BlueGreycalmElegant

Català-Valencià – Catalan中文 – Chinese (Simplified)中文 – Chinese (Traditional)Česky – CzechDansk – DanishNederlands – DutchEnglish – EnglishSuomi – FinnishFrançais – FrenchDeutsch – Germanעברית – Hebrewहिंदी – HindiMagyar – HungarianBahasa Indonesia – IndonesianItaliano – Italian日本語 – Japanese한국어 – KoreanМакедонски – Macedonianमराठी – MarathiNorsk – NorwegianPolski – PolishPortuguês – PortuguesePortuguês – Portuguese (Brazil)Русский – RussianSlovenčina – SlovakSlovenščina – SlovenianEspañol – SpanishSvenska – SwedishTürkçe – TurkishУкраїнська – UkrainianOëzbekcha – Uzbek

Compare Revisions

• This comparison shows the changes necessary to convert path

  → /alcasar.sh @ 1158

  → /alcasar.sh @ 1159

  ↔ Reverse comparison

• Compare Path:	Rev

  With Path:	Rev

Ignore whitespace Rev 1158 → Rev 1159

/alcasar.sh
20,7 → 20,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
#
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
# Options :
# -i or --install
39,7 → 39,7
# param_squid : Configuration du proxy squid en mode 'cache'
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
# antivirus : Installation havp + libclamav
# param_awstats : Configuration de l'interface des statistiques de consultation WEB
# param_nfsen : Configuration du grapheur nfsen pour apache
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
# BL : Configuration de la BlackList
# cron : Mise en place des exports de logs (+ chiffrement)
497,6 → 497,8
# load conntrack ftp module
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
echo "ip_conntrack_ftp" >> /etc/modprobe.preload
# load ipt_NETFLOW module
echo "ipt_NETFLOW" >> /etc/modprobe.preload
#
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
} # End of network ()
1035,21 → 1037,9
$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
# Configuration du cache local
$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
# emplacement et formatage standard des logs
echo '#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh' >> /etc/squid/squid.conf
echo '#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh' >> /etc/squid/squid.conf
echo "access_log /var/log/squid/access.log" >> /etc/squid/squid.conf
# compatibilité des logs avec awstats
echo "emulate_httpd_log on" >> /etc/squid/squid.conf
echo "half_closed_clients off" >> /etc/squid/squid.conf
echo "server_persistent_connections off" >> /etc/squid/squid.conf
echo "client_persistent_connections on" >> /etc/squid/squid.conf
echo "client_lifetime 1440 minutes" >> /etc/squid/squid.conf
echo "request_timeout 5 minutes" >> /etc/squid/squid.conf
echo "persistent_request_timeout 2 minutes" >> /etc/squid/squid.conf
echo "cache_mem 256 MB" >> /etc/squid/squid.conf
echo "maximum_object_size_in_memory 4096 KB" >> /etc/squid/squid.conf
echo "maximum_object_size 4096 KB" >> /etc/squid/squid.conf
# désactivation des "access log"
echo '#Disable access log' >> /etc/squid/squid.conf
echo "access_log none" >> /etc/squid/squid.conf
# anonymisation of squid version
echo "via off" >> /etc/squid/squid.conf
# remove the 'X_forwarded' http option
1191,62 → 1181,73
cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
} # End of param_ulogd ()
##################################################################################
## Fonction param_awstats ##
## - configuration de l'interface des logs de consultation WEB (AWSTAT) ##
##################################################################################
param_awstats()
##########################################################
## Fonction param_nfsen ##
##########################################################
param_nfsen()
{
cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/
chown -R apache:apache $DIR_ACC/awstats
cp /etc/awstats/awstats.conf /etc/awstats/awstats.conf.default
$SED "s?^LogFile=.*?LogFile=\"/var/log/squid/access.log\"?g" /etc/awstats/awstats.conf
$SED "s?^LogFormat=.*?LogFormat=4?g" /etc/awstats/awstats.conf
$SED "s?^SiteDomain=.*?SiteDomain=\"$HOSTNAME\"?g" /etc/awstats/awstats.conf
$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf
$SED "s?^DNSLookup=.*?DNSLookup=0?g" /etc/awstats/awstats.conf
$SED "s?^DirData=.*?DirData=\"/var/lib/awstats\"?g" /etc/awstats/awstats.conf
$SED "s?^DirIcons=.*?DirIcons=\"/acc/awstats/icon\"?g" /etc/awstats/awstats.conf
$SED "s?^StyleSheet=.*?StyleSheet=\"/css/style.css\"?g" /etc/awstats/awstats.conf
$SED "s?^BuildReportFormat=.*?BuildReportFormat=xhtml?g" /etc/awstats/awstats.conf
$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf
$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf
$SED "s?^ShowMonthStats=.*?ShowMonthStats=VPHB?g" /etc/awstats/awstats.conf
$SED "s?^ShowDaysOfMonthStats=.*?ShowDaysOfMonthStats=PHB?g" /etc/awstats/awstats.conf
$SED "s?^ShowDaysOfWeekStats=.*?ShowDaysOfWeekStats=PHB?g" /etc/awstats/awstats.conf
$SED "s?^ShowHoursStats=.*?ShowHoursStats=PHB?g" /etc/awstats/awstats.conf
$SED "s?^ShowDomainsStats=.*?ShowDomainsStats=0?g" /etc/awstats/awstats.conf
$SED "s?^ShowHostsStats=.*?ShowHostsStats=0?g" /etc/awstats/awstats.conf
$SED "s?^ShowAuthenticatedUsers=.*?ShowAuthenticatedUsers=0?g" /etc/awstats/awstats.conf
$SED "s?^ShowRobotsStats=.*?ShowRobotsStats=0?g" /etc/awstats/awstats.conf
$SED "s?^ShowFileTypesStats=.*?ShowFileTypesStats=0?g" /etc/awstats/awstats.conf
$SED "s?^ShowFileSizesStats=.*?ShowFileSizesStats=0?g" /etc/awstats/awstats.conf
$SED "s?^ShowOSStats=.*?ShowOSStats=0?g" /etc/awstats/awstats.conf
$SED "s?^ShowScreenSizeStats=.*?ShowScreenSizeStats=0?g" /etc/awstats/awstats.conf
cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
<Directory $DIR_ACC/awstats>
SSLRequireSSL
Options ExecCGI
AddHandler cgi-script .pl
DirectoryIndex awstats.pl
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
require valid-user
AuthType digest
AuthName $HOSTNAME
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_admin
ErrorDocument 404 https://$HOSTNAME/
#Decompression tarball
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
#Création groupe et utilisteur
if grep "^www-data:" /etc/group > /dev/null; then
echo "Group already exists !"
else
groupadd www-data
echo "Group 'www-data' created !"
fi
if grep "^nfsen:" /etc/passwd > /dev/null; then
echo "User already exists !"
else
useradd -m nfsen
echo "User 'nfsen' created !"
fi
usermod -G www-data nfsen
#Ajout du plugin nfsen : PortTracker
mkdir -p /var/www/nfsen/plugins
chown -R nfsen:www-data /var/www/nfsen
#Ajout du plugin PortTracker
mkdir -p /var/log/netflow/porttracker
mkdir -p /usr/share/nfsen/plugins
chown -R apache:apache /usr/share/nfsen
cp -f ./conf/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
chown apache /var/log/netflow/porttracker
#Copie du fichier de conf modifié de nfsen
cp ./conf/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
#Copie du script d'initialisation de nfsen
cp ./conf/nfsen/nfsen-init /etc/init.d/nfsen
#Installation de nfsen via le scrip Perl
cd /tmp/nfsen-1.3.6p1/
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
#Création de la DB pour rrdtool
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
sudo -u apache nftrack -I -d /var/log/netflow/porttracker
chown -R apache:www-data /var/log/netflow/porttracker/
chmod -R 775 /var/log/netflow/porttracker
#Configuration du fichier de conf d'apache
if [ -f /etc/httpd/conf.d/nfsen.conf ];then
rm -f /etc/httpd/conf.d/nfsen.conf
fi
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
Alias /nfsen /var/www/nfsen
<Directory /var/www/nfsen/>
DirectoryIndex nfsen.php
Options -Indexes
AllowOverride all
order allow,deny
allow from all
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc on
php_flag track_vars on
</Directory>
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
EOF
} # End of param_awstats ()
#Configuration du délais d'expiration des captures du profile "ALCASAR"
nfsen -m ALCASAR -e 365d
#Suppression des sources de nfsen
rm -rf /tmp/nfsen-1.3.6p1/
} # End of param_nfsen
##########################################################
## Fonction param_dnsmasq ##
1410,10 → 1411,6
# Archive des logs et de la base de données (tous les lundi à 5h35)
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
EOF
cat << EOF > /etc/cron.d/awstats
# mise à jour des stats de consultation WEB toutes les 30'
*/30 * * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1
EOF
cat << EOF > /etc/cron.d/alcasar-clean_import
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
1422,6 → 1419,11
# mise à jour automatique de la distribution tous les jours 3h30
30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
EOF
cat << EOF > /etc/cron.d/alcasar-netflow
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
05 0 * * 5 root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/ALCASAR/ipt_netflow/ -t 1y -w 90
EOF
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
1515,7 → 1517,7
# export des logs en 'retard' dans /var/Save/logs
/usr/local/bin/alcasar-log.sh --export
# processus lancés par défaut au démarrage
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen
do
/sbin/chkconfig --add $i
done
1743,6 → 1745,8
fi
# RPMs install
$DIR_SCRIPTS/alcasar-urpmi.sh
echo "Mise à jour des modules noyau installés"
#depmod -a
if [ "$?" != "0" ]
then
exit 0
1792,7 → 1796,7
else
mode="install"
fi
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron post_install
do
$func
# echo "*** 'debug' : end of function $func ***"; read a