29,11 → 29,11 |
# testing : connectivity tests, free space test and mageia version test |
# init : Installation of RPM and scripts |
# network : Network parameters |
# time : NTPd configuration |
# ACC : ALCASAR Control Center installation |
# CA : Certification Authority initialization |
# init_db : Initilization of radius database managed with MariaDB |
# radius : FreeRadius initialisation |
# radius_web : copy ans modifiy original "freeradius web" in ACC |
# chilli : coovachilli initialisation (+authentication page) |
# dansguardian : DansGuardian filtering HTTP proxy configuration |
# antivirus : HAVP + libclamav configuration |
407,7 → 407,6 |
## - Nommage DNS du système ## |
## - Configuration de l'interface INTIF (réseau de consultation)## |
## - Modification du fichier /etc/hosts ## |
## - Configuration du serveur de temps (NTP) ## |
## - Renseignement des fichiers hosts.allow et hosts.deny ## |
################################################################## |
network () |
586,29 → 585,6 |
ACCOUNTING=no |
USERCTL=no |
EOF |
# Mise à l'heure du serveur |
[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default |
cat <<EOF > /etc/ntp/step-tickers |
0.fr.pool.ntp.org # adapt to your country |
1.fr.pool.ntp.org |
2.fr.pool.ntp.org |
EOF |
# Configuration du serveur de temps (sur lui même) |
[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default |
cat <<EOF > /etc/ntp.conf |
server 0.fr.pool.ntp.org # adapt to your country |
server 1.fr.pool.ntp.org |
server 2.fr.pool.ntp.org |
server 127.127.1.0 # local clock si NTP internet indisponible ... |
fudge 127.127.1.0 stratum 10 |
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap |
restrict 127.0.0.1 |
driftfile /var/lib/ntp/drift |
logfile /var/log/ntp.log |
disable monitor |
EOF |
|
chown -R ntp:ntp /var/lib/ntp |
# Renseignement des fichiers hosts.allow et hosts.deny |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
cat <<EOF > /etc/hosts.allow |
632,12 → 608,42 |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies) |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
# |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
} # End of network () |
|
################################################################## |
## Function "time" ## |
## - Configuring NTP server ## |
################################################################## |
time () |
{ |
# Set the Internet time server |
[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default |
cat <<EOF > /etc/ntp/step-tickers |
0.fr.pool.ntp.org # adapt to your country |
1.fr.pool.ntp.org |
2.fr.pool.ntp.org |
EOF |
[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default |
cat <<EOF > /etc/ntp.conf |
server 0.fr.pool.ntp.org # adapt to your country |
server 1.fr.pool.ntp.org |
server 2.fr.pool.ntp.org |
server 127.127.1.0 # local clock si NTP internet indisponible ... |
fudge 127.127.1.0 stratum 10 |
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap |
restrict 127.0.0.1 |
driftfile /var/lib/ntp/drift |
logfile /var/log/ntp.log |
disable monitor |
EOF |
chown -R ntp:ntp /var/lib/ntp |
# Synchronize now |
ntpd -q -g & |
} # End of time () |
################################################################## |
## Function "ACC" ## |
## - installation du centre de gestion (ALCASAR Control Center) ## |
## - configuration du serveur web (Apache) ## |
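Review bot: `time` is a reserved word in bash, so the new definition `time ()` on L66 is very likely rejected by the parser (syntax error near `(`) before any function runs, and even with the `function` form a bare `time` in command position is parsed as the pipeline-timing keyword, not the function; the only reason the dispatch `$func` on L271 could reach it is that word expansion happens after keyword recognition. Rename it, e.g. `ntp_time ()`, and use the same name in the list on L269 (`for func in init network ntp_time ACC ...`); the shebang is outside this view, so confirm the script is run by bash. The header block above the function could also record that it now owns the NTP setup that the earlier hunk removed from network(), so a reader does not look for it there.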
648,7 → 654,7 |
{ |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB |
mkdir $DIR_WEB |
# Copie et configuration des fichiers du centre de gestion |
# Copy & adapt ACC files |
cp -rf $DIR_INSTALL/web/* $DIR_WEB/ |
echo "$VERSION" > $DIR_WEB/VERSION |
$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php |
657,16 → 663,30 |
$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php |
chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php |
chown -R apache:apache $DIR_WEB/* |
# create the backup structure : |
# copy & adapt "freeradius-web" files |
cp -rf $DIR_CONF/freeradius-web/ /etc/ |
[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default |
$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf |
$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf |
$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf |
cat <<EOF > /etc/freeradius-web/naslist.conf |
nas1_name: alcasar-$ORGANISME |
nas1_model: Network Access Controler |
nas1_ip: $PRIVATE_IP |
nas1_port_num: 0 |
nas1_community: public |
EOF |
chown -R apache:apache /etc/freeradius-web/ |
# create the log & backup structure : |
# - base = users database |
# - archive = tarball of "base + http firewall + netflow" |
# - security = watchdog disconnection) |
# - security = watchdog log |
for i in base archive security; |
do |
[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i |
done |
chown -R root:apache $DIR_SAVE |
# Configuration et sécurisation php |
# Configuring & securing php |
[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default |
timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2` |
$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini |
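Review bot: The freeradius-web setup moved into ACC() writes the database password into `/etc/freeradius-web/admin.conf` (`sql_password: $radiuspwd`, L115) and then only `chown -R apache:apache /etc/freeradius-web/` (L123), whereas the same hunk restricts the other file carrying that password with `chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php` (L107). `cp -rf` keeps whatever mode the file has under `$DIR_CONF/freeradius-web/` (not visible here), so add `chmod 640 /etc/freeradius-web/admin.conf` after the chown to make the two consistent. Separately, the removed radius_web() (later hunk) also set `sql_debug`, `sql_usergroup_table`, `sql_password_attribute: Crypt-Password` and installed `user_edit.attrs`/`sql.attrmap`/`sql.attrs`; the new block sets only three keys, so unless those now come pre-set in the shipped `admin.conf` or are handled in code outside this view, the password-attribute mapping regresses.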
674,7 → 694,7 |
$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini |
$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini |
$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini |
# Configuration et sécurisation Apache |
# Configuring & sécuring Apache |
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default |
$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf |
736,10 → 756,8 |
</html> |
EOF |
# Définition du premier compte lié au profil 'admin' |
|
# !! remove when > V2.9.2 (we need to create new accounts) |
# if [ "$mode" = "install" ] |
# then |
if [ "$mode" = "install" ] |
then |
header_install |
admin_portal=! |
PTN='^[a-zA-Z0-9-]*$' |
773,12 → 791,8 |
/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal |
done |
$DIR_DEST_BIN/alcasar-profil.sh --list |
# !! remove if > V2.9.2 |
# fi |
|
# synchronisation horaire |
ntpd -q -g & |
# Sécurisation du centre |
fi |
# ACC partitioning |
rm -f /etc/httpd/conf/webapps.d/alcasar* |
cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf |
<Directory $DIR_ACC> |
856,8 → 870,17 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
</Directory> |
<Directory $DIR_WEB/pass> |
SSLRequireSSL |
AllowOverride None |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN |
</Directory> |
EOF |
# Launch after coova |
# Launch after coova (in order to wait tun0 to be up) |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service |
} # End of ACC () |
|
890,7 → 913,6 |
ErrorLogFormat "[%t] [%m:%l] [client %a] %M" |
</VirtualHost> |
EOF |
|
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
} # End of CA () |
998,60 → 1020,6 |
/usr/bin/systemctl daemon-reload |
} # End radius () |
|
########################################################################## |
## Function "radius_web" ## |
## - Import, modification et paramètrage de l'interface "freeradius-WEB ## |
## - Création du lien vers la page de changement de mot de passe ## |
########################################################################## |
radius_web () |
{ |
# copy "freeradius-web" files and conf files in the manager arae of ACC |
cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/ |
cp -rf $DIR_CONF/freeradius-web/ /etc/ |
chown -R apache:apache $DIR_ACC/manager/ |
# adapt the main conf file to Alcasar behaviour |
[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default |
$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf |
$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf |
$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf |
$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf |
$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf |
$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf |
$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf |
$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf |
$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf |
cat <<EOF > /etc/freeradius-web/naslist.conf |
nas1_name: alcasar-$ORGANISME |
nas1_model: Portail captif |
nas1_ip: $PRIVATE_IP |
nas1_port_num: 0 |
nas1_community: public |
EOF |
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe |
[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default |
cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs |
# Ajout du mappage des attributs chillispot |
[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default |
cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap |
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port) |
[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default |
$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs |
$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs |
chown -R apache:apache /etc/freeradius-web |
# Ajout de l'alias vers la page de "changement de mot de passe usager" |
cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf |
<Directory $DIR_WEB/pass> |
SSLRequireSSL |
AllowOverride None |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN |
</Directory> |
EOF |
} # End of radius_web () |
|
################################################################################## |
## Fonction "chilli" ## |
## - Création du fichier d'initialisation et de configuration de coova-chilli ## |
2103,7 → 2071,7 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3` |
mode="update" |
fi |
for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install |
for func in init network time ACC CA init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install |
do |
$func |
# echo "*** 'debug' : end of function $func ***"; read a |