Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1218 → Rev 1219

/scripts/alcasar-netflow.sh
1,12 → 1,11
#!/bin/bash
 
NOW=$(date +%G%m%d)
DIR_SAVE="var/Save/logs/firwall/"
NOW=$(date +%G%m%d-%Hh%M)
DIR_LOG="/var/log/nfsen/profiles-data/live/ipt_netflow"
DIR_SAVE="/var/Save/logs/firewall"
EXPIRE_DELAY=7
 
cd $DIR_SAVE
find $DIR_LOG -mtime $EXPIRE_DELAY -name 'nfcapd.*' | xargs tar -czf tracability.log-$NOW.tar.gz;
cd $DIR_LOG
find . -mtime 0 -mtime -$EXPIRE_DELAY -name 'nfcapd.[0-9]*' | xargs tar -czf $DIR_SAVE/tracability.log-$NOW.tar.gz;
 
exit 0
/alcasar.sh
20,7 → 20,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
#
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav
 
# Options :
# -i or --install
1191,48 → 1191,51
param_nfsen()
{
#Decompression tarball
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
#Création groupe et utilisteur
if grep "^www-data:" /etc/group > /dev/null; then
echo "Group already exists !"
else
groupadd www-data
echo "Group 'www-data' created !"
fi
if grep "^nfsen:" /etc/passwd > /dev/null; then
echo "User already exists !"
else
useradd -m nfsen
echo "User 'nfsen' created !"
fi
usermod -G www-data nfsen
if grep "^www-data:" /etc/group > /dev/null; then
echo "Group already exists !"
else
groupadd www-data
echo "Group 'www-data' created !"
fi
if grep "^nfsen:" /etc/passwd > /dev/null; then
echo "User already exists !"
else
useradd -m nfsen
echo "User 'nfsen' created !"
fi
usermod -G www-data nfsen
#Ajout du plugin nfsen : PortTracker
mkdir -p /var/www/nfsen/plugins
chown -R nfsen:www-data /var/www/nfsen
mkdir -p /var/www/nfsen/plugins
chown -R nfsen:www-data /var/www/nfsen
#Ajout du plugin PortTracker
mkdir -p /var/log/netflow/porttracker /usr/share/nfsen/plugins
chown -R apache:apache /var/log/netflow/porttracker /usr/share/nfsen
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
mkdir -p /var/log/netflow/porttracker
mkdir -p /usr/share/nfsen/plugins
chown -R apache:apache /usr/share/nfsen
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
chown apache /var/log/netflow/porttracker
#Copie du fichier de conf modifié de nfsen
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
#Copie du script d'initialisation de nfsen
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
systemctl enable nfsen.service
#Installation de nfsen via le scrip Perl
DirTmp=$(pwd)
cd /tmp/nfsen-1.3.6p1/
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
DirTmp=$(pwd)
cd /tmp/nfsen-1.3.6p1/
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
#Création de la DB pour rrdtool
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
sudo -u apache nftrack -I -d /var/log/netflow/porttracker
chown -R apache:www-data /var/log/netflow/porttracker/
chmod -R 775 /var/log/netflow/porttracker
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
sudo -u apache nftrack -I -d /var/log/netflow/porttracker
chown -R apache:www-data /var/log/netflow/porttracker/
chmod -R 775 /var/log/netflow/porttracker
#Configuration du fichier de conf d'apache
if [ -f /etc/httpd/conf.d/nfsen.conf ];then
rm -f /etc/httpd/conf.d/nfsen.conf
fi
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
if [ -f /etc/httpd/conf.d/nfsen.conf ];then
rm -f /etc/httpd/conf.d/nfsen.conf
fi
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
Alias /nfsen /var/www/nfsen
<Directory /var/www/nfsen/>
DirectoryIndex nfsen.php
1246,10 → 1249,10
</Directory>
EOF
#Configuration du délais d'expiration des captures du profile "live"
nfsen -m live -e 62d
nfsen -m live -e 62d
#Suppression des sources de nfsen
cd $DirTmp
rm -rf /tmp/nfsen-1.3.6p1/
cd $DirTmp
rm -rf /tmp/nfsen-1.3.6p1/
} # End of param_nfsen
 
##########################################################
1305,18 → 1308,18
EOF
 
# Init file modification
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
# Start and stop a 2nd process for the "DNS blackhole"
cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
# Start after chilli (65) which create tun0
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
# Optionnellement on pré-active les logs DNS des clients
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
# Optionnellement, exemple de configuration avec un A.D.
echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
} # End dnsmasq
 
##########################################################
1423,7 → 1426,7
EOF
cat << EOF > /etc/cron.d/alcasar-netflow
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
05 0 * * 5 root $DIR_DEST_BIN/alcasar-netflow.sh
15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
EOF
 
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1533,8 → 1536,13
done
# export des logs en 'retard' dans /var/Save/logs
/usr/local/bin/alcasar-log.sh --export
# creation of the unit of alcasar-load_balancing
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
# processus lancés par défaut au démarrage
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen
do
/sbin/chkconfig --add $i
done
 
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
1558,27 → 1566,17
[Install]
WantedBy=multi-user.target
EOF
# process launch at boot time
for service in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
do
/sbin/chkconfig --add $service
done
for service in alcasar-load_balancing.service nfsen.service
systemctl enable alcasar-load_balancing.service
 
do
/bin/systemctl enable $service
done
 
# On applique les préconisations ANSSI
# Apply French Security Agency rules
# ignorer les broadcast ICMP. (attaque smurf)
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# ignorer les erreurs ICMP bogus
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# désactiver l'envoi et la réponse aux ICMP redirects
sysctl -w net.ipv4.conf.all.accept_redirects=0
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
sysctl -w net.ipv4.conf.all.accept_redirects=0
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
if [ "$accept_redirect" == "0" ]
then
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
1837,7 → 1835,7
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
do
$func
# echo "*** 'debug' : end of function $func ***"; read a
echo "*** 'debug' : end of function $func ***"; read a
done
;;
-u | --uninstall)