28,8 → 28,8 |
# testing : connectivity tests, free space test and mageia version test |
# init : Installation of RPM and scripts |
# network : Network parameters |
# ACC : ALCASAR Control Center installation |
# CA : Certification Authority initialization |
# ACC : ALCASAR Control Center installation |
# CA : Certification Authority initialization |
# time_server : NTPd configuration |
# init_db : Initilization of radius database managed with MariaDB |
# freeradius : FreeRadius initialisation |
41,13 → 41,13 |
# nfsen : Configuration of Nfsen Netflow grapher |
# dnsmasq : Name server configuration |
# vnstat : little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter) |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
# fail2ban : Fail2ban IDS installation and configuration |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
# msec : Mandriva security package configuration |
# letsencrypt : Let's Encrypt client |
# post_install : Security, log rotation, etc. |
# post_install : Security, log rotation, etc. |
|
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
DATE=`date '+%d %B %Y - %Hh%M'` |
55,27 → 55,27 |
Lang=`echo $LANG|cut -c 1-2` |
mode="install" |
# ******* Files parameters - paramètres fichiers ********* |
DIR_INSTALL=`pwd` # current directory |
DIR_INSTALL=`pwd` # current directory |
DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files) |
DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files) |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log) |
DIR_WEB="/var/www/html" # directory of Lighttpd |
DIR_DG="/etc/e2guardian" # directory of E2Guardian |
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log) |
DIR_WEB="/var/www/html" # directory of Lighttpd |
DIR_DG="/etc/e2guardian" # directory of E2Guardian |
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files |
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance) |
CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file |
CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file |
PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets |
# ******* DBMS parameters - paramètres SGBD ******** |
DB_RADIUS="radius" # database name used by FreeRadius server |
DB_USER="radius" # user name allows to request the users database |
DB_GAMMU="gammu" # database name used by Gammu-smsd |
DB_RADIUS="radius" # database name used by FreeRadius server |
DB_USER="radius" # user name allows to request the users database |
DB_GAMMU="gammu" # database name used by Gammu-smsd |
# ******* Network parameters - paramètres réseau ******* |
HOSTNAME="alcasar" # default hostname |
DOMAIN="localdomain" # default local domain |
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI) |
HOSTNAME="alcasar" # default hostname |
DOMAIN="localdomain" # default local domain |
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI) |
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"` # INTIF is connected to the consultation network |
MTU="1500" |
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address |
116,13 → 116,13 |
echo "-----------------------------------------------------------------------------" |
} |
|
################################################################## |
## Function "testing" ## |
## - Test of Mageia version ## |
## - Test of ALCASAR version (if already installed) ## |
## - Test of free space on /var (>10G) ## |
## - Test of Internet access ## |
################################################################## |
######################################################## |
## Function "testing" ## |
## - Test Mageia version ## |
## - Test ALCASAR version (if already installed) ## |
## - Test free space on /var (>10G) ## |
## - Test Internet access ## |
######################################################## |
testing () |
{ |
# Test of Mageia version |
359,11 → 359,11 |
echo ". : ok" |
} # end of testing () |
|
################################################################## |
## Function "init" ## |
## - Création du fichier "/root/ALCASAR_parametres.tx ## |
## - Installation et modification des scripts du portail ## |
################################################################## |
####################################################################### |
## Function "init" ## |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ## |
## - Creation of random password for GRUB, mariadb (admin and user) ## |
####################################################################### |
init () |
{ |
if [ "$mode" != "update" ] |
437,14 → 437,14 |
chmod o-rwx $CONF_FILE |
} # End of init () |
|
################################################################## |
## Function "network" ## |
## - Définition du plan d'adressage du réseau de consultation ## |
## - Nommage DNS du système ## |
## - Configuration de l'interface INTIF (réseau de consultation)## |
## - Modification du fichier /etc/hosts ## |
## - Renseignement des fichiers hosts.allow et hosts.deny ## |
################################################################## |
######################################################### |
## Function "network" ## |
## - Define the several network address ## |
## - Define the DNS naming ## |
## - INTIF parameters (consultation network) ## |
## - Write "/etc/hosts" file ## |
## - write "hosts.allow" & "hosts.deny" files ## |
######################################################### |
network () |
{ |
header_install |
531,12 → 531,11 |
PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` |
PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2` |
PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2` |
# Wrtie the conf file |
# Write network parameters in the conf file |
echo "EXTIF=$EXTIF" >> $CONF_FILE |
echo "INTIF=$INTIF" >> $CONF_FILE |
######## Récupération des interfaces du ou des réseaux de consultation supplémentaires ################# |
INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"` |
|
for i in $INTERFACES |
do |
SUB=`echo ${i:0:2}` |
546,7 → 545,6 |
then LANIF=$i |
fi |
done |
|
if [ -n "$WIFIF" ] |
then echo "WIFIF=$WIFIF" >> $CONF_FILE |
elif [ -n "$LANIF" ] |
553,8 → 551,7 |
then echo "LANIF=$LANIF" >> $CONF_FILE |
fi |
######################################################################################################### |
|
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # IP setting (static or dynamic) |
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic |
if [ $IP_SETTING == "dhcp" ] |
then |
echo "PUBLIC_IP=dhcp" >> $CONF_FILE |
580,13 → 577,13 |
NETWORKING=yes |
FORWARD_IPV4=true |
EOF |
# /etc/hosts config |
# write "/etc/hosts" |
[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default |
cat <<EOF > /etc/hosts |
127.0.0.1 localhost |
$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME |
EOF |
# EXTIF (Internet) config |
# write EXTIF (Internet) config |
[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF |
if [ $IP_SETTING == "dhcp" ] |
then |
626,7 → 623,7 |
MTU=$MTU |
EOF |
fi |
# Config INTIF (consultation LAN) in normal mode |
# write INTIF (consultation LAN) in normal mode |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF |
DEVICE=$INTIF |
BOOTPROTO=static |
639,7 → 636,7 |
USERCTL=no |
EOF |
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF |
# Config of INTIF in bypass mode (see "alcasar-bypass.sh") |
# write INTIF in bypass mode (see "alcasar-bypass.sh") |
cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
DEVICE=$INTIF |
BOOTPROTO=static |
683,7 → 680,7 |
EOF |
fi |
######################################################################################################### |
# Renseignement des fichiers hosts.allow et hosts.deny |
# write hosts.allow & hosts.deny |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
cat <<EOF > /etc/hosts.allow |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
711,13 → 708,13 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
} # End of network () |
|
################################################################## |
## Function "ACC" ## |
## - installation of then ALCASAR Control Center (ACC) ) ## |
## - configuration of the web server (Lighttpd) ## |
## - creation of the first ACC admin account ## |
## - secure the access ## |
################################################################## |
################################################### |
## Function "ACC" ## |
## - copy ALCASAR Control Center (ACC) files ## |
## - configuration of the web server (Lighttpd) ## |
## - creation of the first ACC admin account ## |
## - secure the ACC access ## |
################################################### |
ACC () |
{ |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB |
796,7 → 793,7 |
/usr/bin/systemctl start lighttpd |
/usr/bin/systemctl start php-fpm |
|
# Définition du premier compte lié au profil 'admin' |
# Creation of the first account (in 'admin' profile) |
if [ "$mode" = "install" ] |
then |
header_install |
818,10 → 815,10 |
chmod 664 /var/Save/security/acc_access.log |
} # End of ACC () |
|
########################################################################## |
## Fonction "CA" ## |
## - Creating the CA and the server certificate (lighttpd) ## |
########################################################################## |
################################################################## |
## Fonction "CA" ## |
## - Creating the CA and the server certificate (lighttpd) ## |
################################################################## |
CA () |
{ |
$DIR_DEST_BIN/alcasar-CA.sh |
830,10 → 827,10 |
chmod -R 750 /etc/pki |
} # End of CA () |
|
################################################################## |
## Function "time_server" ## |
## - Configuring NTP server ## |
################################################################## |
############################################################# |
## Function "time_server" ## |
## - Configuring NTP server ## |
############################################################# |
time_server () |
{ |
# Set the Internet time server |
1026,7 → 1023,7 |
} # End freeradius () |
|
############################################################################# |
## Function "chilli" ## |
## Function "chilli" ## |
## - Creation of the conf file and init file (systemd) for coova-chilli ## |
## - Adapt the authentication web page (intercept.php) ## |
############################################################################# |
1339,7 → 1336,7 |
|
################################################################################ |
## Function "tinyproxy" ## |
## - Set the parameters of tinyproxy (proxy between filterde users and havp) ## |
## - Set the parameters of tinyproxy (proxy between filtered users and havp) ## |
################################################################################ |
tinyproxy () |
{ |
1492,10 → 1489,10 |
rm -rf /tmp/SURFmap* |
} # End of nfsen () |
|
################################################## |
## Function "vnstat" ## |
## - Initialization of Vnstat and vnstat phpFE ## |
################################################## |
########################################################### |
## Function "vnstat" ## |
## - Initialization of Vnstat and vnstat phpFrontEnd ## |
########################################################### |
vnstat () |
{ |
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default |
1507,7 → 1504,7 |
} # End of vnstat |
|
################################################################ |
## Function "dnsmasq" ## |
## Function "dnsmasq" ## |
## - creation of the conf files of the 4 intances of dnsmasq ## |
################################################################ |
dnsmasq () |
1616,9 → 1613,14 |
done |
} # End dnsmasq |
|
####################################################### |
## Function "BL" ## |
####################################################### |
########################################################## |
## Function "BL" ## |
## - copy Toulouse BL ## |
## - adapt this BL to ALCASAR architecture ## |
## - domain names for dnsmasq-bl & dnasmasq-wl ## |
## - URLs for E²guardian ## |
## - IPs for NetFilter ## |
########################################################## |
BL () |
{ |
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt) |
1675,9 → 1677,10 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice |
} # End BL() |
|
########################################################## |
## Function "cron" ## |
########################################################## |
####################################################### |
## Function "cron" ## |
## - write all cron & anacron files ## |
####################################################### |
cron () |
{ |
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00 |
1764,11 → 1767,11 |
rm -f /var/spool/cron/* |
} # End cron() |
|
################################################################## |
## Fonction "Fail2Ban" ## |
##- Modification de la configuration de fail2ban ## |
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ## |
################################################################## |
###################################################################### |
## Fonction "Fail2Ban" ## |
##- Adapt conf file to ALCASAR ## |
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ## |
###################################################################### |
fail2ban() |
{ |
/usr/bin/sh $DIR_CONF/fail2ban.sh |
1785,11 → 1788,11 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service |
} # End fail2ban() |
|
################################################################## |
## Fonction "gammu_smsd" ## |
## - Creation de la base de donnée Gammu ## |
## - Creation du fichier de config: gammu_smsd_conf ## |
################################################################## |
######################################################### |
## Fonction "gammu_smsd" ## |
## - Creating of SMS management database ## |
## - Write the gammu a gammu_smsd conf files ## |
######################################################### |
gammu_smsd() |
{ |
# Create 'gammu' databse |
1798,18 → 1801,20 |
# Add a gammu database structure |
mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql |
|
# Config file for the daemon |
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port) |
cat << EOF > /etc/gammurc |
[gammu] |
device = /dev/ttyUSB0 |
connection = at115200 |
EOF |
|
cat << EOF > /etc/gammu_smsd_conf |
[gammu] |
port = /dev/ttyUSB0 |
connection = at115200 |
|
;######################################################## |
|
[smsd] |
|
PIN = 1234 |
|
logfile = /var/log/gammu-smsd/gammu-smsd.log |
logformat = textall |
debuglevel = 0 |
1834,7 → 1839,7 |
CheckBattery = 0 |
EOF |
|
chmod 755 /etc/gammu_smsd_conf |
chmod 755 /etc/gammu_smsd_conf /etc/gammurc |
|
# Log folder for gammu-smsd |
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd |
1844,21 → 1849,23 |
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh |
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh |
|
# Udev rule for Huawei GSM MODEM (idVendor: 12d1) --> run "modeswitch" to switch from "mass_storage" mode to "ttyUSB" (modem) mode |
# normally not needed now since modeswitch is managed by udev (see RPM) |
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1) |
# normally not needed now since modeswitch is managed by udev (see Mageia RPM) |
#cat << EOF > /lib/udev/rules.d/66-huawei.rules |
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode" |
#EOF |
|
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time) |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/ |
|
} # End gammu_smsd() |
|
|
################################################################## |
## Fonction "msec" ## |
## - Apply the "fileserver" security level ## |
## - remove the "system request" for rebboting ## |
## - Fix several file permissions ## |
################################################################## |
############################################################ |
## Fonction "msec" ## |
## - Apply the "fileserver" security level ## |
## - remove the "system request" for rebboting ## |
## - Fix several file permissions ## |
############################################################ |
msec() |
{ |
|
1890,9 → 1897,9 |
|
|
################################################################## |
## Fonction "letsencrypt" ## |
## - Install Let's Encrypt client ## |
## - Prepare Let's Encrypt ALCASAR configuration file ## |
## Fonction "letsencrypt" ## |
## - Install Let's Encrypt client ## |
## - Prepare Let's Encrypt ALCASAR configuration file ## |
################################################################## |
letsencrypt() |
{ |
1940,13 → 1947,13 |
} # END letsencrypt() |
|
################################################################## |
## Fonction "post_install" ## |
## - Modifying banners (locals et ssh) & prompts ## |
## - SSH config ## |
## - sudoers config & files security ## |
## - log rotate & ANSSI security parameters ## |
## - Apply former conf in case of an update ## |
########################################################## |
## Fonction "post_install" ## |
## - Modifying banners (locals et ssh) & prompts ## |
## - SSH config ## |
## - sudoers config & files security ## |
## - log rotate & ANSSI security parameters ## |
## - Apply former conf in case of an update ## |
################################################################## |
post_install() |
{ |
# change the SSH banner |
2145,9 → 2152,9 |
reboot |
} # End post_install () |
|
################################# |
# Main Install loop # |
################################# |
##################################################################################### |
# Main Install loop # |
##################################################################################### |
dir_exec=`dirname "$0"` |
if [ $dir_exec != "." ] |
then |