
Regard whitespace Rev 2688 → Rev 2687

/alcasar.sh
18,7 → 18,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 
# Options :
# -i or --install
39,10 → 39,9
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
# ulogd : log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Nfsen Netflow grapher
# unbound : Name server configuration
# dnsmasq : Name server configuration (for whitelist ipset support)
# dnsmasq : Name server configuration
# vnstat : little network stat daemon
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
# cron : Logs export + watchdog + connexion statistics
# fail2ban : Fail2ban IDS installation and configuration
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
66,7 → 65,7
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance)
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
# ******* DBMS parameters - paramètres SGBD ********
133,7 → 132,7
old="$IFS"
IFS=","
set $fic
for i in "$@"
for i in $*
do
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
then
188,7 → 187,7
then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
else echo "The OS must be replaced (Mageia6-64bits)"
fi
exit 1
exit 0
fi
 
# Test if ALCASAR is already installed
216,8 → 215,8
# Retrieve former NICname
EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-` # EXTernal InterFace
INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-` # INTernal InterFace
[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
# Create the current conf file
$DIR_SCRIPTS/alcasar-conf.sh --create
mode="update"
226,7 → 225,7
# Test free space on /var
if [ ! -d /var/log/netflow/porttracker ]
then
free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
if [ $free_space -lt 10 ]
then
if [ $Lang == "fr" ]
284,7 → 283,7
[ -z "$response" ] && response="$interfacePreferred"
 
# Check if interface exist
if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
if [ $(echo "$interfacesList" | grep -c "^$response\$") -eq 1 ]; then
INTIF="$response"
break
else
306,11 → 305,11
else echo -n "Network parameters tests: "
fi
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
cd /etc/sysconfig/network-scripts/
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
for i in $IF_INTERFACES
do
if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
rm -f ifcfg-$i
 
if [ $Lang == "fr" ]
319,7 → 318,7
fi
fi
done
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
cd $DIR_INSTALL
echo -n "."
# Test Ethernet NIC links state
interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
343,7 → 342,7
PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
then
if [ $Lang == "fr" ]
then
368,7 → 367,7
fi
echo -n "."
# Test if default GW is set on EXTIF (router or ISP provider equipment)
if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
if [ `/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default '` -ne 1 ] ; then
if [ $Lang == "fr" ]
then
echo -e "\nÉchec"
384,7 → 383,7
echo -n "."
# Test if default GW is alive
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
if [ "$(expr $arp_reply)" -eq 0 ]
if [ $(expr $arp_reply) -eq 0 ]
then
if [ $Lang == "fr" ]
then
448,7 → 447,7
# We create random passwords and shared secrets
rm -f $PASSWD_FILE
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
grep -v '[eE]nter password:' | \
460,17 → 459,17
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
echo "GRUB2_user=root" >> $PASSWD_FILE
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
echo "db_user=$DB_USER" >> $PASSWD_FILE
echo "db_password=$radiuspwd" >> $PASSWD_FILE
secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
echo "secret_uam=$secretuam" >> $PASSWD_FILE
secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
echo "secret_radius=$secretradius" >> $PASSWD_FILE
chmod 640 $PASSWD_FILE
559,6 → 558,10
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4` # last octet of LAN broadcast
PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF
# Define Internet parameters
if [ "$mode" != "update" ]
820,8 → 823,8
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
 
842,16 → 845,15
 
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
 
[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
 
chown -R apache:apache /var/log/lighttpd
/usr/bin/systemctl start lighttpd
/usr/bin/systemctl start php-fpm
917,7 → 919,7
EOF
chown -R ntp:ntp /var/lib/ntp
# Synchronize now
ntpd -4 -q -g &
ntpd -q -g &
} # End of time_server ()
 
#####################################################################
930,7 → 932,7
#####################################################################
init_db ()
{
if [ "`systemctl is-active mysqld`" == "active" ]
if [ `systemctl is-active mysqld` == "active" ]
then
systemctl stop mysqld
fi
955,16 → 957,16
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
exit
fi
MYSQL="/usr/bin/mysql --execute"
# Secure the server
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
 
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
# Create 'radius' database
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
# Add an empty radius database structure
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
# modify the start script in order to close accounting connexion when the system is comming down or up
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
1049,6 → 1051,7
/usr/bin/systemctl daemon-reload
# Allow apache to change some conf files (ie : ldap on/off)
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 
} # End freeradius ()
 
#############################################################################
1183,7 → 1186,7
#
#Code : 42 => 2a
#Len : 4 => 04
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
cat <<EOF > /etc/chilli.conf
# coova config for ALCASAR
cmdsocket /var/run/chilli.sock
1465,7 → 1468,7
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
DirTmp=$(pwd)
cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
cd /tmp/nfsen-*/
/usr/bin/perl install.pl etc/nfsen.conf
/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
# Create RRD DB for porttracker (only in it still doesn't exist)
1502,7 → 1505,7
WantedBy=multi-user.target
EOF
# Add the listen port to collect netflow packet (nfcapd)
$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
# expire delay for the profile "live"
/usr/bin/systemctl start nfsen
/bin/nfsen -m live -e 62d 2>/dev/null
1516,7 → 1519,7
# clear the installation
# rm -rf /tmp/SURFmap*
rm -rf /tmp/nfsen-*
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
cd $DirTmp
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
} # End of nfsen ()
 
1543,14 → 1546,67
dnsmasq ()
{
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
cat << EOF > /etc/dnsmasq.conf
# Configuration file for "dnsmasq in forward mode"
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
listen-address=$PRIVATE_IP
pid-file=/var/run/dnsmasq.pid
listen-address=127.0.0.1
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=2048
domain-needed
expand-hosts
bogus-priv
filterwin2k
server=$DNS1
server=$DNS2
# DHCP service is configured. It will be enabled in "bypass" mode
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
#dhcp-option=option:router,$PRIVATE_IP
#dhcp-option=option:ntp-server,$PRIVATE_IP
 
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
EOF
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
cat << EOF > /etc/dnsmasq-blacklist.conf
# Configuration file for "dnsmasq with blacklist"
# Add Toulouse University blacklist domains
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
pid-file=/var/run/dnsmasq-blacklist.pid
listen-address=$PRIVATE_IP
port=54
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=2048
domain-needed
expand-hosts
bogus-priv
filterwin2k
log-queries
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
server=$DNS1
server=$DNS2
EOF
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
cat << EOF > /etc/dnsmasq-whitelist.conf
# Configuration file for "dnsmasq with whitelist"
# ADD Toulouse university whitelist domains
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
pid-file=/var/run/dnsmasq-whitelist.pid
listen-address=127.0.0.1
listen-address=$PRIVATE_IP
port=55
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=1024
1558,228 → 1614,60
expand-hosts
bogus-priv
filterwin2k
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
server=$DNS1
server=$DNS2
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
EOF
# 4th dnsmasq listen on udp 56 ("blackhole")
cat << EOF > /etc/dnsmasq-blackhole.conf
# Configuration file for "dnsmasq as a blackhole"
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
pid-file=/var/run/dnsmasq-blackhole.pid
listen-address=$PRIVATE_IP
port=56
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=256
domain-needed
expand-hosts
bogus-priv
filterwin2k
EOF
# file managing domain name resolution (local & remote)
cat << EOF > $DIR_DEST_ETC/alcasar-dns-name
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut)
# Here you can define your local domain name ('localdomain' by default)
local=/localdomain/
domain=localdomain
 
# Create dnsmasq-whitelist unit
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
} # End dnsmasq
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS
## Add one line for each domain name managed by an other DNS server
## server=/<your_domain>/<@IP_domain_server>
## Exemple for an A.D. domain : server=/Your.Domain.AD/110.120.100.100
## Exemple for an other domain : server=/an_other_domain/10.20.30.40
 
##################################################
## Function "unbound" ##
##################################################
unbound ()
{
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
 
# Local static DNS configuration
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
 
# Forward zone configuration file for all unbound dns servers
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
forward-zone:
name: "."
forward-addr: $DNS1
forward-addr: $DNS2
EOF
 
# Custom configuration file for manual DNS configuration
cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
## Add one block for each domain name managed by an other DNS server
##
## Example:
##
## server:
## local-zone: "<your_domain>." transparent
## forward-zone:
## name: "<your_domain>."
## forward-addr: <@IP_domain_server>
##
## INFO : local hostnames are resolved in /etc/hosts file
EOF
 
# Configuration file of ALCASAR main domains for $INTIF
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
server:
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A $PRIVATE_IP"
local-zone: "$DOMAIN." static
local-data: "$DOMAIN. A"
EOF
 
# Configuration file for lo of forward unbound
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
server:
interface: 127.0.0.1@53
access-control-view: 127.0.0.1/8 lo
 
view:
name: "lo"
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A 127.0.0.1"
local-zone: "$DOMAIN." static
local-data: "$DOMAIN. A"
view-first: yes
EOF
 
# Configuration file for $INTIF of forward unbound
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@53
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
name: "$INTIF"
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A $PRIVATE_IP"
view-first: yes
EOF
 
# Configuration file for forward unbound
cat << EOF > /etc/unbound/unbound.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
 
include: /etc/unbound/conf.d/common/forward-zone.conf
include: /etc/unbound/conf.d/common/local-forward/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/forward/*
EOF
 
# Configuration file for $INTIF of blacklist unbound
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@54
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "blacklist"
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
EOF
 
# Configuration file for blacklist unbound
cat << EOF > /etc/unbound/unbound-blacklist.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
logfile: "/var/log/unbound/unbound-blacklist.log"
chroot: ""
define-tag: "blacklist"
log-local-actions: yes
 
include: /etc/unbound/conf.d/common/forward-zone.conf
include: /etc/unbound/conf.d/common/local-forward/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/blacklist/*
 
include: /usr/local/share/unbound-bl-enabled/*
EOF
 
# Configuration file for $INTIF of whitelist unbound
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@55
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "whitelist"
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
EOF
 
# Configuration file for whitelist unbound
cat << EOF > /etc/unbound/unbound-whitelist.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
do-not-query-localhost: no
define-tag: "whitelist"
 
local-zone: "." transparent
local-zone-tag: "." "whitelist"
 
include: /usr/local/share/unbound-wl-enabled/*
include: /etc/unbound/conf.d/whitelist/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/common/local-forward/*
 
forward-zone:
name: "."
forward-addr: 127.0.0.1@55
EOF
 
# Configuration file for $INTIF of blackhole unbound
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@56
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
name: "$INTIF"
local-zone: "." redirect
local-data: ". A $PRIVATE_IP"
EOF
 
# Configuration file for blackhole unbound
cat << EOF > /etc/unbound/unbound-blackhole.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
 
include: /etc/unbound/conf.d/blackhole/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/common/local-forward/*
EOF
 
if [ ! -e /lib/systemd/system/unbound.service.default ]
then
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
fi
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
 
for list in blacklist blackhole whitelist
# the main instance should start after network and chilli (which create tun0)
[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
for list in blacklist whitelist blackhole
do
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
done
} # End dnsmasq
 
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
} # End unbound
 
##########################################################
## Function "BL" ##
## - copy Toulouse BL ##
## - adapt this BL to ALCASAR architecture ##
## - domain names for unbound-bl & unbound-wl ##
## - domain names for dnsmasq-bl & dnasmasq-wl ##
## - URLs for E²guardian ##
## - IPs for NetFilter ##
##########################################################
1957,9 → 1845,9
 
# Create 'gammu' database
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
# Add a gammu database structure
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
 
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
cat << EOF > /etc/gammurc
2084,7 → 1972,7
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
 
pwdInstall=$(pwd)
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
cd /tmp/acme.sh-*
 
acmesh_installDir="/opt/acme.sh"
acmesh_confDir="/usr/local/etc/letsencrypt"
2116,7 → 2004,7
dateNextRenewal=
EOF
 
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
cd $pwdInstall
rm -rf /tmp/acme.sh-*
 
} # END letsencrypt()
2139,7 → 2027,7
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# postfix banner anonymisation
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
chown -R postfix:postfix /var/lib/postfix
# sshd liste on EXTIF & INTIF
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2164,9 → 2052,6
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
echo "BL_PUREIP=on" >> $CONF_FILE
echo "BL_SAFESEARCH=off" >> $CONF_FILE
echo "WL_SAFESEARCH=off" >> $CONF_FILE
# Prompt customisation (colors)
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2183,7 → 2068,7
# actualisation des fichiers logs compressés
for dir in firewall e2guardian lighttpd
do
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
done
# create the alcasar-load_balancing unit
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2212,13 → 2097,13
EOF
/usr/bin/systemctl daemon-reload
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
do
/usr/bin/systemctl -q enable $i.service
done
 
# disable processes at boot time (Systemctl)
for i in ulogd gpm dhcpd
for i in ulogd gpm
do
/usr/bin/systemctl -q disable $i.service
done
2267,10 → 2152,10
if [ $Lang == "fr" ]
then
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
else
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
fi
/usr/bin/update-grub2
# Load and apply the previous conf file
2289,7 → 2174,7
chown -R root:apache $DIR_DEST_ETC/*
chmod -R 660 $DIR_DEST_ETC/*
chmod ug+x $DIR_DEST_ETC/digest
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
cd $DIR_INSTALL
echo ""
echo "#############################################################################"
if [ $Lang == "fr" ]
2305,7 → 2190,7
echo
echo "- Lisez attentivement la documentation d'exploitation"
echo
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
echo
echo " Appuyez sur 'Entrée' pour continuer"
else
2320,7 → 2205,7
echo
echo "- Read the exploitation documentation"
echo
echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
echo
echo " Hit 'Enter' to continue"
fi
2327,7 → 2212,7
sleep 2
if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
then
read
read a
fi
clear
reboot
2343,10 → 2228,10
echo "Launch this program from the ALCASAR archive directory"
exit 0
fi
if [ $EUID -gt 0 ]
if [[ $EUID > 0 ]]
then
echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
echo "You must be \"root\" to install ALCASAR ('su' command)"
echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
echo "You must be "root" to install ALCASAR ('su' command)"
exit 0
fi
VERSION=`cat $DIR_INSTALL/VERSION`
2388,7 → 2273,7
if [ $DEBUG_ALCASAR == "on" ]
then
echo "*** 'debug' : end of cleaning ***"
read
read a
fi
# Test if manual update
if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2428,13 → 2313,13
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
mode="update"
fi
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]
then
echo "*** 'debug' : end of install '$func' ***"
read
read a
fi
done
;;
2474,3 → 2359,4
;;
esac
# end of script
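Review bot: In the hunk at 448,7 → 447,7, `$PASSWD_FILE` is deleted and recreated by `echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE` under whatever umask the installer inherited, and the protecting `chmod 640 $PASSWD_FILE` only comes at the end of the following hunk, so with the usual 022 umask the GRUB, MariaDB and RADIUS secrets sit in a world-readable file for the whole generation sequence. Creating the file with its final mode before the first write, e.g. `install -m 640 /dev/null $PASSWD_FILE` right after the `rm -f $PASSWD_FILE`, closes that window; note also that the later `echo "# Login name and password to protect GRUB2 boot menu ..." > $PASSWD_FILE` uses `>` rather than `>>` and so discards the header line just written, which looks unintended. The enclosing function starts outside these hunks. The same secrets are also placed on the client command line in init_db and gammu_smsd (`MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"`, `mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < ...`), where they can be read from the process list by any local account while each command runs; passing them through a mode-600 temporary client config via `--defaults-extra-file` (or `MYSQL_PWD` in the environment) avoids that exposure without changing the SQL executed.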