etc/security/msec/perm.local root.root 640
		2055	/etc/security/msec/level.local root.root 640
		2056	/etc/freeradius-web root.apache 750
		2057	/etc/freeradius-web/admin.conf root.apache 640
2420	richard	2058	/etc/raddb/client.conf radius.radius 640
		2059	/etc/raddb/radius.conf radius.radius 640
		2060	/etc/raddb/mods-available/ldap radius.apache 660
2202	richard	2061	/etc/raddb/sites-available/alcasar radius.apache 660
2863	rexy	2062	/etc/pki/CA/ root.apache 750 force
		2063	/etc/pki/CA/* root.apache 640 force
		2064	/etc/pki/CA/private/ root.root 700 force
		2065	/etc/pki/CA/private/* root.root 600 force
		2066	/etc/pki/tls/private/ root.apache 750 force
		2067	/etc/pki/tls/private/* root.apache 640 force
2865	rexy	2068	/var/log/clamav/ e2guardian.e2guardian 755 force
		2069	/var/log/clamav/* e2guardian.e2guardian 764 force
		2070	/var/lib/clamav/ e2guardian.e2guardian 755 force
2202	richard	2071	EOF
2454	tom.houday	2072	# apply now hourly & daily checks
2202	richard	2073	/usr/sbin/msec
2211	richard	2074	/etc/cron.weekly/msec
2202	richard	2075
2724	rexy	2076	} # End of msec()
2202	richard	2077
		2078	##################################################################
2552	rexy	2079	## Fonction "letsencrypt" ##
		2080	## - Install Let's Encrypt client ##
		2081	## - Prepare Let's Encrypt ALCASAR configuration file ##
2304	tom.houday	2082	##################################################################
		2083	letsencrypt()
		2084	{
		2085	echo "Installing Let's Encrypt client..."
2586	tom.houday	2086	# Remove potential old installers
		2087	rm -rf /tmp/acme.sh-*
2304	tom.houday	2088	# Extract acme.sh
		2089	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
		2090	pwdInstall=$(pwd)
2688	lucas.echa	2091	cd /tmp/acme.sh-* \|\| { echo "Unable to find ACME directory"; exit 1; }
2304	tom.houday	2092	acmesh_installDir="/opt/acme.sh"
		2093	acmesh_confDir="/usr/local/etc/letsencrypt"
2354	tom.houday	2094	acmesh_userAgent="ALCASAR"
2304	tom.houday	2095	# Install acme.sh
		2096	./acme.sh --install \
		2097	--home $acmesh_installDir \
		2098	--config-home $acmesh_confDir/data \
		2099	--certhome $acmesh_confDir/certs \
		2100	--accountkey $acmesh_confDir/ca/account.key \
		2101	--accountconf $acmesh_confDir/data/account.conf \
		2102	--useragent $acmesh_userAgent \
2308	tom.houday	2103	--nocron \
		2104	> /dev/null
2304	tom.houday	2105	if [ $? -ne 0 ]; then
		2106	echo "Error during installation of Let's Encrypt client (acme.sh)."
		2107	fi
		2108	# Create configuration file
		2109	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
		2110	email=
		2111	dateIssueRequest=
		2112	domainRequest=
		2113	challenge=
		2114	dateIssued=
		2115	dnsapi=
		2116	dateNextRenewal=
		2117	EOF
2688	lucas.echa	2118	cd $pwdInstall \|\| { echo "Unable to find $pwdInstall directory"; exit 1; }
2304	tom.houday	2119	rm -rf /tmp/acme.sh-*
2724	rexy	2120	} # End of letsencrypt()
2304	tom.houday	2121
		2122	##################################################################
2552	rexy	2123	## Fonction "post_install" ##
		2124	## - Modifying banners (locals et ssh) & prompts ##
		2125	## - SSH config ##
		2126	## - sudoers config & files security ##
		2127	## - log rotate & ANSSI security parameters ##
		2128	## - Apply former conf in case of an update ##
		2129	##################################################################
1	root	2130	post_install()
		2131	{
2840	rexy	2132	# change the SSHD options
2195	richard	2133	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
		2134	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
5	franck	2135	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	2136	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		2137	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		2138	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2840	rexy	2139	# sshd listens on EXTIF & INTIF
		2140	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
		2141	# sshd authorized certificate for root login
		2142	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
		2143	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
		2144
793	richard	2145	# postfix banner anonymisation
2688	lucas.echa	2146	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
1841	richard	2147	chown -R postfix:postfix /var/lib/postfix
2195	richard	2148	# ALCASAR conf file
2818	rexy	2149	echo "HTTPS_LOGIN=off" >> $CONF_FILE
2409	tom.houday	2150	echo "HTTPS_CHILLI=off" >> $CONF_FILE
1839	richard	2151	echo "SSH=on" >> $CONF_FILE
1631	richard	2152	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
628	richard	2153	echo "LDAP=off" >> $CONF_FILE
2447	richard	2154	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2461	richard	2155	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2454	tom.houday	2156	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
		2157	echo "LDAP_FILTER=" >> $CONF_FILE
		2158	echo "LDAP_USER=alcasar" >> $CONF_FILE
		2159	echo "LDAP_PASSWORD=" >> $CONF_FILE
2705	tom.houday	2160	echo "LDAP_SSL=on" >> $CONF_FILE
		2161	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2600	tom.houday	2162	echo "SMS=off" >> $CONF_FILE
		2163	echo "SMS_NUM=" >> $CONF_FILE
2454	tom.houday	2164	echo "MULTIWAN=off" >> $CONF_FILE
1078	franck	2165	echo "FAILOVER=30" >> $CONF_FILE
		2166	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	2167	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		2168	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2688	lucas.echa	2169	echo "BL_PUREIP=on" >> $CONF_FILE
		2170	echo "BL_SAFESEARCH=off" >> $CONF_FILE
		2171	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2770	rexy	2172	echo "IOT_CAPTURE=off" >> $CONF_FILE
2195	richard	2173	# Prompt customisation (colors)
1	root	2174	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	2175	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	2176	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2195	richard	2177	# sudoers configuration for "apache" & "sysadmin"
1	root	2178	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
2850	rexy	2179	cp -f $DIR_CONF/sudoers /etc/ ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	2180	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1543	richard	2181	# Modify some logrotate files (gammu, ulogd)

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 2888