1,14 → 1,14 |
#!/bin/bash |
# $Id$ |
# $Id$ |
|
# alcasar.sh |
|
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] |
# Ce programme est un logiciel libre ; This software is free and open source |
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. |
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; |
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
# Voir la Licence Publique Générale GNU pour plus de détails. |
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. |
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; |
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. |
# Voir la Licence Publique Générale GNU pour plus de détails. |
|
# team@alcasar.net |
|
18,7 → 18,7 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau) |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants : |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
|
# Options : |
39,7 → 39,7 |
# antivirus : HAVP + libclamav configuration |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# ulogd : log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Nfsen Netflow grapher |
# nfsen : Configuration of Nfsen Netflow grapher |
# dnsmasq : Name server configuration |
# vnstat : little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter) |
55,7 → 55,7 |
Lang=`echo $LANG|cut -c 1-2` |
mode="install" |
# ******* Files parameters - paramètres fichiers ********* |
DIR_INSTALL=`pwd` # current directory |
DIR_INSTALL=`pwd` # current directory |
DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files) |
DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files) |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
135,17 → 135,17 |
for i in $* |
do |
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ] |
then |
then |
DISTRIBUTION=`echo $i|cut -d"=" -f2` |
unknown_os=`expr $unknown_os + 1` |
fi |
if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ] |
then |
then |
CURRENT_VERSION=`echo $i|cut -d"=" -f2` |
unknown_os=`expr $unknown_os + 1` |
fi |
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ] |
then |
then |
ARCH=`echo $i|cut -d"=" -f2` |
unknown_os=`expr $unknown_os + 1` |
fi |
177,7 → 177,7 |
fi |
read response |
done |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
then |
rm -f /tmp/alcasar-conf* |
else |
195,7 → 195,7 |
then |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée." |
echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC" |
echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)" |
208,7 → 208,7 |
fi |
else |
if [ $Lang == "fr" ] |
then |
then |
echo "L'installation d'ALCASAR ne peut pas être réalisée." |
else |
echo "The installation of ALCASAR can't be performed." |
216,7 → 216,7 |
fi |
echo |
if [ $Lang == "fr" ] |
then |
then |
echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)" |
else |
echo "The OS must be replaced (Mageia6-64bits)" |
245,11 → 245,11 |
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1` |
for i in $IF_INTERFACES |
do |
IP_INTERFACE=`/usr/sbin/ip link|grep $i` |
IP_INTERFACE=`/usr/sbin/ip link|grep $i` |
if [ -z "$IP_INTERFACE" ] |
then |
rm -f ifcfg-$i |
|
|
if [ $Lang == "fr" ] |
then echo "Suppression : ifcfg-$i" |
else echo "Deleting : ifcfg-$i" |
258,13 → 258,13 |
done |
cd $DIR_INSTALL |
echo -n "." |
# Test Ethernet NIC links state |
# Test Ethernet NIC links state |
DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"` |
for i in $DOWN_IF |
do |
echo $i |
if [ $Lang == "fr" ] |
then |
then |
echo "Échec" |
echo "Le lien réseau de la carte $i n'est pas actif." |
echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)" |
283,7 → 283,7 |
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ] |
then |
if [ $Lang == "fr" ] |
then |
then |
echo "Échec" |
echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée." |
echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
307,7 → 307,7 |
# Test if default GW is set on EXTIF (router or ISP provider equipment) |
if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then |
if [ $Lang == "fr" ] |
then |
then |
echo "Échec" |
echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte." |
echo "Réglez ce problème puis relancez ce script." |
322,9 → 322,9 |
# Test if default GW is alive |
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2` |
if [ $(expr $arp_reply) -eq 0 ] |
then |
then |
if [ $Lang == "fr" ] |
then |
then |
echo "Échec" |
echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas." |
echo "Réglez ce problème puis relancez ce script." |
342,7 → 342,7 |
if [ ! -e /tmp/con_ok.html ] |
then |
if [ $Lang == "fr" ] |
then |
then |
echo "La tentative de connexion vers Internet a échoué (google.fr)." |
echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI." |
echo "Vérifiez la validité des adresses IP des DNS." |
371,9 → 371,9 |
ORGANISME=! |
PTN='^[a-zA-Z0-9-]*$' |
until [[ $(expr $ORGANISME : $PTN) -gt 0 ]] |
do |
do |
if [ $Lang == "fr" ] |
then echo -n "Entrez le nom de votre organisme : " |
then echo -n "Entrez le nom de votre organisme : " |
else echo -n "Enter the name of your organism : " |
fi |
read ORGANISME |
388,17 → 388,17 |
rm -f $PASSWD_FILE |
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE |
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
grep -v '[eE]nter password:' | \ |
sed -e "s/PBKDF2 hash of your password is //"` |
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg |
[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default |
cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry) |
chmod 0600 /boot/grub2/user.cfg |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
grep -v '[eE]nter password:' | \ |
sed -e "s/PBKDF2 hash of your password is //"` |
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg |
[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default |
cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry) |
chmod 0600 /boot/grub2/user.cfg |
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE |
echo "GRUB2_user=root" >> $PASSWD_FILE |
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
echo "GRUB2_user=root" >> $PASSWD_FILE |
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE |
475,10 → 475,10 |
read PRIVATE_IP_MASK |
done |
else |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
fi |
else |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2` |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2` |
rm -rf conf/etc/alcasar.conf |
fi |
# Define LAN side global parameters |
490,9 → 490,9 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side) |
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address |
then |
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX` |
fi |
fi |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24 |
526,7 → 526,7 |
SUB=`echo ${i:0:2}` |
if [ $SUB = "wl" ] |
then WIFIF=$i |
elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] |
elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] |
then LANIF=$i |
fi |
done |
536,8 → 536,8 |
elif [ -n "$LANIF" ] |
then echo "LANIF=$LANIF" >> $CONF_FILE |
fi |
######################################################################################################### |
|
######################################################################################################### |
|
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # IP setting (static or dynamic) |
if [ $IP_SETTING == "dhcp" ] |
then |
590,7 → 590,7 |
USERCTL=no |
MTU=$MTU |
EOF |
else |
else |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=static |
666,7 → 666,7 |
USERCTL=no |
EOF |
fi |
######################################################################################################### |
######################################################################################################### |
# Renseignement des fichiers hosts.allow et hosts.deny |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
cat <<EOF > /etc/hosts.allow |
691,7 → 691,7 |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
# |
# |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
} # End of network () |
|
819,7 → 819,7 |
do |
header_install |
if [ $Lang == "fr" ] |
then |
then |
echo "" |
echo "Définissez un premier compte d'administration d'ALCASAR :" |
echo |
869,7 → 869,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_all |
884,7 → 884,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_admin |
899,7 → 899,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_manager |
914,7 → 914,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
930,7 → 930,7 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
1050,7 → 1050,7 |
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
# Create 'radius' database |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
# Add an empty radius database structure |
1088,24 → 1088,24 |
ipaddr = 127.0.0.1 |
secret = $secretradius |
shortname = chilli |
nas_type = other |
nas_type = other |
} |
EOF |
# Set Virtual server (remvove all except "alcasar virtual site") |
rm -f /etc/raddb/sites-enabled/* |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar |
chown radius:apache /etc/raddb/sites-available/alcasar |
chmod 660 /etc/raddb/sites-available/alcasar |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar |
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled) |
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled) |
|
# Set modules |
# Set modules |
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC) |
rm -rf /etc/raddb/mods-enabled/* |
for mods in sql sqlcounter attr_filter expiration logintime pap expr |
do |
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
done |
rm -rf /etc/raddb/mods-enabled/* |
for mods in sql sqlcounter attr_filter expiration logintime pap expr |
do |
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods |
done |
# Configure SQL mod |
[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default |
$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql |
1115,7 → 1115,7 |
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql |
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql |
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc. |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default |
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf |
chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf |
1152,7 → 1152,7 |
/usr/bin/systemctl daemon-reload |
# Allow apache to change some conf files (ie : ldap on/off) |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
|
|
} # End freeradius () |
|
############################################################################# |
1195,10 → 1195,10 |
# description: CoovaChilli |
### BEGIN INIT INFO |
# Provides: chilli |
# Required-Start: network |
# Should-Start: |
# Required-Start: network |
# Should-Start: |
# Required-Stop: network |
# Should-Stop: |
# Should-Stop: |
# Default-Start: 2 3 5 |
# Default-Stop: |
# Description: CoovaChilli access controller |
1217,7 → 1217,7 |
prog="chilli" |
case \$1 in |
start) |
if [ -f \$pidfile ] ; then |
if [ -f \$pidfile ] ; then |
gprintf "chilli is already running" |
else |
gprintf "Starting \$prog: " |
1226,9 → 1226,9 |
/usr/sbin/modprobe tun >/dev/null 2>&1 |
echo 1 > /proc/sys/net/ipv4/ip_forward |
[ -e /dev/net/tun ] || { |
(cd /dev; |
mkdir net; |
cd net; |
(cd /dev; |
mkdir net; |
cd net; |
mknod tun c 10 200) |
} |
ifconfig $INTIF 0.0.0.0 |
1254,13 → 1254,13 |
;; |
|
stop) |
if [ -f \$pidfile ] ; then |
if [ -f \$pidfile ] ; then |
gprintf "Shutting down \$prog: " |
killproc /usr/sbin/chilli |
RETVAL=\$? |
[ \$RETVAL = 0 ] && rm -f \$pidfile |
[ -e \$current_users_file ] && rm -f \$current_users_file |
else |
else |
gprintf "chilli is not running" |
fi |
;; |
1279,7 → 1279,7 |
#DHCP Options : rfc2132 |
#dhcp option value will be convert in hexa. |
#NTP option (or 'option 42') is like : |
# |
# |
# Code Len Address 1 Address 2 |
# +-----+-----+-----+-----+-----+-----+-----+-----+-- |
# | 42 | n | a1 | a2 | a3 | a4 | a1 | a2 | ... |
1346,7 → 1346,7 |
chilli_exist=`grep -c ^chilli: /etc/passwd` |
if [ "$chilli_exist" == "1" ] |
then |
userdel -r chilli 2>/dev/null |
userdel -r chilli 2>/dev/null |
fi |
groupadd -f chilli |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli |
1363,7 → 1363,7 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service |
[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default |
# By default the filter is off |
# By default the filter is off |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf |
# French deny HTML page |
$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf |
1395,7 → 1395,7 |
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf |
# maximum age of a child process before it croaks it |
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf |
|
|
# on désactive par défaut le contrôle de téléchargement de fichiers |
[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default |
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf |
1417,14 → 1417,14 |
## Fonction "antivirus" ## |
## - configuration of havp, libclamav and freshclam ## |
################################################################## |
antivirus () |
antivirus () |
{ |
# create 'havp' user |
havp_exist=`grep -c ^havp: /etc/passwd` |
if [ "$havp_exist" == "1" ] |
then |
userdel -r havp 2>/dev/null |
groupdel havp 2>/dev/null |
userdel -r havp 2>/dev/null |
groupdel havp 2>/dev/null |
fi |
groupadd -f havp |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp |
1471,13 → 1471,13 |
## Fonction "tinyproxy" ## |
## - configuration of tinyproxy (proxy between filterde users and havp) ## |
########################################################################## |
tinyproxy () |
tinyproxy () |
{ |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd` |
if [ "$tinyproxy_exist" == "1" ] |
then |
userdel -r tinyproxy 2>/dev/null |
groupdel tinyproxy 2>/dev/null |
userdel -r tinyproxy 2>/dev/null |
groupdel tinyproxy 2>/dev/null |
fi |
groupadd -f tinyproxy |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy |
1596,7 → 1596,7 |
PIDFile=/var/run/nfsen/nfsen.pid |
ExecStartPre=/bin/mkdir -p /var/run/nfsen |
ExecStartPre=/bin/chown apache:apache /var/run/nfsen |
ExecStart=/usr/bin/nfsen start |
ExecStart=/usr/bin/nfsen start |
ExecStop=/usr/bin/nfsen stop |
ExecReload=/usr/bin/nfsen restart |
TimeoutSec=0 |
1605,7 → 1605,7 |
WantedBy=multi-user.target |
EOF |
# Add the listen port to collect netflow packet (nfcapd) |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm |
# expire delay for the profile "live" |
/usr/bin/systemctl start nfsen |
/bin/nfsen -m live -e 62d 2>/dev/null |
1643,8 → 1643,8 |
{ |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq |
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on. |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
cat << EOF > /etc/dnsmasq.conf |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
cat << EOF > /etc/dnsmasq.conf |
# Configuration file for "dnsmasq in forward mode" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
listen-address=$PRIVATE_IP |
1712,7 → 1712,7 |
bogus-priv |
filterwin2k |
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL) |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL) |
EOF |
# 4th dnsmasq listen on udp 56 ("blackhole") |
cat << EOF > /etc/dnsmasq-blackhole.conf |
1826,8 → 1826,8 |
EOF |
[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default |
cat <<EOF >> /etc/anacrontab |
7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql |
7 10 cron.logExport nice /etc/cron.d/alcasar-archive |
7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql |
7 10 cron.logExport nice /etc/cron.d/alcasar-archive |
7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import |
EOF |
|
1841,16 → 1841,16 |
# Archive des logs et de la base de données (tous les lundi à 5h35) |
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now |
EOF |
cat << EOF > /etc/cron.d/alcasar-ticket-clean |
cat <<EOF > /etc/cron.d/alcasar-ticket-clean |
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur |
30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh |
EOF |
cat << EOF > /etc/cron.d/alcasar-distrib-updates |
cat <<EOF > /etc/cron.d/alcasar-distrib-updates |
# mise à jour automatique de la distribution tous les jours 3h30 |
30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1 |
EOF |
|
cat << EOF > /etc/cron.d/alcasar-connections-stats |
cat <<EOF > /etc/cron.d/alcasar-connections-stats |
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin). |
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct') |
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct') |
1863,7 → 1863,7 |
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1 |
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1 |
EOF |
cat << EOF > /etc/cron.d/alcasar-watchdog |
cat <<EOF > /etc/cron.d/alcasar-watchdog |
# run the "watchdog" every 3' |
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05 |
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1 |
1871,7 → 1871,7 |
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1 |
EOF |
# Enabling the watchdog every 18' |
cat << EOF > /etc/cron.d/alcasar-daemon-watchdog |
cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog |
# activate the daemon-watchdog after boot process |
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1 |
# activate the daemon-watchdog every 18' |
1879,8 → 1879,8 |
EOF |
|
# Enabling category update from rsync |
cat << EOF > /etc/cron.d/alcasar-rsync-bl |
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). |
cat <<EOF > /etc/cron.d/alcasar-rsync-bl |
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). |
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1 |
EOF |
|
1959,7 → 1959,7 |
;ResetFrequency = 300 |
;HardResetFrequency = 120 |
|
CheckSecurity = 1 |
CheckSecurity = 1 |
CheckSignal = 1 |
CheckBattery = 0 |
EOF |
2011,7 → 2011,7 |
/var/log/netflow/porttracker root.apache 770 |
/var/log/netflow/porttracker/* root.apache 660 |
EOF |
# apply now hourly & daily checks |
# apply now hourly & daily checks |
/usr/sbin/msec |
/etc/cron.weekly/msec |
|
2099,12 → 2099,12 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE |
echo "LDAP_BASE=ou=my_lan;dc=server_name;dc=localdoamin" >> $CONF_FILE |
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE |
echo "LDAP_FILTER=" >> $CONF_FILE |
echo "LDAP_USER=alcasar" >> $CONF_FILE |
echo "LDAP_PASSWORD=" >> $CONF_FILE |
echo "MULTIWAN=off" >> $CONF_FILE |
echo "LDAP_BASE=ou=my_lan;dc=server_name;dc=localdoamin" >> $CONF_FILE |
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE |
echo "LDAP_FILTER=" >> $CONF_FILE |
echo "LDAP_USER=alcasar" >> $CONF_FILE |
echo "LDAP_PASSWORD=" >> $CONF_FILE |
echo "MULTIWAN=off" >> $CONF_FILE |
echo "FAILOVER=30" >> $CONF_FILE |
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE |
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE |
2125,7 → 2125,7 |
# actualisation des fichiers logs compressés |
for dir in firewall dansguardian httpd |
do |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \; |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \; |
done |
# create the alcasar-load_balancing unit |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service |
2157,13 → 2157,13 |
do |
/usr/bin/systemctl -q enable $i.service |
done |
|
|
# disable processes at boot time (Systemctl) |
for i in ulogd gpm |
do |
/usr/bin/systemctl -q disable $i.service |
done |
|
|
# Apply French Security Agency (ANSSI) rules |
# ignore ICMP broadcast (smurf attack) |
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf |
2180,7 → 2180,7 |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf |
# set conntrack timer to 1h (3600s) instead of 5 weeks |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf |
# disable log_martians (ALCASAR is often installed between two private network addresses) |
# disable log_martians (ALCASAR is often installed between two private network addresses) |
echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf |
# disable iptables_helpers |
echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf |
2199,21 → 2199,21 |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM |
if [ $vm_vga == 0 ] # is not a VM |
if [ $vm_vga == 0 ] # is not a VM |
then |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art |
echo >> /etc/mageia-release |
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub |
fi |
if [ $Lang == "fr" ] |
then |
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
else |
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
fi |
/usr/bin/update-grub2 |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art |
echo >> /etc/mageia-release |
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub |
fi |
if [ $Lang == "fr" ] |
then |
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
else |
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
fi |
/usr/bin/update-grub2 |
# Load and apply the previous conf file |
if [ "$mode" = "update" ] |
then |
2222,7 → 2222,7 |
PARENT_SCRIPT=`basename $0` |
export PARENT_SCRIPT # to avoid stop&start process during the installation process |
$DIR_DEST_BIN/alcasar-conf.sh --apply |
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf |
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf |
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE |
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE |
fi |
2249,7 → 2249,7 |
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain" |
echo |
echo " Appuyez sur 'Entrée' pour continuer" |
else |
else |
echo "# End of ALCASAR install process #" |
echo "# #" |
echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #" |
2321,7 → 2321,7 |
# Uninstall the running version |
$DIR_SCRIPTS/alcasar-uninstall.sh -update |
fi |
# Test if manual update |
# Test if manual update |
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ] |
then |
header_install |
2338,13 → 2338,13 |
else echo -n "Do you want to use it (Y/n)?"; |
fi |
read response |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
then rm -f /tmp/alcasar-conf* |
fi |
done |
fi |
# Test if update |
if [ -e /tmp/alcasar-conf* ] |
if [ -e /tmp/alcasar-conf* ] |
then |
if [ $Lang == "fr" ] |
then echo "#### Installation avec mise à jour ####"; |
2351,7 → 2351,7 |
else echo "#### Installation with update ####"; |
fi |
# Extract the central configuration file |
tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf |
tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf |
ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2` |
PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2` |
MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1` |
2387,7 → 2387,7 |
if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ] |
then |
$DIR_SCRIPTS/alcasar-conf.sh --create |
else |
else |
rm -f /tmp/alcasar-conf* |
fi |
# Uninstall the running version |