12,8 → 12,7 |
# -i or --install |
# -u or --uninstall |
# Functions : |
# system_testing : Free space test and mageia version test |
# network_testing : Internet connectivity tests |
# testing : connectivity tests, free space test and mageia version test |
# init : Installation of RPM and scripts |
# network : Network parameters |
# ACC : ALCASAR Control Center installation |
21,14 → 20,14 |
# time_server : NTPd configuration |
# init_db : Initilization of radius database managed with MariaDB |
# freeradius : FreeRadius initialisation |
# chilli : Coovachilli initialisation (+authentication page) |
# chilli : coovachilli initialisation (+authentication page) |
# e2guardian : E2Guardian filtering HTTP proxy configuration |
# antivirus : Clamav & freshclam configuration |
# ulogd : Log system in userland (match NFLOG target of iptables) |
# antivirus : clamav & freshclam configuration |
# ulogd : log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
# unbound : Name server configuration |
# dnsmasq : Name server configuration (for whitelist ipset support) |
# vnstat : Little network stat daemon |
# vnstat : little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
# fail2ban : Fail2ban IDS installation and configuration |
35,7 → 34,6 |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
# msec : Mageia security package configuration |
# letsencrypt : Let's Encrypt client |
# mail_service : Mail service for email authentification method |
# post_install : Security, log rotation, etc. |
|
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
106,13 → 104,13 |
} # End of header_install() |
|
######################################################## |
## "system_testing" ## |
## Function "testing_system" ## |
## - Test Mageia version ## |
## - Test ALCASAR version (if already installed) ## |
## - Test free space on /var (>10G) ## |
## - Test Internet access ## |
######################################################## |
system_testing() |
testing_system() |
{ |
# Test of Mageia version |
# extract the current Mageia version and hardware architecture (i586 ou X64) |
224,13 → 222,13 |
fi |
exit 0 |
fi |
} # End of system_testing |
} # End of testing_system |
|
######################################################## |
## "network_testing" ## |
## - Internet access test ## |
## Function "testing_network" ## |
## - Test Internet access ## |
######################################################## |
network_testing() |
testing_network() |
{ |
# Detect external/internal interfaces |
if [ -z "$EXTIF" ]; then |
395,10 → 393,10 |
exit 1 |
fi |
echo ". : ok" |
} # End of network_testing() |
} # End of testing_network() |
|
####################################################################### |
## "init" ## |
## Function "init" ## |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ## |
## - Creation of random password for GRUB, mariadb (admin and user) ## |
####################################################################### |
474,7 → 472,7 |
} # End of init() |
|
######################################################### |
## "network" ## |
## Function "network" ## |
## - Define the several network address ## |
## - Define the DNS naming ## |
## - INTIF parameters (consultation network) ## |
755,7 → 753,7 |
} # End of network() |
|
################################################################## |
## "CA" ## |
## Fonction "CA" ## |
## - Creating the CA and the server certificate (lighttpd) ## |
################################################################## |
CA() |
771,13 → 769,13 |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle |
} # End of CA() |
|
###################################################### |
## "ACC" ## |
################################################### |
## Function "ACC" ## |
## - copy ALCASAR Control Center (ACC) files ## |
## - configuration of the web server (Lighttpd) ## |
## - creation of the first ACC admin account ## |
## - secure the ACC access ## |
###################################################### |
################################################### |
ACC() |
{ |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB |
893,7 → 891,7 |
} # End of ACC() |
|
############################################################# |
## "time_server" ## |
## Function "time_server" ## |
## - Configuring NTP server ## |
############################################################# |
time_server() |
924,7 → 922,7 |
} # End of time_server() |
|
##################################################################### |
## "init_db" ## |
## Function "init_db" ## |
## - Mysql initialization ## |
## - Set admin (root) password ## |
## - Remove unused users & databases ## |
977,7 → 975,7 |
} # End of init_db() |
|
################################################################### |
## "freeradius" ## |
## Function "freeradius" ## |
## - Set the configuration files ## |
## - Set the shared secret between coova-chilli and freeradius ## |
## - Adapt the Mysql conf file and counters ## |
1063,7 → 1061,7 |
} # End of freeradius() |
|
############################################################################# |
## "chilli" ## |
## Function "chilli" ## |
## - Creation of the conf file and init file (systemd) for coova-chilli ## |
## - Adapt the authentication web page (intercept.php) ## |
############################################################################# |
1264,7 → 1262,7 |
} # End of chilli() |
|
################################################################ |
## "e2guardian" ## |
## Function "e2guardian" ## |
## - Set the parameters of this HTML proxy (as controler) ## |
################################################################ |
e2guardian() |
1375,7 → 1373,7 |
} # End of e2guardian() |
|
################################################################## |
## "antivirus" ## |
## Function "antivirus" ## |
## - Set the parameters of clamav and freshclam ## |
################################################################## |
antivirus() |
1410,7 → 1408,7 |
} # End of antivirus() |
|
############################################################## |
## "ulogd" ## |
## function "ulogd" ## |
## - Ulog config for multi-log files ## |
############################################################## |
ulogd() |
1438,7 → 1436,7 |
} # End of ulogd() |
|
########################################################## |
## "nfsen" ## |
## Function "nfsen" ## |
## - configure NetFlow collector (nfcapd) ## |
## - configure NetFlow grapher (nfsen-ng) ## |
########################################################## |
1477,7 → 1475,7 |
} # End of nfsen() |
|
########################################################### |
## "vnstat" ## |
## Function "vnstat" ## |
## - Initialization of vnstat and vnstat-dashboard ## |
########################################################### |
vnstat() |
1494,7 → 1492,7 |
} # End of vnstat() |
|
################################################################### |
## "dnsmasq" ## |
## Function "dnsmasq" ## |
## - creation of the conf files of dnsmasq (whitelist for ipset )## |
################################################################### |
dnsmasq() |
1519,7 → 1517,6 |
server=$DNS1 |
server=$DNS2 |
EOF |
|
# Don't run dnsmasq service. Create dnsmasq-whitelist unit |
systemctl disable dnsmasq.service |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service |
1528,7 → 1525,7 |
} # End of dnsmasq() |
|
######################################################### |
## "unbound" ## |
## Function "unbound" ## |
## - create the conf files for 4 unbound services ## |
## - create the systemd files for 4 unbound services ## |
######################################################### |
1692,6 → 1689,7 |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/blackhole/* |
EOF |
|
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service |
1705,7 → 1703,7 |
} # End of unbound() |
|
################################################## |
## "dhcpd" ## |
## Function "dhcpd" ## |
################################################## |
dhcpd() |
{ |
1724,7 → 1722,7 |
} # End of dhcpd() |
|
########################################################## |
## "BL" ## |
## Function "BL" ## |
## - copy & adapt Toulouse BL to ALCASAR architecture ## |
## - domain names for unbound-bl & unbound-wl ## |
## - URLs for EĀ²guardian ## |
1762,7 → 1760,7 |
} # End of BL() |
|
####################################################### |
## "cron" ## |
## Function "cron" ## |
## - write all cron & anacron files ## |
####################################################### |
cron() |
1853,7 → 1851,7 |
} # End of cron() |
|
######################################################################## |
## "Fail2Ban" ## |
## Fonction "Fail2Ban" ## |
##- Adapt conf file to ALCASAR ## |
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ## |
######################################################################## |
1954,11 → 1952,11 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service |
} # End of fail2ban() |
|
######################################################## |
## "gammu_smsd" ## |
######################################################### |
## Fonction "gammu_smsd" ## |
## - Creating of SMS management database ## |
## - Write the gammu a gammu_smsd conf files ## |
######################################################## |
######################################################### |
gammu_smsd() |
{ |
# Create 'gammu' system user |
2043,12 → 2041,12 |
|
} # End of gammu_smsd() |
|
######################################################## |
## "msec" ## |
############################################################ |
## Fonction "msec" ## |
## - Apply the "fileserver" security level ## |
## - remove the "system request" for rebooting ## |
## - Fix several file permissions ## |
######################################################## |
############################################################ |
msec() |
{ |
|
2129,27 → 2127,6 |
} # End of letsencrypt() |
|
################################################################## |
## "mail_service" ## |
## - Install mail service for email registration method ## |
################################################################## |
mail_service() |
{ |
[ -e /etc/postfix/main.cf.default ] || cp /etc/postfix/main.cf /etc/postfix/main.cf.default |
cat << EOT >> /etc/postfix/main.cf |
myhostname = $HOSTNAME.$DOMAIN |
# Enable SASL authentication |
smtp_sasl_auth_enable = yes |
# Disallow methods that allow anonymous authentication |
smtp_sasl_security_options = noanonymous |
# Location of sasl_passwd |
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd |
EOT |
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
} # end of mail_service |
|
################################################################## |
## Fonction "post_install" ## |
## - Modifying banners (locals et ssh) & prompts ## |
## - SSH config ## |
2171,6 → 2148,10 |
# sshd authorized certificate for root login |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config |
|
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
# ALCASAR conf file |
echo "HTTPS_LOGIN=off" >> $CONF_FILE |
echo "HTTPS_CHILLI=off" >> $CONF_FILE |
2372,7 → 2353,7 |
exit 0 |
;; |
-i | --install) |
for func in license system_testing network_testing |
for func in license testing_system testing_network |
do |
header_install |
$func |
2459,7 → 2440,7 |
fi |
mode="update" |
fi |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |
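Review bot: In the post_install hunk (2171,6 → 2148,10) the `$SED` on `/etc/postfix/main.cf` now runs without the one-time backup that the removed `mail_service` made, and none of that function's client-side SASL settings (`smtp_sasl_auth_enable = yes`, `smtp_sasl_security_options = noanonymous`, `smtp_sasl_password_maps`) are written any more. This reading assumes the second line of each printed pair is the new side, which the 2129,27 → 2127,6 counts suggest. If the e-mail authentication method still relays through an authenticated smarthost, postfix is left on distribution defaults, so it is worth confirming that this is intended. I would keep `[ -e /etc/postfix/main.cf.default ] || cp /etc/postfix/main.cf /etc/postfix/main.cf.default` ahead of the sed and wrap both postfix lines in `[ -f /etc/postfix/main.cf ] && ...` so the step is skipped when postfix is absent. Separately, the function list in the header comment (first hunk) names a single `testing` entry while the install loop calls `testing_system` and `testing_network`; the comment should list both names. The body of post_install continues outside the hunk.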