2,7 → 2,7 |
# $Id$ |
|
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump |
# contact : info@alcasar.net |
|
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
27,7 → 27,6 |
# ulogd : Log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
# unbound : Name server configuration |
# dnsmasq : Name server configuration (for whitelist ipset support) |
# vnstat : Little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
1497,40 → 1496,6 |
$SED "s?^ReadWritePaths=.*?ReadWritePaths=/var/log?g" /etc/systemd/system/vnstat.service |
} # End of vnstat() |
|
################################################################### |
## "dnsmasq" ## |
## - creation of the conf files of dnsmasq (whitelist for ipset )## |
################################################################### |
dnsmasq() |
{ |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
# dnsmasq listen on udp 55 ("dnsmasq with whitelist") |
cat << EOF > /etc/dnsmasq-whitelist.conf |
# Configuration file for "dnsmasq with whitelist" |
# ADD Toulouse university whitelist domains |
pid-file=/run/dnsmasq-whitelist.pid |
listen-address=127.0.0.1 |
port=55 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=1024 |
domain-needed |
expand-hosts |
bogus-priv |
filterwin2k |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules |
server=$DNS1 |
server=$DNS2 |
EOF |
|
# Don't run dnsmasq service. Create dnsmasq-whitelist unit |
systemctl disable dnsmasq.service |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service |
} # End of dnsmasq() |
|
######################################################### |
## "unbound" ## |
## - create the conf files for 4 unbound services ## |
1657,6 → 1622,7 |
# Configuration file for whitelist unbound |
cat << EOF > /etc/unbound/unbound-whitelist.conf |
server: |
module-config: "ipset validator iterator" |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
1665,13 → 1631,14 |
define-tag: "whitelist" |
local-zone: "." transparent |
local-zone-tag: "." "whitelist" |
include: /etc/unbound/conf.d/common/forward-zone.conf |
include: /etc/unbound/conf.d/common/local-forward/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/whitelist/* |
include: /usr/local/share/unbound-wl-enabled/* |
forward-zone: |
name: "." |
forward-addr: 127.0.0.1@55 |
username: "" |
ipset: |
name-v4: "wl_ip_allowed" |
EOF |
|
# Configuration file for $INTIF of blackhole unbound |
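Review bot: `username: ""` in the new unbound-whitelist.conf turns off unbound's privilege drop, so this resolver keeps whatever privileges the unit starts it with — presumably root, since the unit is a copy of the stock unbound.service rewritten by the `$SED` lines in the later hunk of this section. If the only reason is that the ipset module needs netlink access to `wl_ip_allowed`, the narrower option is to keep the normal unbound user and add `AmbientCapabilities=CAP_NET_ADMIN` to the `[Service]` section of /etc/systemd/system/unbound-whitelist.service instead (confirm against the ipset module documentation that this capability is sufficient). Whichever is kept, the heredoc should say why, e.g. `# username "": no privilege drop, needed by the ipset module (netlink) — TODO confirm`, so the setting is not later "fixed" back to the default. The enclosing unbound() function and its heredoc start and end outside this hunk.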
1705,7 → 1672,7 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service |
done |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound-whitelist.service |
} # End of unbound() |
|
################################################## |
1823,7 → 1790,7 |
EOF |
cat <<EOF > /etc/cron.d/alcasar-watchdog |
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10') |
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am) |
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with unbound-whitelist hook (every sunday at 0:05 am) |
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily") |
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory |
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1 |
2232,7 → 2199,7 |
done |
/usr/bin/systemctl daemon-reload |
# processes started at boot time (Systemctl) |
for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd |
for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd |
do |
/usr/bin/systemctl -q enable $i.service |
done |
2477,7 → 2444,7 |
fi |
mode="update" |
fi |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |