18,7 → 18,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
|
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
|
# Options : |
# -i or --install |
39,9 → 39,10 |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# ulogd : log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Nfsen Netflow grapher |
# dnsmasq : Name server configuration |
# unbound : Name server configuration |
# dnsmasq : Name server configuration (for whitelist ipset support) |
# vnstat : little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter) |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
# fail2ban : Fail2ban IDS installation and configuration |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
65,7 → 66,7 |
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files |
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance) |
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance) |
CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file |
PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets |
# ******* DBMS parameters - paramètres SGBD ******** |
132,7 → 133,7 |
old="$IFS" |
IFS="," |
set $fic |
for i in $* |
for i in "$@" |
do |
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ] |
then |
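Review bot: `set $fic` two lines above the loop still hands the first comma-separated field to `set` as an option if it happens to start with `-`, and the quoting fix on `for i in "$@"` does not change that; `set -- $fic` is the safe form whenever the split text comes from a file rather than from the script itself. The test inside the loop can also avoid the backtick pipeline: for the key=value form, `if [[ "$i" == distribution=* ]]` selects the same entries without spawning echo, grep and cut. The enclosing block continues outside the hunk.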
160,7 → 161,7 |
fi |
IFS="$old" |
if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]] |
then |
then |
if [ -e /var/tmp/alcasar-conf.tar.gz ] # update |
then |
echo |
187,7 → 188,7 |
then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)" |
else echo "The OS must be replaced (Mageia6-64bits)" |
fi |
exit 0 |
exit 1 |
fi |
|
# Test if ALCASAR is already installed |
215,8 → 216,8 |
# Retrieve former NICname |
EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-` # EXTernal InterFace |
INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-` # INTernal InterFace |
[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network." |
[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network." |
[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network." |
[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network." |
# Create the current conf file |
$DIR_SCRIPTS/alcasar-conf.sh --create |
mode="update" |
225,7 → 226,7 |
# Test free space on /var |
if [ ! -d /var/log/netflow/porttracker ] |
then |
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G` |
free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'` |
if [ $free_space -lt 10 ] |
then |
if [ $Lang == "fr" ] |
283,7 → 284,7 |
[ -z "$response" ] && response="$interfacePreferred" |
|
# Check if interface exist |
if [ $(echo "$interfacesList" | grep -c "^$response\$") -eq 1 ]; then |
if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then |
INTIF="$response" |
break |
else |
305,11 → 306,11 |
else echo -n "Network parameters tests: " |
fi |
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles) |
cd /etc/sysconfig/network-scripts/ |
cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; } |
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1` |
for i in $IF_INTERFACES |
do |
if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then |
if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then |
rm -f ifcfg-$i |
|
if [ $Lang == "fr" ] |
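Review bot: The new guard `cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }` prints its diagnostic to stdout, where it is interleaved with the progress dots and the interactive prompts; `echo "..." >&2` keeps it on stderr, and the same applies to the guards this commit adds at hunks 318, 1468, 1515, 1972 and 2004. Because each of these sites exits the whole installer from inside a function, a shared helper `die() { printf '%s\n' "$*" >&2; exit 1; }` would reduce them to one consistent line each. On the line after the guard, `rm -f ifcfg-$i` should quote its expansion, `rm -f -- "ifcfg-$i"`, in line with the quoting this commit adds elsewhere.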
318,7 → 319,7 |
fi |
fi |
done |
cd $DIR_INSTALL |
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; } |
echo -n "." |
# Test Ethernet NIC links state |
interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1) |
342,7 → 343,7 |
PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'` |
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1` |
PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'` |
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ] |
if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ] |
then |
if [ $Lang == "fr" ] |
then |
367,7 → 368,7 |
fi |
echo -n "." |
# Test if default GW is set on EXTIF (router or ISP provider equipment) |
if [ `/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default '` -ne 1 ] ; then |
if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then |
if [ $Lang == "fr" ] |
then |
echo -e "\nÉchec" |
383,7 → 384,7 |
echo -n "." |
# Test if default GW is alive |
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2` |
if [ $(expr $arp_reply) -eq 0 ] |
if [ "$(expr $arp_reply)" -eq 0 ] |
then |
if [ $Lang == "fr" ] |
then |
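Review bot: The quoting fix on `if [ "$(expr $arp_reply)" -eq 0 ]` still lets an empty `$arp_reply` through: when arping prints nothing, `expr` receives no operand and prints nothing, the test becomes `[ "" -eq 0 ]`, which fails with an integer-expression error, and execution skips the failure branch as if the gateway had answered. Defaulting the value closes the gap, `if [ "${arp_reply:-0}" -eq 0 ]`, and once the value is known to be numeric the `expr` call adds nothing. The enclosing block continues outside the hunk.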
438,7 → 439,7 |
fi |
read ORGANISME |
if [ "$ORGANISME" == "" ] |
then |
then |
ORGANISME=! |
fi |
done |
447,7 → 448,7 |
# We create random passwords and shared secrets |
rm -f $PASSWD_FILE |
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE |
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8` |
grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8` |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \ |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \ |
grep -v '[eE]nter password:' | \ |
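Review bot: `$PASSWD_FILE` is created by `echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE` with whatever umask the installer inherits, and the `chmod 640 $PASSWD_FILE` that protects it comes only at the end of the next hunk (line 177), after the GRUB, MariaDB, UAM and RADIUS secrets have all been appended; with the usual 022 umask the file is world-readable for that whole window. Creating it with its final mode first removes the window: replace `rm -f $PASSWD_FILE` with `install -m 640 /dev/null "$PASSWD_FILE"`, or wrap the first write as `( umask 077; echo "..." > "$PASSWD_FILE" )`. Also, the first line of the next hunk writes with `>` (`echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE`), which truncates the file and discards this header line plus anything appended between the two hunks — confirm that `>>` was not intended there.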
459,17 → 460,17 |
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE |
echo "GRUB2_user=root" >> $PASSWD_FILE |
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE |
echo "db_user=$DB_USER" >> $PASSWD_FILE |
echo "db_password=$radiuspwd" >> $PASSWD_FILE |
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE |
echo "secret_uam=$secretuam" >> $PASSWD_FILE |
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16` |
secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16` |
echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE |
echo "secret_radius=$secretradius" >> $PASSWD_FILE |
chmod 640 $PASSWD_FILE |
535,7 → 536,7 |
read PRIVATE_IP_MASK |
done |
else |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK |
fi |
else |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2` |
549,7 → 550,7 |
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24) |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side) |
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address |
then |
then |
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` |
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX` |
fi |
558,10 → 559,6 |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24 |
classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.) |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255) |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4` # last octet of LAN broadcast |
PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1) |
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254) |
PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF |
# Define Internet parameters |
if [ "$mode" != "update" ] |
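Review bot: The four dropped assignments (PRIVATE_BROADCAST, private_broadcast_ending, PRIVATE_FIRST_IP, PRIVATE_LAST_IP) fed the dnsmasq dhcp-range template that this commit also removes, but they may still be referenced by parts of the script outside this view (the chilli or alcasar.conf sections, or the bypass mode); unless the script runs under `set -u`, a leftover reference would expand to an empty string without any error. A grep for each name across the repository before merging would settle it. The block that follows continues outside the hunk.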
611,7 → 608,7 |
######################################################################################################### |
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic |
if [ $IP_SETTING == "dhcp" ] |
then |
then |
echo "PUBLIC_IP=dhcp" >> $CONF_FILE |
echo "GW=dhcp" >> $CONF_FILE |
else |
644,7 → 641,7 |
# write EXTIF (Internet) config |
[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF |
if [ $IP_SETTING == "dhcp" ] |
then |
then |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=dhcp |
661,7 → 658,7 |
USERCTL=no |
MTU=$MTU |
EOF |
else |
else |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=static |
758,10 → 755,10 |
# load ipt_NETFLOW module |
echo "ipt_NETFLOW" >> /etc/modprobe.preload |
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush) |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
# |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
} # End of network () |
823,8 → 820,8 |
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default |
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf |
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf |
|
845,15 → 842,16 |
|
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d |
cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/ |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf |
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf |
|
[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd |
[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log |
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log |
|
chown -R apache:apache /var/log/lighttpd |
/usr/bin/systemctl start lighttpd |
/usr/bin/systemctl start php-fpm |
860,16 → 858,16 |
|
# Creation of the first account (in 'admin' profile) |
if [ "$mode" = "install" ] |
then |
header_install |
then |
header_install |
# Creation of keys file for the admin account ("admin") |
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
mkdir -p $DIR_DEST_ETC/digest |
chmod 755 $DIR_DEST_ETC/digest |
until [ -s $DIR_DEST_ETC/digest/key_admin ] |
do |
$DIR_DEST_BIN/alcasar-profil.sh --add admin |
done |
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
mkdir -p $DIR_DEST_ETC/digest |
chmod 755 $DIR_DEST_ETC/digest |
until [ -s $DIR_DEST_ETC/digest/key_admin ] |
do |
$DIR_DEST_BIN/alcasar-profil.sh --add admin |
done |
fi |
|
# Run after coova (in order to wait tun0 to be up) |
919,7 → 917,7 |
EOF |
chown -R ntp:ntp /var/lib/ntp |
# Synchronize now |
ntpd -q -g & |
ntpd -4 -q -g & |
} # End of time_server () |
|
##################################################################### |
932,7 → 930,7 |
##################################################################### |
init_db () |
{ |
if [ `systemctl is-active mysqld` == "active" ] |
if [ "`systemctl is-active mysqld`" == "active" ] |
then |
systemctl stop mysqld |
fi |
957,16 → 955,16 |
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !" |
exit |
fi |
MYSQL="/usr/bin/mysql --execute" |
# Secure the server |
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';" |
|
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;" |
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" |
# Create 'radius' database |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;" |
# Add an empty radius database structure |
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql |
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql |
# modify the start script in order to close accounting connexion when the system is comming down or up |
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default |
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service |
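Review bot: The corrected `$MYSQL "..."` invocations and `/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < ...` still pass the root and radius passwords on the command line, so they are visible in `/proc/*/cmdline` to every local user at least until the client has parsed its arguments, and they would appear verbatim in any `set -x` trace of the installer; the gammu hunk at 1845 (lines 752 and 755) has the same pattern. Passing the secret through the environment keeps it off argv: `MYSQL_PWD=$mysqlpwd /usr/bin/mysql -uroot --execute "..."`, or a temporary `--defaults-extra-file` holding a `[client]` section with mode 600. The unquoted `$MYSQL` word-splits the password into the argument list, which only works because the generated passwords are `[:alnum:]`; a comment on the assignment such as `# mysqlpwd is [:alnum:] only, so unquoted $MYSQL word-splits safely` would record that dependency.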
1051,7 → 1049,6 |
/usr/bin/systemctl daemon-reload |
# Allow apache to change some conf files (ie : ldap on/off) |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
|
} # End freeradius () |
|
############################################################################# |
1186,7 → 1183,7 |
# |
#Code : 42 => 2a |
#Len : 4 => 04 |
PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4)) |
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)") |
cat <<EOF > /etc/chilli.conf |
# coova config for ALCASAR |
cmdsocket /var/run/chilli.sock |
1468,7 → 1465,7 |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/ |
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version) |
DirTmp=$(pwd) |
cd /tmp/nfsen-*/ |
cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; } |
/usr/bin/perl install.pl etc/nfsen.conf |
/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable" |
# Create RRD DB for porttracker (only in it still doesn't exist) |
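Review bot: `cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }` now fails loudly, but the glob still picks whichever directory in the world-writable /tmp matches `nfsen-*`: a stale or foreign directory is entered and `perl install.pl` is then run from it as root, and with two matches `cd` receives two arguments and, depending on the bash version, either errors out or silently takes the first. Extracting into a private `mktemp -d` directory and entering it by name (`tmpdir=$(mktemp -d)`, `tar ... -C "$tmpdir"`, `cd "$tmpdir"/nfsen-*/`) removes the ambiguity; the acme.sh hunk at 1972 (`cd /tmp/acme.sh-*`) has the same shape, and the `tar xzf ... -C /tmp/` that precedes it would move to the same private directory. The `rm -rf /tmp/nfsen-*` in hunk 1515 would then become `rm -rf -- "${tmpdir:?}"`.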
1505,7 → 1502,7 |
WantedBy=multi-user.target |
EOF |
# Add the listen port to collect netflow packet (nfcapd) |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm |
$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm |
# expire delay for the profile "live" |
/usr/bin/systemctl start nfsen |
/bin/nfsen -m live -e 62d 2>/dev/null |
1515,11 → 1512,11 |
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/ |
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/ |
# cd /tmp/ |
# /usr/bin/sh SURFmap/install.sh |
# /usr/bin/sh SURFmap/install.sh |
# clear the installation |
# rm -rf /tmp/SURFmap* |
rm -rf /tmp/nfsen-* |
cd $DirTmp |
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; } |
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen |
} # End of nfsen () |
|
1531,7 → 1528,7 |
{ |
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf |
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php |
1546,67 → 1543,14 |
dnsmasq () |
{ |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq |
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on. |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
cat << EOF > /etc/dnsmasq.conf |
# Configuration file for "dnsmasq in forward mode" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions |
listen-address=$PRIVATE_IP |
pid-file=/var/run/dnsmasq.pid |
listen-address=127.0.0.1 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=2048 |
domain-needed |
expand-hosts |
bogus-priv |
filterwin2k |
server=$DNS1 |
server=$DNS2 |
# DHCP service is configured. It will be enabled in "bypass" mode |
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h |
#dhcp-option=option:router,$PRIVATE_IP |
#dhcp-option=option:ntp-server,$PRIVATE_IP |
|
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail> |
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m |
EOF |
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist") |
cat << EOF > /etc/dnsmasq-blacklist.conf |
# Configuration file for "dnsmasq with blacklist" |
# Add Toulouse University blacklist domains |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions |
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled |
pid-file=/var/run/dnsmasq-blacklist.pid |
listen-address=$PRIVATE_IP |
port=54 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=2048 |
domain-needed |
expand-hosts |
bogus-priv |
filterwin2k |
log-queries |
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log |
server=$DNS1 |
server=$DNS2 |
EOF |
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist") |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist") |
cat << EOF > /etc/dnsmasq-whitelist.conf |
# Configuration file for "dnsmasq with whitelist" |
# ADD Toulouse university whitelist domains |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions |
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled |
pid-file=/var/run/dnsmasq-whitelist.pid |
listen-address=$PRIVATE_IP |
listen-address=127.0.0.1 |
port=55 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=1024 |
1614,60 → 1558,228 |
expand-hosts |
bogus-priv |
filterwin2k |
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL) |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules |
server=$DNS1 |
server=$DNS2 |
EOF |
# 4th dnsmasq listen on udp 56 ("blackhole") |
cat << EOF > /etc/dnsmasq-blackhole.conf |
# Configuration file for "dnsmasq as a blackhole" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions |
address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address |
pid-file=/var/run/dnsmasq-blackhole.pid |
listen-address=$PRIVATE_IP |
port=56 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=256 |
domain-needed |
expand-hosts |
bogus-priv |
filterwin2k |
|
# Create dnsmasq-whitelist unit |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
} # End dnsmasq |
|
################################################## |
## Function "unbound" ## |
################################################## |
unbound () |
{ |
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d |
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common |
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward |
[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns |
[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward |
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist |
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist |
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole |
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; } |
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default |
|
# Local static DNS configuration |
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf |
|
# Forward zone configuration file for all unbound dns servers |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf |
forward-zone: |
name: "." |
forward-addr: $DNS1 |
forward-addr: $DNS2 |
EOF |
# file managing domain name resolution (local & remote) |
cat << EOF > $DIR_DEST_ETC/alcasar-dns-name |
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut) |
# Here you can define your local domain name ('localdomain' by default) |
local=/localdomain/ |
domain=localdomain |
|
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS |
## Add one line for each domain name managed by an other DNS server |
## server=/<your_domain>/<@IP_domain_server> |
## Exemple for an A.D. domain : server=/Your.Domain.AD/110.120.100.100 |
## Exemple for an other domain : server=/an_other_domain/10.20.30.40 |
|
# Custom configuration file for manual DNS configuration |
cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf |
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS |
## Add one block for each domain name managed by an other DNS server |
## |
## Example: |
## |
## server: |
## local-zone: "<your_domain>." transparent |
## forward-zone: |
## name: "<your_domain>." |
## forward-addr: <@IP_domain_server> |
## |
## INFO : local hostnames are resolved in /etc/hosts file |
EOF |
|
# the main instance should start after network and chilli (which create tun0) |
[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service |
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit |
for list in blacklist whitelist blackhole |
# Configuration file of ALCASAR main domains for $INTIF |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
server: |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
EOF |
|
# Configuration file for lo of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
server: |
interface: 127.0.0.1@53 |
access-control-view: 127.0.0.1/8 lo |
|
view: |
name: "lo" |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A 127.0.0.1" |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
view-first: yes |
EOF |
|
# Configuration file for $INTIF of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@53 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
|
view: |
name: "$INTIF" |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
view-first: yes |
EOF |
|
# Configuration file for forward unbound |
cat << EOF > /etc/unbound/unbound.conf |
server: |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
|
include: /etc/unbound/conf.d/common/forward-zone.conf |
include: /etc/unbound/conf.d/common/local-forward/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/forward/* |
EOF |
|
# Configuration file for $INTIF of blacklist unbound |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@54 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "blacklist" |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
EOF |
|
# Configuration file for blacklist unbound |
cat << EOF > /etc/unbound/unbound-blacklist.conf |
server: |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
logfile: "/var/log/unbound/unbound-blacklist.log" |
chroot: "" |
define-tag: "blacklist" |
log-local-actions: yes |
|
include: /etc/unbound/conf.d/common/forward-zone.conf |
include: /etc/unbound/conf.d/common/local-forward/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/blacklist/* |
|
include: /usr/local/share/unbound-bl-enabled/* |
EOF |
|
# Configuration file for $INTIF of whitelist unbound |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@55 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "whitelist" |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
EOF |
|
# Configuration file for whitelist unbound |
cat << EOF > /etc/unbound/unbound-whitelist.conf |
server: |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
do-not-query-localhost: no |
define-tag: "whitelist" |
|
local-zone: "." transparent |
local-zone-tag: "." "whitelist" |
|
include: /usr/local/share/unbound-wl-enabled/* |
include: /etc/unbound/conf.d/whitelist/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/common/local-forward/* |
|
forward-zone: |
name: "." |
forward-addr: 127.0.0.1@55 |
EOF |
|
# Configuration file for $INTIF of blackhole unbound |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@56 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
|
view: |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
EOF |
|
# Configuration file for blackhole unbound |
cat << EOF > /etc/unbound/unbound-blackhole.conf |
server: |
verbosity: 1 |
hide-version: yes |
hide-identity: yes |
do-ip6: no |
|
include: /etc/unbound/conf.d/blackhole/* |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/common/local-forward/* |
EOF |
|
if [ ! -e /lib/systemd/system/unbound.service.default ] |
then |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default |
fi |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service |
|
for list in blacklist blackhole whitelist |
do |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service |
done |
} # End dnsmasq |
|
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service |
} # End unbound |
|
########################################################## |
## Function "BL" ## |
## - copy Toulouse BL ## |
## - adapt this BL to ALCASAR architecture ## |
## - domain names for dnsmasq-bl & dnasmasq-wl ## |
## - domain names for unbound-bl & unbound-wl ## |
## - URLs for E²guardian ## |
## - IPs for NetFilter ## |
########################################################## |
1845,9 → 1957,9 |
|
# Create 'gammu' database |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute" |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;" |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;" |
# Add a gammu database structure |
mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql |
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql |
|
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port) |
cat << EOF > /etc/gammurc |
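Review bot: The corrected `$MYSQL "CREATE DATABASE …"` call still hands the MariaDB root password to the client on its command line through `-p$mysqlpwd`, and the structure import two lines below does the same with `-p$radiuspwd`; anyone able to list processes during the install window (and any `set -x` trace, which the DEBUG_ALCASAR mode may well produce) can read the secret, even where the client later masks its argument. Writing the credentials to a `mktemp` option file (created mode 0600) and passing it with `--defaults-extra-file` keeps both invocations off argv without changing how `$MYSQL` is used as a string. The same statement also interpolates the password into the SQL (`IDENTIFIED BY '$radiuspwd'`), so a generated value containing a single quote would break the GRANT; worth confirming the password generator's alphabet excludes it or quoting the value accordingly. The enclosing gammu_smsd function starts and ends outside this hunk.
```shell
# Create 'gammu' database -- credentials via a private option file, not argv
mysql_cnf=$(mktemp) || { echo "Unable to create temporary mysql option file"; exit 1; }
printf '[client]\nuser=root\npassword=%s\n' "$mysqlpwd" > "$mysql_cnf"
MYSQL="/usr/bin/mysql --defaults-extra-file=$mysql_cnf --execute"
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
# Add a gammu database structure
printf '[client]\nuser=%s\npassword=%s\n' "$DB_USER" "$radiuspwd" > "$mysql_cnf"
/usr/bin/mysql --defaults-extra-file="$mysql_cnf" "$DB_GAMMU" < "$DIR_CONF/empty-gammu-smsd-db.sql"
rm -f -- "$mysql_cnf"
# … unchanged: gammurc generation …
```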
1972,7 → 2084,7 |
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/ |
|
pwdInstall=$(pwd) |
cd /tmp/acme.sh-* |
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; } |
|
acmesh_installDir="/opt/acme.sh" |
acmesh_confDir="/usr/local/etc/letsencrypt" |
2004,7 → 2116,7 |
dateNextRenewal= |
EOF |
|
cd $pwdInstall |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; } |
rm -rf /tmp/acme.sh-* |
|
} # END letsencrypt() |
2027,7 → 2139,7 |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
# sshd liste on EXTIF & INTIF |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config |
2052,6 → 2164,9 |
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE |
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE |
echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE |
echo "BL_PUREIP=on" >> $CONF_FILE |
echo "BL_SAFESEARCH=off" >> $CONF_FILE |
echo "WL_SAFESEARCH=off" >> $CONF_FILE |
# Prompt customisation (colors) |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default |
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc |
2068,7 → 2183,7 |
# actualisation des fichiers logs compressés |
for dir in firewall e2guardian lighttpd |
do |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \; |
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \; |
done |
# create the alcasar-load_balancing unit |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service |
2097,13 → 2212,13 |
EOF |
/usr/bin/systemctl daemon-reload |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
do |
/usr/bin/systemctl -q enable $i.service |
done |
|
# disable processes at boot time (Systemctl) |
for i in ulogd gpm |
for i in ulogd gpm dhcpd |
do |
/usr/bin/systemctl -q disable $i.service |
done |
2152,10 → 2267,10 |
if [ $Lang == "fr" ] |
then |
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release |
else |
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release |
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release |
echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release |
fi |
/usr/bin/update-grub2 |
# Load and apply the previous conf file |
2174,7 → 2289,7 |
chown -R root:apache $DIR_DEST_ETC/* |
chmod -R 660 $DIR_DEST_ETC/* |
chmod ug+x $DIR_DEST_ETC/digest |
cd $DIR_INSTALL |
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; } |
echo "" |
echo "#############################################################################" |
if [ $Lang == "fr" ] |
2190,7 → 2305,7 |
echo |
echo "- Lisez attentivement la documentation d'exploitation" |
echo |
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain" |
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN" |
echo |
echo " Appuyez sur 'Entrée' pour continuer" |
else |
2205,7 → 2320,7 |
echo |
echo "- Read the exploitation documentation" |
echo |
echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain" |
echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN" |
echo |
echo " Hit 'Enter' to continue" |
fi |
2212,7 → 2327,7 |
sleep 2 |
if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ] |
then |
read a |
read |
fi |
clear |
reboot |
2228,10 → 2343,10 |
echo "Launch this program from the ALCASAR archive directory" |
exit 0 |
fi |
if [[ $EUID > 0 ]] |
if [ $EUID -gt 0 ] |
then |
echo "Vous devez être "root" pour installer ALCASAR (commande 'su')" |
echo "You must be "root" to install ALCASAR ('su' command)" |
echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')" |
echo "You must be \"root\" to install ALCASAR ('su' command)" |
exit 0 |
fi |
VERSION=`cat $DIR_INSTALL/VERSION` |
2273,7 → 2388,7 |
if [ $DEBUG_ALCASAR == "on" ] |
then |
echo "*** 'debug' : end of cleaning ***" |
read a |
read |
fi |
# Test if manual update |
if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ] |
2313,13 → 2428,13 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1` |
mode="update" |
fi |
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |
then |
then |
echo "*** 'debug' : end of install '$func' ***" |
read a |
read |
fi |
done |
;; |
2359,4 → 2474,3 |
;; |
esac |
# end of script |
|