106,7 → 106,7 |
then |
exit 1 |
fi |
} |
} # End of license() |
|
header_install () |
{ |
115,7 → 115,7 |
echo " ALCASAR V$VERSION Installation" |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau" |
echo "-----------------------------------------------------------------------------" |
} |
} # End of header_install() |
|
######################################################## |
## Function "testing" ## |
255,7 → 255,7 |
|
if [ -z "$INTIF" ]; then |
interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$") |
interfacesCount=$(echo "$interfacesList" | wc -l) |
interfacesCount=$(echo "$interfacesList" | wc -w) |
if [ $interfacesCount -eq 0 ]; then |
if [ "$Lang" == 'fr' ] |
then echo "Aucune interface de disponible pour le réseau interne" |
267,7 → 267,6 |
else |
interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1) |
interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1) |
|
if [ "$Lang" == 'fr' ] |
then echo 'Liste des interfaces disponible :' |
else echo 'List of available interfaces:' |
416,7 → 415,7 |
exit 1 |
fi |
echo ". : ok" |
} # end of testing () |
} # End of testing() |
|
####################################################################### |
## Function "init" ## |
941,6 → 940,7 |
$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf |
$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed |
[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !) |
[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos) |
/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1 |
/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking" |
/usr/bin/systemctl start mysqld |
957,7 → 957,6 |
fi |
# Secure the server |
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
|
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
1049,7 → 1048,7 |
/usr/bin/systemctl daemon-reload |
# Allow apache to change some conf files (ie : ldap on/off) |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
} # End freeradius () |
} # End of freeradius() |
|
############################################################################# |
## Function "chilli" ## |
1417,11 → 1416,12 |
WantedBy=multi-user.target |
EOF |
|
} # end of tinyproxy |
############################################################################## |
} # end of tinyproxy() |
|
############################################################## |
## function "ulogd" ## |
## - Ulog config for multi-log files ## |
############################################################################## |
############################################################## |
ulogd () |
{ |
# Three instances of ulogd (three different logfiles) |
1446,7 → 1446,6 |
chmod 640 /var/log/firewall/* |
} # End of ulogd () |
|
|
########################################################## |
## Function "nfsen" ## |
## - install the nfsen grapher ## |
1512,7 → 1511,7 |
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/ |
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/ |
# cd /tmp/ |
# /usr/bin/sh SURFmap/install.sh |
# /usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API) |
# clear the installation |
# rm -rf /tmp/SURFmap* |
rm -rf /tmp/nfsen-* |
1533,18 → 1532,17 |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php |
/usr/bin/vnstat -i $EXTIF -u --force |
} # End of vnstat |
} # End of vnstat() |
|
################################################################## |
################################################################### |
## Function "dnsmasq" ## |
## - creation of the conf files of the 4 intances of dnsmasq ## |
## - creation of the file managing domain name (local & remote) ## |
################################################################## |
## - creation of the conf files of dnsmasq (whitelist for ipset )## |
################################################################### |
dnsmasq () |
{ |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist") |
# dnsmasq listen on udp 55 ("dnsmasq with whitelist") |
cat << EOF > /etc/dnsmasq-whitelist.conf |
# Configuration file for "dnsmasq with whitelist" |
# ADD Toulouse university whitelist domains |
1562,17 → 1560,18 |
server=$DNS1 |
server=$DNS2 |
EOF |
|
# Create dnsmasq-whitelist unit |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
} # End dnsmasq |
} # End of dnsmasq() |
|
################################################## |
######################################################### |
## Function "unbound" ## |
################################################## |
## - create the conf files for 4 unbound services ## |
## - create the systemd files for 4 unbound services ## |
######################################################### |
unbound () |
{ |
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d |
1585,7 → 1584,6 |
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole |
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; } |
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default |
|
# Local static DNS configuration |
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf |
|
1661,7 → 1659,6 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
|
include: /etc/unbound/conf.d/common/forward-zone.conf |
include: /etc/unbound/conf.d/common/local-forward/* |
include: /etc/unbound/conf.d/common/local-dns/* |
1689,12 → 1686,10 |
chroot: "" |
define-tag: "blacklist" |
log-local-actions: yes |
|
include: /etc/unbound/conf.d/common/forward-zone.conf |
include: /etc/unbound/conf.d/common/local-forward/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/blacklist/* |
|
include: /usr/local/share/unbound-bl-enabled/* |
EOF |
|
1717,15 → 1712,12 |
do-ip6: no |
do-not-query-localhost: no |
define-tag: "whitelist" |
|
local-zone: "." transparent |
local-zone-tag: "." "whitelist" |
|
include: /usr/local/share/unbound-wl-enabled/* |
include: /etc/unbound/conf.d/whitelist/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/common/local-forward/* |
|
forward-zone: |
name: "." |
forward-addr: 127.0.0.1@55 |
1750,7 → 1742,6 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
|
include: /etc/unbound/conf.d/blackhole/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/common/local-forward/* |
1762,7 → 1753,6 |
fi |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service |
|
for list in blacklist blackhole whitelist |
do |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service |
1769,9 → 1759,8 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service |
done |
|
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service |
} # End unbound |
} # End of unbound() |
|
################################################## |
## Function "dhcpd" ## |
1779,7 → 1768,6 |
dhcpd () |
{ |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default |
|
cat <<EOF > /etc/dhcpd.conf |
ddns-update-style none; |
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK { |
1786,13 → 1774,12 |
option routers $PRIVATE_IP; |
option subnet-mask $PRIVATE_NETMASK; |
option domain-name-servers $PRIVATE_IP; |
|
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP; |
default-lease-time 21600; |
max-lease-time 43200; |
} |
EOF |
} |
} # End of dhcpd() |
|
########################################################## |
## Function "BL" ## |
1857,7 → 1844,7 |
# enable the default categories |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice |
rm -rf /tmp/blacklists |
} # End BL() |
} # End of BL() |
|
####################################################### |
## Function "cron" ## |
1939,7 → 1926,7 |
|
# removing the users crons |
rm -f /var/spool/cron/* |
} # End cron() |
} # End of cron() |
|
###################################################################### |
## Fonction "Fail2Ban" ## |
1960,7 → 1947,7 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service |
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service |
} # End fail2ban() |
} # End of fail2ban() |
|
######################################################### |
## Fonction "gammu_smsd" ## |
2049,7 → 2036,7 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time) |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/ |
|
} # End gammu_smsd() |
} # End of gammu_smsd() |
|
############################################################ |
## Fonction "msec" ## |
2084,9 → 2071,8 |
/usr/sbin/msec |
/etc/cron.weekly/msec |
|
} # End msec() |
} # End of msec() |
|
|
################################################################## |
## Fonction "letsencrypt" ## |
## - Install Let's Encrypt client ## |
2138,7 → 2124,7 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; } |
rm -rf /tmp/acme.sh-* |
|
} # END letsencrypt() |
} # End of letsencrypt() |
|
################################################################## |
## Fonction "post_install" ## |
2352,7 → 2338,7 |
fi |
clear |
reboot |
} # End post_install () |
} # End of post_install() |
|
##################################################################################### |
# Main Install loop # |
2386,10 → 2372,16 |
exit 0 |
;; |
-i | --install) |
for func in license testing |
do |
header_install |
license |
header_install |
testing |
$func |
if [ $DEBUG_ALCASAR == "on" ] |
then |
echo "*** 'debug' : end of install '$func' ***" |
read |
fi |
done |
# RPMs install |
$DIR_SCRIPTS/alcasar-urpmi.sh |
if [ "$?" != "0" ] |
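Review bot: The debug test added inside the new loop, `if [ $DEBUG_ALCASAR == "on" ]`, leaves `$DEBUG_ALCASAR` unquoted, so when the variable is empty or unset the test degenerates to `[ == "on" ]` and `[` prints a "unary operator expected" error rather than quietly evaluating false; quote it as `if [ "$DEBUG_ALCASAR" == "on" ]`. The bare `read` used as a pause has no `-r` and silently fills REPLY, so `read -r _` would state the intent more clearly. Since the loop now runs `header_install` before each step where the old code called it explicitly twice, a one-line comment above the loop such as `# run each install step (with a pause after it when DEBUG_ALCASAR=on)` would help a reader confirm the ordering is unchanged. The `-i | --install)` case arm continues past the end of the hunk.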