/scripts/alcasar-activity_report.sh |
---|
164,7 → 164,7 |
#get timestamp of X day ago. Then we get every packets chich have been updated since this date. |
if [ "$(rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | wc -l)" -gt 1 ] |
then |
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|tinyproxy|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|havp|ipt-netflow|wget' |
PACKAGE='php|lighttpd|iptables|dnsmasq|unbound|radius|nfdump|e2guardian|clamav|ulogd|chilli|fail2ban|openssh|ipt-netflow|wget|mariadb|gnupg|openssl' |
rpm -qa --queryformat '%{installtime} %{name} %{version}\n' | awk -v seuil="$SECS_AGO" '$1 > seuil' | sort -n | grep -E "$PACKAGE" | while read RPM_ALCASAR |
do |
RPM_TIMESTAMP=$(echo $RPM_ALCASAR | cut -d' ' -f1) |
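Review bot: The pre-check on L5 expands `$PACKAGE` before the new pattern on L8 assigns it, so unless PACKAGE is already set above this hunk the test runs `grep -E ""`, matches every RPM newer than `$SECS_AGO`, and the `-gt 1` condition does not filter on the package list at all; moving the `PACKAGE=...` assignment above the `if` fixes this. The new pattern also still says `clamav` while the download lists in this commit switch the installed package to `clamd` (L207, L310); if the clamav base package is no longer pulled in, clamd updates will be missing from the report, so consider `clamav|clamd` in the alternation. Minor: `while read RPM_ALCASAR` should be `while read -r RPM_ALCASAR`, and `echo $RPM_ALCASAR` on L11 should be quoted. The `if` opened on L5 closes outside the hunk.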
/scripts/alcasar-conf.sh |
---|
275,7 → 275,7 |
$DIR_BIN/alcasar-logout.sh all |
# Services stop |
echo -n "Stop services : " |
for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd |
for i in ntpd e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd |
do |
/usr/bin/systemctl stop $i && echo -n "$i, " |
done |
433,8 → 433,6 |
} |
EOF |
$DIR_BIN/alcasar-dns-local.sh -hosts_to_unbound # add local name resolution to unbound (forward & blackhole) |
# tinyproxy |
$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf |
# DG + BL |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf |
# Watchdog |
448,7 → 446,7 |
# Services start |
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1 |
$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli |
for i in unbound unbound-blackhole tinyproxy ntpd |
for i in unbound unbound-blackhole ntpd |
do |
sleep 1 |
/usr/bin/systemctl start $i && echo -n ", $i" |
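Review bot: Both the stop loop (L19-L21) and the start loop (L37-L40) print a unit name only when systemctl succeeds, so a unit that fails to stop or start leaves no trace in the output and the loop moves on silently; a failure branch such as `if ! /usr/bin/systemctl stop "$i"; then echo -n "$i(failed), " >&2; else echo -n "$i, "; fi` (and the same for start) would make a partial restart visible to the operator. The tinyproxy unit is dropped from both lists here; on a host upgraded from an earlier release where that unit is still enabled, nothing in this script stops it any more, which is presumably handled by the package removal elsewhere but is worth confirming. Both loops sit inside code that starts before and ends after these hunks.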
/scripts/alcasar-daemon.sh |
---|
16,7 → 16,7 |
LDAP=${LDAP:=off} |
INTIF=`grep ^INTIF= $conf_file|cut -d"=" -f2` # INTIF name |
EXTIF=`grep ^EXTIF= $conf_file|cut -d"=" -f2` # EXTIF name |
SERVICES="mysqld lighttpd php-fpm ntpd havp unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd tinyproxy nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd" |
SERVICES="mysqld lighttpd php-fpm ntpd unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban sshd vnstat gammu-smsd" |
nb_available_srv=`echo $SERVICES|wc -w` |
function ServiceTest () { |
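Review bot: The new SERVICES list on L48 names the unit `clamav-daemon`, while the package lists in this commit move from `clamav` to `clamd` (L207, L310); please confirm that the `clamd` package actually ships a unit by that name, because ServiceTest (declared on L50, body outside the hunk) will otherwise report the antivirus daemon as permanently down. The same list is duplicated by hand in alcasar-uninstall.sh (L282, L291) and this commit had to edit all three copies; a comment above L48 such as `# keep in sync with the services= lists in alcasar-uninstall.sh` would help the next change. The context lines L45-L46 still use backticks and an unquoted `$conf_file`; not introduced here, but worth cleaning up when this block is next touched.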
/scripts/alcasar-iptables.sh |
---|
164,46 → 164,56 |
# PREROUTING # |
############################# |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to TCP port 8090 (e2guardian) in order to REJECT them in INPUT rules |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
# 8080 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to TCP port 8090 (tinyproxy) in order to REJECT them in INPUT rules |
# 8090 = ipset havp_wl + havp |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2 |
# 8443 = tranparent HTTPS for ipsets havp_bl + havp_wl + havp |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8443 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8443 -j MARK --set-mark 6 |
# Marquage des paquets qui tentent d'accéder directement au port 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to port 54 (DNS-blacklist) in order to REJECT them in INPUT rules |
# Marquage des paquets qui tentent d'accéder directement aux ports d'écoute DNS (UNBOUND) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to DNS ports (UNBOUND) in order to REJECT them in INPUT rules |
# 54 = ipset havp_bl |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j MARK --set-mark 3 |
# Marquage des paquets qui tentent d'accéder directement au port 55 (DNS-Whitelist) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to port 55 (DNS-whitelist) in order to REJECT them in INPUT rules |
# 55 = ipset havp_wl |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 55 -j MARK --set-mark 4 |
# Marquage des paquets qui tentent d'accéder directement au port 56 (DNS-Blackhole) pour pouvoir les rejeter en INPUT |
# Mark the direct attempts to port 56 (DNS-blackhole) in order to REJECT them in INPUT rules |
# 56 = blackall |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p udp --dport 56 -j MARK --set-mark 5 |
# redirection DNS des usagers 'havp_bl' vers le port local 54 (en évitant le contournement) |
# redirect DNS of 'havp_bl' users to the local port 54 (avoiding bypass) |
# redirection DNS des usagers |
# users DNS redirection |
# 54 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p udp --dport domain -j REDIRECT --to-port 54 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -p tcp --dport domain -j REDIRECT --to-port 54 |
# redirection DNS des usagers 'havp_wl' vers le port local 55 (en évitant le contournement) |
# redirect DNS of 'havp_wl' users to the local port 55 (avoiding bypass) |
# 55 = ipset havp_wl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
# redirection des requêtes DNS de contournement vers le port local 53 |
# redirect of bypass DNS requests to the local port 53 |
# 53 = all other users |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53 |
# Redirection des requêtes HTTP des usagers vers E2guardian |
# Redirect outbound users HTTP requests to E2guardian |
# 8080 = ipset havp_bl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset havp_wl & havp |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# Redirection des requêtes HTTPS sortantes des usagers havp_bl + havp_wl + havp vers E2Guardian |
# Redirect outbound HTTPS requests of havp_bl + havp_wl + havp users to E2Guardian |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443 |
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow. |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT " |
216,15 → 226,6 |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers E2Guardian |
# Redirect outbound HTTP requests of "BL" users to E2Guardian (transparent proxy) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy |
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
# Redirection des requêtes NTP vers le serveur NTP local |
# Redirect NTP request in local NTP server |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123 |
262,53 → 263,40 |
# Conntrack on INPUT |
$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
# On interdit les connexions directes au port utilisé par E2Guardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on E2Guardian port (8080). The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset |
# On interdit les connexions directes aux ports d'écoute d'E2Guardian. Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on E2Guardian listen ports. The concerned paquets have been marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset # havp_bl |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset # havp_wl+havp |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8443 -m mark --mark 6 -j REJECT --reject-with tcp-reset # havp_bl+havp_wl+havp |
# Autorisation des connexions légitimes à E2Guardian |
# Allow connections for E2Guardian |
# On autorise les connexions HTTP/HTTPS légitimes vers E2Guardian |
# Allow HTTP connections to E2Guardian |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m conntrack --ctstate NEW --syn -j ACCEPT |
# On interdit les connexions directes au port utilisé par tinyproxy (8090). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on tinyproxy port (8090). The concerned paquets have been marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset |
# Autorisation des connexions légitimes vers tinyproxy |
# Allow connections to tinyproxy |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m conntrack --ctstate NEW --syn -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8443 -m conntrack --ctstate NEW --syn -j ACCEPT |
# On interdit les connexions directes au port 54 (DNS-blacklist). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on port 54 (DNS-blacklist). The concerned paquets are marked in mangle table (PREROUTING) |
# On interdit les connexions directes aux ports d'écoupe DNS (UNBOUND). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections to DNS ports (UNBOUND). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
# On interdit les connexions directes au port 55 (DNS-whitelist). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on port 55 (DNS-whitelist). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
# On interdit les connexions directes au port 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on port 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 4 -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p udp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 3 -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with tcp-reset |
# autorisation des connexion légitime à Unbound (avec blacklist) |
# Allow connections for Unbound (with blacklist) |
# On autorise les connexion DNS légitime |
# Allow DNS connections |
# ipset = havp_bl |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 54 -j ACCEPT |
# autorisation des connexion légitime à Unbound (avec whitelist) |
# Allow connections for Unbound (with whitelist) |
# ipset = havp_wl |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 55 -j ACCEPT |
# autorisation des connexion légitime à Unbound (mode blackhole) |
# Allow connections for Unbound (blackhole mode) |
# blackall |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 56 -j ACCEPT |
# Accès direct aux services internes |
# On accepte l'accès aux services internes |
# Internal services access |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS |
501,7 → 489,6 |
# Dynamic NAT on EXTIF |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
############################# |
# FAIL2BAN # |
############################# |
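Review bot: In the PREROUTING hunk the HTTP redirects for the `havp_wl` and `havp` sets (L110-L111) do not carry the `-m set ! --match-set site_direct dst` exclusion that the `havp_bl` HTTP rule (L108) and all three HTTPS rules (L114-L116) carry, so destinations meant to bypass the filter are still forced through port 8090 for HTTP while HTTPS to the same destinations goes direct. If that asymmetry is intended it deserves a comment next to L109; otherwise add the exclusion to both lines, e.g. `$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090`. In the INPUT hunk the accept rules on L148, L154 and L155 admit any `$PRIVATE_NETWORK_MASK` source on 8080/8090/8443 and rely entirely on the mark-based REJECTs at L141-L143 being evaluated first; a one-line comment above L148 such as `# order matters: marked direct hits are rejected above, only redirected traffic reaches these ACCEPTs` would make that dependency explicit for whoever next reorders the chain.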
/scripts/alcasar-rpm-download.sh |
---|
13,7 → 13,7 |
# The kernel version we compile netflow for |
KERNEL="kernel-server-5.3.7-4.mga7-1-1.mga7" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamav perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch tinyproxy vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server netcat-traditional" |
PACKAGES="arp-scan vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm e2guardian postfix mariadb ntp bind-utils openssh-server php-xml php-ldap php-mysqli php-mbstring php-sockets php-cli php-curl php-pdo_sqlite php-json rng-utils rsync clamd perl-rrdtool perl-MailTools perl-Socket6 fail2ban gnupg ulogd pm-fallback-policy ipset cronie-anacron usbutils locales-en usb_modeswitch vnstat php-gd sudo iftop man dos2unix p7zip bc msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server netcat-traditional" |
rpm_repository_sync () |
{ |
/scripts/alcasar-uninstall.sh |
---|
96,7 → 96,7 |
e2guardian () |
{ |
echo -en "(14) : " |
echo -en "(15) : " |
[ -d /var/e2guardian ] && rm -rf /var/e2guardian |
[ -d /var/dansguardian ] && rm -rf /var/dansguardian |
[ -e /lib/systemd/system/e2guardian.service.default ] && mv /lib/systemd/system/e2guardian.service.default /lib/systemd/system/e2guardian.service && echo -n "1, " |
103,45 → 103,26 |
[ -e /etc/e2guardian/e2guardian.conf.default ] && mv /etc/e2guardian/e2guardian.conf.default /etc/e2guardian/e2guardian.conf && echo -n "2, " |
[ -e /etc/e2guardian/lists/bannedphraselist.default ] && mv /etc/e2guardian/lists/bannedphraselist.default /etc/e2guardian/lists/bannedphraselist && echo -n "3, " |
[ -e /etc/e2guardian/e2guardianf1.conf.default ] && mv /etc/e2guardian/e2guardianf1.conf.default /etc/e2guardian/e2guardianf1.conf && echo -n "4, " |
[ -e /usr/share/e2guardian/languages/french/template.html.default ] && mv /usr/share/e2guardian/languages/french/template.html.default /usr/share/e2guardian/languages/french/template.html && echo -n "5, " |
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] && mv /usr/share/e2guardian/languages/ukenglish/template.html.default /usr/share/e2guardian/languages/ukenglish/template.html && echo -n "6, " |
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "7, " |
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "8, " |
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "9, " |
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "10, " |
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "11, " |
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "12, " |
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "13, " |
[ -e /etc/e2guardian/lists/urlregexplist.default ] && mv /etc/e2guardian/lists/urlregexplist.default /etc/e2guardian/lists/urlregexplist && echo -n "14" |
[ -e /etc/e2guardian/e2guardianf2.conf ] && rm -f /etc/e2guardian/e2guardianf2.conf && echo -n "5, " |
[ -e /usr/share/e2guardian/languages/french/template.html.default ] && mv /usr/share/e2guardian/languages/french/template.html.default /usr/share/e2guardian/languages/french/template.html && echo -n "6, " |
[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] && mv /usr/share/e2guardian/languages/ukenglish/template.html.default /usr/share/e2guardian/languages/ukenglish/template.html && echo -n "7, " |
[ -e /etc/e2guardian/lists/bannedextensionlist.default ] && mv /etc/e2guardian/lists/bannedextensionlist.default /etc/e2guardian/lists/bannedextensionlist && echo -n "8, " |
[ -e /etc/e2guardian/lists/bannedmimetypelist.default ] && mv /etc/e2guardian/lists/bannedmimetypelist.default /etc/e2guardian/lists/bannedmimetypelist && echo -n "9, " |
[ -e /etc/e2guardian/lists/exceptioniplist.default ] && mv /etc/e2guardian/lists/exceptioniplist.default /etc/e2guardian/lists/exceptioniplist && echo -n "10, " |
[ -e /etc/e2guardian/lists/bannedsitelist.default ] && mv /etc/e2guardian/lists/bannedsitelist.default /etc/e2guardian/lists/bannedsitelist && echo -n "11, " |
[ -e /etc/e2guardian/lists/bannedurllist.default ] && mv /etc/e2guardian/lists/bannedurllist.default /etc/e2guardian/lists/bannedurllist && echo -n "12, " |
[ -e /etc/e2guardian/lists/exceptionsitelist.default ] && mv /etc/e2guardian/lists/exceptionsitelist.default /etc/e2guardian/lists/exceptionsitelist && echo -n "13, " |
[ -e /etc/e2guardian/lists/exceptionurllist.default ] && mv /etc/e2guardian/lists/exceptionurllist.default /etc/e2guardian/lists/exceptionurllist && echo -n "14, " |
[ -e /etc/e2guardian/lists/urlregexplist.default ] && mv /etc/e2guardian/lists/urlregexplist.default /etc/e2guardian/lists/urlregexplist && echo -n "15" |
} |
antivirus () |
{ |
echo -en "(6) : " |
if [ -e /etc/init.d/havp ] |
then |
[ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, " |
[ -d /run/havp ] && rm -rf /run/havp && echo -n "2, " |
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "3, " |
[ -e /lib/systemd/system/havp.service ] && rm /lib/systemd/system/havp.service && echo -n "4, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "5, " |
userdel -r havp 2>/dev/null ; echo -n "6" |
else echo -n "already uninstalled" |
fi |
echo -en "(2) : " |
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "1, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "2" |
} |
tinyproxy () |
{ |
echo -en "(3) : " |
if [ -e /etc/init.d/tinyproxy ] |
then |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] && mv /etc/tinyproxy/tinyproxy.conf.default /etc/tinyproxy/tinyproxy.conf && echo -n "1, " |
[ -d /run/tinyproxy ] && rm -rf /run/tinyproxy && echo -n "2, " |
userdel -r tinyproxy 2>/dev/null && echo -n "3" |
else echo -n "already uninstalled" |
fi |
} |
ulogd () |
{ |
echo -en "(6) : " |
294,7 → 275,7 |
echo "----------------------------------------------------------------------------" |
echo "** Uninstall/Désinstallation d'ALCASAR **" |
echo "----------------------------------------------------------------------------" |
services="alcasar-load_balancing vnstat havp clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli" |
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli" |
/usr/local/bin/alcasar-logout.sh all # logout everybody |
else |
echo "--------------------------------------------------------------------------" |
301,7 → 282,7 |
echo "** update/mise à jour d'ALCASAR **" |
echo "--------------------------------------------------------------------------" |
# unbound, iptables & sshd should stay on to allow remote update |
services="alcasar-load_balancing vnstat havp clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole tinyproxy nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update |
fi |
335,7 → 316,7 |
/usr/bin/systemctl reload sshd |
fi |
echo "Reset ALCASAR main functions : " |
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat unbound dnsmasq dhcpd cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init ACC CA time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dnsmasq dhcpd cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
echo -en "\n- $func " |
$func |
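Review bot: The rewritten `antivirus()` (L259-L261) no longer checks for `/etc/init.d/havp` and so drops the cleanup of the havp user, `/run/havp` and `havp.service` that the old branch performed (L251-L256); on a host upgraded from a release that shipped havp, uninstall now leaves those behind unless the upgrade path removes them elsewhere, and if it does not, the legacy block should be kept under the same `if [ -e /etc/init.d/havp ]` guard after the two new steps. The step counters in these functions (`(15)` on L216, `(2)` on L259) are hand-maintained and the e2guardian renumbering in this hunk shows how easily they drift; a comment above each such as `# (N) = number of numbered steps below; update it when adding or removing a step` would help. The `for func` loop on L299 continues past the end of the hunk.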
/scripts/alcasar-urpmi.sh |
---|
17,7 → 17,7 |
# (old) perl-Socket6 : needed by nfsen |
# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf |
# "lsscsi" & nvme-cli" : needed by phpsysinfo |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch tinyproxy vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli" |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli" |
rpm_repository_sync () |
{ |