18,7 → 18,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
|
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
|
# Options : |
# -i or --install |
34,7 → 34,7 |
# init_db : Initilization of radius database managed with MariaDB |
# freeradius : FreeRadius initialisation |
# chilli : coovachilli initialisation (+authentication page) |
# dansguardian : DansGuardian filtering HTTP proxy configuration |
# e2guardian : E2Guardian filtering HTTP proxy configuration |
# antivirus : HAVP + libclamav configuration |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# ulogd : log system in userland (match NFLOG target of iptables) |
41,7 → 41,7 |
# nfsen : Configuration of Nfsen Netflow grapher |
# dnsmasq : Name server configuration |
# vnstat : little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter) |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
# fail2ban : Fail2ban IDS installation and configuration |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
61,7 → 61,7 |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log) |
DIR_WEB="/var/www/html" # directory of Lighttpd |
DIR_DG="/etc/dansguardian" # directory of DansGuardian |
DIR_DG="/etc/e2guardian" # directory of E2Guardian |
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files |
1225,52 → 1225,52 |
} # End of chilli () |
|
################################################################## |
## Function "dansguardian" ## |
## Function "e2guardian" ## |
## - Set the parameters of this HTML proxy (as controler) ## |
################################################################## |
dansguardian () |
e2guardian () |
{ |
mkdir -p /var/dansguardian /var/log/dansguardian |
chown -R dansguardian /var/dansguardian /var/log/dansguardian |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service |
[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default |
mkdir -p /var/e2guardian /var/log/e2guardian |
chown -R e2guardian /var/e2guardian /var/log/e2guardian |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
# By default the filter is off |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf |
# French deny HTML page |
$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf |
$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf |
# Listen only on LAN side |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
# DG send its flow to HAVP |
$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf |
$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf |
# replace the default deny HTML page |
cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/ |
cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html |
cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/ |
cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
# Don't log |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
# # Change the default report page |
$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/dansguardian.conf |
$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf |
# Disable HTML content control |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas) |
# Disable URL control with regex |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas) |
# Configure Dansguardian for large site |
# Configure E2guardian for large site |
# Minimum number of processus to handle connections |
$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf |
$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf |
# Maximum number of processus to handle connections |
$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf |
$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf |
# Run at least 8 daemons |
$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf |
$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf |
# minimum number of processes to spawn |
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf |
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf |
# maximum age of a child process before it croaks it |
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf |
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf |
# Disable download files control |
[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default |
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf |
[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default |
[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default |
touch $DIR_DG/lists/bannedextensionlist |
1283,7 → 1283,7 |
# Keep a copy of URL & domain filter configuration files |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default |
} # End of dansguardian () |
} # End of e2guardian () |
|
################################################################## |
## Function "antivirus" ## |
1631,12 → 1631,12 |
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default |
touch $DIR_DG/lists/exceptionsitelist |
touch $DIR_DG/lists/exceptionurllist |
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian |
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian |
cat <<EOF > $DIR_DG/lists/bannedurllist |
# Dansguardian filter config for ALCASAR |
# E2guardian filter config for ALCASAR |
EOF |
cat <<EOF > $DIR_DG/lists/bannedsitelist |
# Dansguardian domain filter config for ALCASAR |
# E2guardian domain filter config for ALCASAR |
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée) |
#** |
# block all SSL and CONNECT tunnels |
1667,7 → 1667,7 |
cp $DIR_BLACKLIST/$x $DIR_DG/lists/blacklists/ossi-bl-$x/domains |
echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled |
done |
chown -R dansguardian:apache $DIR_DG |
chown -R e2guardian:apache $DIR_DG |
chown -R root:apache $DIR_DEST_SHARE |
chmod -R g+rw $DIR_DG $DIR_DEST_SHARE |
# adapt the Toulouse BL to ALCASAR architecture |
1995,7 → 1995,7 |
# Log compression |
$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf |
# actualisation des fichiers logs compressés |
for dir in firewall dansguardian lighttpd |
for dir in firewall e2guardian lighttpd |
do |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \; |
done |
2025,7 → 2025,7 |
WantedBy=multi-user.target |
EOF |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
do |
/usr/bin/systemctl -q enable $i.service |
done |
2241,7 → 2241,7 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3` |
mode="update" |
fi |
for func in init network ACC CA time_server init_db freeradius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |
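Review bot: In the e2guardian() hunk (1225,52), the new `$SED` substitutions on `$DIR_DG/e2guardian.conf` reuse the DansGuardian key names unchanged, and a `sed` substitution that matches nothing still exits successfully, so any key that E2Guardian's packaged config omits, comments out or spells differently is silently left at its default. That matters most for `filterip` ("Listen only on LAN side") and `proxyport`, where a no-op would leave the proxy bound or chained differently from what the installer intends, with no error at install time. I would add a check after the edits, for example `grep -q "^filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf || echo "e2guardian: filterip not applied"`, and confirm that the pre-fork tuning keys (`minchildren`, `maxchildren`, `minsparechildren`, `preforkchildren`, `maxagechildren`) still exist in the packaged E2Guardian version. The function body continues between this hunk and the 1283,7 hunk, outside what is shown.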