
Ignore whitespace Rev 2453 → Rev 2454

/alcasar.sh
1,14 → 1,14
#!/bin/bash
# $Id$
# $Id$
 
# alcasar.sh
 
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
# Ce programme est un logiciel libre ; This software is free and open source
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
# Voir la Licence Publique Générale GNU pour plus de détails.
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
# Voir la Licence Publique Générale GNU pour plus de détails.
 
# team@alcasar.net
 
18,7 → 18,7
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 
# Options :
39,7 → 39,7
# antivirus : HAVP + libclamav configuration
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
# ulogd : log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Nfsen Netflow grapher
# nfsen : Configuration of Nfsen Netflow grapher
# dnsmasq : Name server configuration
# vnstat : little network stat daemon
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
55,7 → 55,7
Lang=`echo $LANG|cut -c 1-2`
mode="install"
# ******* Files parameters - paramètres fichiers *********
DIR_INSTALL=`pwd` # current directory
DIR_INSTALL=`pwd` # current directory
DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
135,17 → 135,17
for i in $*
do
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
then
then
DISTRIBUTION=`echo $i|cut -d"=" -f2`
unknown_os=`expr $unknown_os + 1`
fi
if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
then
then
CURRENT_VERSION=`echo $i|cut -d"=" -f2`
unknown_os=`expr $unknown_os + 1`
fi
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
then
then
ARCH=`echo $i|cut -d"=" -f2`
unknown_os=`expr $unknown_os + 1`
fi
177,7 → 177,7
fi
read response
done
if [ "$response" = "n" ] || [ "$response" = "N" ]
if [ "$response" = "n" ] || [ "$response" = "N" ]
then
rm -f /tmp/alcasar-conf*
else
195,7 → 195,7
then
echo
if [ $Lang == "fr" ]
then
then
echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
208,7 → 208,7
fi
else
if [ $Lang == "fr" ]
then
then
echo "L'installation d'ALCASAR ne peut pas être réalisée."
else
echo "The installation of ALCASAR can't be performed."
216,7 → 216,7
fi
echo
if [ $Lang == "fr" ]
then
then
echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
else
echo "The OS must be replaced (Mageia6-64bits)"
245,11 → 245,11
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
for i in $IF_INTERFACES
do
IP_INTERFACE=`/usr/sbin/ip link|grep $i`
IP_INTERFACE=`/usr/sbin/ip link|grep $i`
if [ -z "$IP_INTERFACE" ]
then
rm -f ifcfg-$i
 
if [ $Lang == "fr" ]
then echo "Suppression : ifcfg-$i"
else echo "Deleting : ifcfg-$i"
258,13 → 258,13
done
cd $DIR_INSTALL
echo -n "."
# Test Ethernet NIC links state
# Test Ethernet NIC links state
DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
for i in $DOWN_IF
do
echo $i
if [ $Lang == "fr" ]
then
then
echo "Échec"
echo "Le lien réseau de la carte $i n'est pas actif."
echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
283,7 → 283,7
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
then
if [ $Lang == "fr" ]
then
then
echo "Échec"
echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
307,7 → 307,7
# Test if default GW is set on EXTIF (router or ISP provider equipment)
if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
if [ $Lang == "fr" ]
then
then
echo "Échec"
echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
echo "Réglez ce problème puis relancez ce script."
322,9 → 322,9
# Test if default GW is alive
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
if [ $(expr $arp_reply) -eq 0 ]
then
then
if [ $Lang == "fr" ]
then
then
echo "Échec"
echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
echo "Réglez ce problème puis relancez ce script."
342,7 → 342,7
if [ ! -e /tmp/con_ok.html ]
then
if [ $Lang == "fr" ]
then
then
echo "La tentative de connexion vers Internet a échoué (google.fr)."
echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
echo "Vérifiez la validité des adresses IP des DNS."
371,9 → 371,9
ORGANISME=!
PTN='^[a-zA-Z0-9-]*$'
until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
do
do
if [ $Lang == "fr" ]
then echo -n "Entrez le nom de votre organisme : "
then echo -n "Entrez le nom de votre organisme : "
else echo -n "Enter the name of your organism : "
fi
read ORGANISME
388,17 → 388,17
rm -f $PASSWD_FILE
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
grep -v '[eE]nter password:' | \
sed -e "s/PBKDF2 hash of your password is //"`
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry)
chmod 0600 /boot/grub2/user.cfg
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
grep -v '[eE]nter password:' | \
sed -e "s/PBKDF2 hash of your password is //"`
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry)
chmod 0600 /boot/grub2/user.cfg
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
echo "GRUB2_user=root" >> $PASSWD_FILE
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
echo "GRUB2_user=root" >> $PASSWD_FILE
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
475,10 → 475,10
read PRIVATE_IP_MASK
done
else
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
fi
else
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
rm -rf conf/etc/alcasar.conf
fi
# Define LAN side global parameters
490,9 → 490,9
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
then
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
fi
fi
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
526,7 → 526,7
SUB=`echo ${i:0:2}`
if [ $SUB = "wl" ]
then WIFIF=$i
elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
then LANIF=$i
fi
done
536,8 → 536,8
elif [ -n "$LANIF" ]
then echo "LANIF=$LANIF" >> $CONF_FILE
fi
#########################################################################################################
#########################################################################################################
 
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # IP setting (static or dynamic)
if [ $IP_SETTING == "dhcp" ]
then
590,7 → 590,7
USERCTL=no
MTU=$MTU
EOF
else
else
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=static
666,7 → 666,7
USERCTL=no
EOF
fi
#########################################################################################################
#########################################################################################################
# Renseignement des fichiers hosts.allow et hosts.deny
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default
cat <<EOF > /etc/hosts.allow
691,7 → 691,7
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
#
#
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
} # End of network ()
 
819,7 → 819,7
do
header_install
if [ $Lang == "fr" ]
then
then
echo ""
echo "Définissez un premier compte d'administration d'ALCASAR :"
echo
869,7 → 869,7
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_all
884,7 → 884,7
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_admin
899,7 → 899,7
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_manager
914,7 → 914,7
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
AuthUserFile $DIR_DEST_ETC/digest/key_backup
930,7 → 930,7
Allow from $PRIVATE_NETWORK_MASK
require valid-user
AuthType digest
AuthName "ALCASAR Control Center (ACC)"
AuthName "ALCASAR Control Center (ACC)"
AuthDigestDomain $HOSTNAME.$DOMAIN
AuthUserFile $DIR_DEST_ETC/digest/key_backup
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1050,7 → 1050,7
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
# Create 'radius' database
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
# Add an empty radius database structure
1088,24 → 1088,24
ipaddr = 127.0.0.1
secret = $secretradius
shortname = chilli
nas_type = other
nas_type = other
}
EOF
# Set Virtual server (remvove all except "alcasar virtual site")
rm -f /etc/raddb/sites-enabled/*
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
chown radius:apache /etc/raddb/sites-available/alcasar
chmod 660 /etc/raddb/sites-available/alcasar
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
 
# Set modules
# Set modules
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
rm -rf /etc/raddb/mods-enabled/*
for mods in sql sqlcounter attr_filter expiration logintime pap expr
do
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
done
rm -rf /etc/raddb/mods-enabled/*
for mods in sql sqlcounter attr_filter expiration logintime pap expr
do
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
done
# Configure SQL mod
[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1115,7 → 1115,7
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1152,7 → 1152,7
/usr/bin/systemctl daemon-reload
# Allow apache to change some conf files (ie : ldap on/off)
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 
} # End freeradius ()
 
#############################################################################
1195,10 → 1195,10
# description: CoovaChilli
### BEGIN INIT INFO
# Provides: chilli
# Required-Start: network
# Should-Start:
# Required-Start: network
# Should-Start:
# Required-Stop: network
# Should-Stop:
# Should-Stop:
# Default-Start: 2 3 5
# Default-Stop:
# Description: CoovaChilli access controller
1217,7 → 1217,7
prog="chilli"
case \$1 in
start)
if [ -f \$pidfile ] ; then
if [ -f \$pidfile ] ; then
gprintf "chilli is already running"
else
gprintf "Starting \$prog: "
1226,9 → 1226,9
/usr/sbin/modprobe tun >/dev/null 2>&1
echo 1 > /proc/sys/net/ipv4/ip_forward
[ -e /dev/net/tun ] || {
(cd /dev;
mkdir net;
cd net;
(cd /dev;
mkdir net;
cd net;
mknod tun c 10 200)
}
ifconfig $INTIF 0.0.0.0
1254,13 → 1254,13
;;
 
stop)
if [ -f \$pidfile ] ; then
if [ -f \$pidfile ] ; then
gprintf "Shutting down \$prog: "
killproc /usr/sbin/chilli
RETVAL=\$?
[ \$RETVAL = 0 ] && rm -f \$pidfile
[ -e \$current_users_file ] && rm -f \$current_users_file
else
else
gprintf "chilli is not running"
fi
;;
1279,7 → 1279,7
#DHCP Options : rfc2132
#dhcp option value will be convert in hexa.
#NTP option (or 'option 42') is like :
#
#
# Code Len Address 1 Address 2
# +-----+-----+-----+-----+-----+-----+-----+-----+--
# | 42 | n | a1 | a2 | a3 | a4 | a1 | a2 | ...
1346,7 → 1346,7
chilli_exist=`grep -c ^chilli: /etc/passwd`
if [ "$chilli_exist" == "1" ]
then
userdel -r chilli 2>/dev/null
userdel -r chilli 2>/dev/null
fi
groupadd -f chilli
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1363,7 → 1363,7
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
# By default the filter is off
# By default the filter is off
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
# French deny HTML page
$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1395,7 → 1395,7
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
# maximum age of a child process before it croaks it
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
 
# on désactive par défaut le contrôle de téléchargement de fichiers
[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1417,14 → 1417,14
## Fonction "antivirus" ##
## - configuration of havp, libclamav and freshclam ##
##################################################################
antivirus ()
antivirus ()
{
# create 'havp' user
havp_exist=`grep -c ^havp: /etc/passwd`
if [ "$havp_exist" == "1" ]
then
userdel -r havp 2>/dev/null
groupdel havp 2>/dev/null
userdel -r havp 2>/dev/null
groupdel havp 2>/dev/null
fi
groupadd -f havp
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1471,13 → 1471,13
## Fonction "tinyproxy" ##
## - configuration of tinyproxy (proxy between filterde users and havp) ##
##########################################################################
tinyproxy ()
tinyproxy ()
{
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
if [ "$tinyproxy_exist" == "1" ]
then
userdel -r tinyproxy 2>/dev/null
groupdel tinyproxy 2>/dev/null
userdel -r tinyproxy 2>/dev/null
groupdel tinyproxy 2>/dev/null
fi
groupadd -f tinyproxy
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1596,7 → 1596,7
PIDFile=/var/run/nfsen/nfsen.pid
ExecStartPre=/bin/mkdir -p /var/run/nfsen
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
ExecStart=/usr/bin/nfsen start
ExecStart=/usr/bin/nfsen start
ExecStop=/usr/bin/nfsen stop
ExecReload=/usr/bin/nfsen restart
TimeoutSec=0
1605,7 → 1605,7
WantedBy=multi-user.target
EOF
# Add the listen port to collect netflow packet (nfcapd)
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
# expire delay for the profile "live"
/usr/bin/systemctl start nfsen
/bin/nfsen -m live -e 62d 2>/dev/null
1643,8 → 1643,8
{
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
cat << EOF > /etc/dnsmasq.conf
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
cat << EOF > /etc/dnsmasq.conf
# Configuration file for "dnsmasq in forward mode"
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
listen-address=$PRIVATE_IP
1712,7 → 1712,7
bogus-priv
filterwin2k
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
EOF
# 4th dnsmasq listen on udp 56 ("blackhole")
cat << EOF > /etc/dnsmasq-blackhole.conf
1826,8 → 1826,8
EOF
[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
cat <<EOF >> /etc/anacrontab
7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
7 10 cron.logExport nice /etc/cron.d/alcasar-archive
7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
7 10 cron.logExport nice /etc/cron.d/alcasar-archive
7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
EOF
 
1841,16 → 1841,16
# Archive des logs et de la base de données (tous les lundi à 5h35)
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
EOF
cat << EOF > /etc/cron.d/alcasar-ticket-clean
cat <<EOF > /etc/cron.d/alcasar-ticket-clean
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
EOF
cat << EOF > /etc/cron.d/alcasar-distrib-updates
cat <<EOF > /etc/cron.d/alcasar-distrib-updates
# mise à jour automatique de la distribution tous les jours 3h30
30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
EOF
 
cat << EOF > /etc/cron.d/alcasar-connections-stats
cat <<EOF > /etc/cron.d/alcasar-connections-stats
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1863,7 → 1863,7
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
EOF
cat << EOF > /etc/cron.d/alcasar-watchdog
cat <<EOF > /etc/cron.d/alcasar-watchdog
# run the "watchdog" every 3'
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1871,7 → 1871,7
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
EOF
# Enabling the watchdog every 18'
cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
# activate the daemon-watchdog after boot process
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
# activate the daemon-watchdog every 18'
1879,8 → 1879,8
EOF
 
# Enabling category update from rsync
cat << EOF > /etc/cron.d/alcasar-rsync-bl
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
cat <<EOF > /etc/cron.d/alcasar-rsync-bl
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
EOF
 
1959,7 → 1959,7
;ResetFrequency = 300
;HardResetFrequency = 120
 
CheckSecurity = 1
CheckSecurity = 1
CheckSignal = 1
CheckBattery = 0
EOF
2011,7 → 2011,7
/var/log/netflow/porttracker root.apache 770
/var/log/netflow/porttracker/* root.apache 660
EOF
# apply now hourly & daily checks
# apply now hourly & daily checks
/usr/sbin/msec
/etc/cron.weekly/msec
 
2099,12 → 2099,12
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
echo "LDAP_BASE=ou=my_lan;dc=server_name;dc=localdoamin" >> $CONF_FILE
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
echo "LDAP_FILTER=" >> $CONF_FILE
echo "LDAP_USER=alcasar" >> $CONF_FILE
echo "LDAP_PASSWORD=" >> $CONF_FILE
echo "MULTIWAN=off" >> $CONF_FILE
echo "LDAP_BASE=ou=my_lan;dc=server_name;dc=localdoamin" >> $CONF_FILE
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
echo "LDAP_FILTER=" >> $CONF_FILE
echo "LDAP_USER=alcasar" >> $CONF_FILE
echo "LDAP_PASSWORD=" >> $CONF_FILE
echo "MULTIWAN=off" >> $CONF_FILE
echo "FAILOVER=30" >> $CONF_FILE
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2125,7 → 2125,7
# actualisation des fichiers logs compressés
for dir in firewall dansguardian httpd
do
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
done
# create the alcasar-load_balancing unit
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2157,13 → 2157,13
do
/usr/bin/systemctl -q enable $i.service
done
 
# disable processes at boot time (Systemctl)
for i in ulogd gpm
do
/usr/bin/systemctl -q disable $i.service
done
 
# Apply French Security Agency (ANSSI) rules
# ignore ICMP broadcast (smurf attack)
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2180,7 → 2180,7
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
# set conntrack timer to 1h (3600s) instead of 5 weeks
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
# disable log_martians (ALCASAR is often installed between two private network addresses)
# disable log_martians (ALCASAR is often installed between two private network addresses)
echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
# disable iptables_helpers
echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2199,21 → 2199,21
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
if [ $vm_vga == 0 ] # is not a VM
if [ $vm_vga == 0 ] # is not a VM
then
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
echo >> /etc/mageia-release
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
fi
if [ $Lang == "fr" ]
then
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
else
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
fi
/usr/bin/update-grub2
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
echo >> /etc/mageia-release
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
fi
if [ $Lang == "fr" ]
then
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
else
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
fi
/usr/bin/update-grub2
# Load and apply the previous conf file
if [ "$mode" = "update" ]
then
2222,7 → 2222,7
PARENT_SCRIPT=`basename $0`
export PARENT_SCRIPT # to avoid stop&start process during the installation process
$DIR_DEST_BIN/alcasar-conf.sh --apply
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
fi
2249,7 → 2249,7
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
echo
echo " Appuyez sur 'Entrée' pour continuer"
else
else
echo "# End of ALCASAR install process #"
echo "# #"
echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
2321,7 → 2321,7
# Uninstall the running version
$DIR_SCRIPTS/alcasar-uninstall.sh -update
fi
# Test if manual update
# Test if manual update
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
then
header_install
2338,13 → 2338,13
else echo -n "Do you want to use it (Y/n)?";
fi
read response
if [ "$response" = "n" ] || [ "$response" = "N" ]
if [ "$response" = "n" ] || [ "$response" = "N" ]
then rm -f /tmp/alcasar-conf*
fi
done
fi
# Test if update
if [ -e /tmp/alcasar-conf* ]
if [ -e /tmp/alcasar-conf* ]
then
if [ $Lang == "fr" ]
then echo "#### Installation avec mise à jour ####";
2351,7 → 2351,7
else echo "#### Installation with update ####";
fi
# Extract the central configuration file
tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2387,7 → 2387,7
if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
then
$DIR_SCRIPTS/alcasar-conf.sh --create
else
else
rm -f /tmp/alcasar-conf*
fi
# Uninstall the running version
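Review bot: In hunk 388,17 the GRUB password hash is written with `echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg` before `chmod 0600 /boot/grub2/user.cfg`, so on a fresh install the file is presumably created under the caller's umask and readable by other users until the chmod runs; creating it under a restrictive umask closes that window, e.g. `( umask 077; echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg )`. In the same hunk, `echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE` truncates the file and discards the `##### ALCASAR ($ORGANISME) security passwords #####` header written a few lines earlier with the same redirection; it should append with `>>` like the lines that follow it. The two `tr -dc [:alnum:]` calls leave the bracket expression unquoted, so a single-character file name in the current directory that matches the pattern would be substituted by the shell before `tr` sees it; `tr -dc '[:alnum:]'` avoids that. The block these lines belong to starts and ends outside the hunk.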