50,7 → 50,6 |
DATE=`date '+%d %B %Y - %Hh%M'` |
DATE_SHORT=`date '+%d/%m/%Y'` |
Lang=`echo $LANG|cut -c 1-2` |
mode="install" |
# ******* Files parameters - paramètres fichiers ********* |
DIR_INSTALL=`pwd` # current directory |
DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files) |
109,51 → 108,34 |
################################################################## |
testing () |
{ |
# Test if ALCASAR is already installed |
if [ -e $CONF_FILE ] |
then |
current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2` |
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G` |
if [ $free_space -lt 10 ] |
then |
if [ $Lang == "fr" ] |
then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée"; |
else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed"; |
then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)" |
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)" |
fi |
response=0 |
PTN='^[oOnNyY]$' |
until [[ $(expr $response : $PTN) -gt 0 ]] |
do |
if [ $Lang == "fr" ] |
then echo -n "Voulez-vous effectuer une mise à jour (O/n)? "; |
else echo -n "Do you want to update (Y/n)?"; |
fi |
read response |
done |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
then |
rm -f /tmp/alcasar-conf* |
else |
# Create a backup of running version importants files |
$DIR_SCRIPTS/alcasar-conf.sh --create |
mode="update" |
fi |
else |
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G` |
if [ $free_space -lt 10 ] |
then |
if [ $Lang == "fr" ] |
then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)" |
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)" |
fi |
exit 0 |
fi |
fi |
if [ $Lang == "fr" ] |
then echo -n "Tests des paramètres réseau : " |
else echo -n "Network parameters tests : " |
fi |
# We test gw |
if [ "$EXTIF" == "" ] |
then |
if [ $Lang == "fr" ] |
then |
echo "L'adresse du routeur n'est pas configuré" |
else |
echo "The gateway address isn't set" |
fi |
exit 0 |
fi |
# We test EXTIF config files |
PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` |
PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` |
if [ "$EXTIF" == "" ] || [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ] |
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ] |
then |
if [ $Lang == "fr" ] |
then |
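Review bot: The free-space probe at L17 and L45 passes `[:space:]G` to `tr` unquoted, so the shell treats it as a glob; if the current directory holds a file named `s`, `p`, `a`, `c`, `e` or `:`, `tr` receives that filename instead of the character class, `free_space` is no longer a bare integer, and the following `[ $free_space -lt 10 ]` errors out instead of giving a clean verdict. Quote both: `free_space=$(df -BG --output=avail /var | tail -1 | tr -d '[:space:]G')` and `if [ "${free_space:-0}" -lt 10 ]`, so an empty result from a failed `df` is reported as insufficient space rather than aborting the check. I read these lines as new-side additions from the hunk's 51→34 counts; the `then` at L77 has no body in view because `testing` continues past the hunk.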
160,12 → 142,12 |
echo "Échec" |
echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée." |
echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
echo "Appliquez les changements : 'systemctl restart network'" |
echo "Appliquez les changements : 'service network restart'" |
else |
echo "Failed" |
echo "The Internet connected network card ($EXTIF) isn't well configured." |
echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :" |
echo "Apply the new configuration 'systemctl restart network'" |
echo "Apply the new configuration 'service network restart'" |
fi |
echo "DEVICE=$EXTIF" |
echo "IPADDR=" |
1544,25 → 1526,60 |
systemctl -q enable $i |
done |
# Apply French Security Agency (ANSSI) rules |
# ignore ICMP broadcast (smurf attack) |
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf |
# ignore ICMP errors bogus |
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf |
# remove ICMP redirects responces |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf |
# enable SYN Cookies (Syn flood attacks) |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf |
# enable kernel antispoofing |
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf |
# ignore source routing |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf |
# set conntrack timer to 1h (3600s) instead of 5 weeks |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf |
# ignorer les broadcast ICMP. (attaque smurf) |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 |
# ignorer les erreurs ICMP bogus |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 |
# désactiver l'envoi et la réponse aux ICMP redirects |
sysctl -w net.ipv4.conf.all.accept_redirects=0 |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l` |
if [ "$accept_redirect" == "0" ] |
then |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf |
else |
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf |
fi |
sysctl -w net.ipv4.conf.all.send_redirects=0 |
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l` |
if [ "$send_redirect" == "0" ] |
then |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf |
else |
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf |
fi |
# activer les SYN Cookies (attaque syn flood) |
sysctl -w net.ipv4.tcp_syncookies=1 |
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l` |
if [ "$tcp_syncookies" == "0" ] |
then |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf |
else |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf |
fi |
# activer l'antispoofing niveau Noyau |
sysctl -w net.ipv4.conf.all.rp_filter=1 |
# ignorer le source routing |
sysctl -w net.ipv4.conf.all.accept_source_route=0 |
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l` |
if [ "$accept_source_route" == "0" ] |
then |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf |
else |
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf |
fi |
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines |
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600 |
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l` |
if [ "$timeout_established" == "0" ] |
then |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf |
else |
$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf |
fi |
# disable log_martians (ALCASAR is often installed between two private network addresses) |
echo "net.ipv4.conf.all.log_martians = 0" >> etc/sysctl.d/alcasar.conf |
# remove Magic SysReq Keys |
[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.con |
sysctl -w net.ipv4.conf.all.log_martians=0 |
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys |
# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver |
# switch to multi-users runlevel (instead of x11) |
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target |
# GRUB modifications |
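Review bot: The persistence checks at L118, L126, L135, L146 and L155 count any line of /etc/sysctl.conf containing the key name, including commented-out examples, so when the distribution ships a line such as `#net.ipv4.conf.all.accept_redirects = 0` the `$SED` branch edits a comment and the hardening value is never applied at boot; only the runtime `sysctl -w` takes effect until the next reboot. Match the key at the start of a line, e.g. `grep -c '^net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf`, and anchor the sed pattern the same way so `accept_redirects.*` cannot also rewrite `net.ipv4.conf.default.*` or `net.ipv6.*` entries. L121 appends the accept_redirects fallback to /etc/sysctl.d/alcasar.conf while its check and every sibling fallback use /etc/sysctl.conf, so on a re-run the key is still not found and the line is appended again; it should write `>> /etc/sysctl.conf` like L129. I inferred the new side (the `sysctl -w` block) from the hunk's 25→60 counts; the surrounding function starts before the hunk.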
1576,12 → 1593,16 |
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst |
$SED "/^gfxmenu/d" /boot/grub/menu.lst |
# Remove unused services and users |
for svc in sshd.service |
for old_svc in alsa sound dm |
do |
/bin/systemctl -q disable $svc |
/sbin/chkconfig --del $old_svc |
done |
for rm_users in sysqdin |
for svc in snmpd.service sshd.service |
do |
/bin/systemctl disable $svc |
done |
for rm_users in avahi-autoipd avahi icapd |
do |
user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1` |
if [ "$user" == "$rm_users" ] |
then |
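Review bot: The account lookup at L189 is a substring `grep`, so for `avahi` it matches both the `avahi` and `avahi-autoipd` passwd entries, `$user` becomes two lines, the equality test at L190 is false and that account is left in place (the `for` body continues past the hunk). Anchor on the name field instead: `user=$(grep "^$rm_users:" /etc/passwd | cut -d":" -f1)` or `user=$(getent passwd "$rm_users" | cut -d: -f1)`. I read L183–L187 as new-side lines from the 12→16 counts; if `/sbin/chkconfig --del` at L180 is also new, a `command -v chkconfig >/dev/null` guard before that loop would avoid a spurious failure on a host without it, and `$svc`/`$old_svc` should be quoted in both disable loops.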
1770,6 → 1791,33 |
license |
header_install |
testing |
# Test if ALCASAR is already installed |
if [ -e $CONF_FILE ] |
then |
current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2` |
if [ $Lang == "fr" ] |
then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée"; |
else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed"; |
fi |
response=0 |
PTN='^[oOnNyY]$' |
until [[ $(expr $response : $PTN) -gt 0 ]] |
do |
if [ $Lang == "fr" ] |
then echo -n "Voulez-vous effectuer une mise à jour (O/n)? "; |
else echo -n "Do you want to update (Y/n)?"; |
fi |
read response |
done |
if [ "$response" = "n" ] || [ "$response" = "N" ] |
then |
rm -f /tmp/alcasar-conf* |
else |
# Create a backup of running version importants files |
$DIR_SCRIPTS/alcasar-conf.sh --create |
mode="update" |
fi |
fi |
# RPMs install |
$DIR_SCRIPTS/alcasar-urpmi.sh |
if [ "$?" != "0" ] |
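Review bot: The confirmation loop at L206 runs `expr` with `$response` unquoted, so a bare Enter or input containing spaces gives `expr` the wrong argument count and prints a syntax error on every iteration instead of a clean re-prompt; `until [[ "$response" =~ $PTN ]]` does the same match without a fork, and `read -r response` at L212 keeps backslashes literal. The backup created at L219 and the leftover archive removed at L216 both live under /tmp, and the later hunk's `[ -e /tmp/alcasar-conf*.tar.gz ]` at L231 treats any matching file there as a manual update, so a root installer restores configuration from a world-writable directory; writing the archive to a root-owned location (e.g. a `mktemp -d` directory under the install dir) and testing the exact path closes that and also avoids the `too many arguments` error `[ -e ]` gives when the glob matches more than one file. L197 and L199 should quote the path and anchor the key, `grep '^VERSION=' "$CONF_FILE" | cut -d= -f2`, so other keys containing VERSION do not match. The hunk counts (6→33) show no removals, so these lines are all on the new side; note also that `mode="update"` at L220 is set without checking the exit status of `alcasar-conf.sh --create`, so a failed backup still proceeds as an update.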
1782,7 → 1830,7 |
$DIR_SCRIPTS/sbin/alcasar-uninstall.sh |
fi |
# Test if manual update |
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ] |
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ] |
then |
header_install |
if [ $Lang == "fr" ] |
1818,11 → 1866,13 |
MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1` |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3` |
mode="update" |
else |
mode="install" |
fi |
for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install |
do |
$func |
# echo "*** 'debug' : end of function $func ***"; read a |
echo "*** 'debug' : end of function $func ***"; read a |
done |
;; |
-u | --uninstall) |
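Review bot: The debug pause at L246 is live code: after each of the seventeen functions in the `for func in …` loop it prints the marker and blocks on `read a`, so the install stops repeatedly waiting for a keypress and hangs outright when run non-interactively. If I read the 11→13 counts right, L246 replaces the commented form at L245; gate it behind a variable, e.g. `[ "${DEBUG:-0}" = "1" ] && { echo "*** 'debug' : end of function $func ***"; read -r a; }`, or restore the comment before release. The `case` arm at L249 continues past the hunk.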