18,7 → 18,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
|
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
|
# Options : |
# -i or --install |
60,7 → 60,7 |
DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files) |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log) |
DIR_WEB="/var/www/html" # directory of APACHE |
DIR_WEB="/var/www/html" # directory of Lighttpd |
DIR_DG="/etc/dansguardian" # directory of DansGuardian |
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
714,7 → 714,7 |
################################################################## |
## Function "ACC" ## |
## - installation of then ALCASAR Control Center (ACC) ) ## |
## - configuration of the web server (Apache) ## |
## - configuration of the web server (Lighttpd) ## |
## - creation of the first ACC admin account ## |
## - secure the access ## |
################################################################## |
764,196 → 764,53 |
$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini |
$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini |
$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini |
# Configuring & sécuring Apache |
# Configuring & securing Lighttpd |
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default |
$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf |
$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf |
$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf |
echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf |
echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf |
[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default |
$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf |
$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf |
$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf |
$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf |
$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf |
$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf |
[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default |
echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF |
echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf # exclude vulnerable protocols |
echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite |
echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite |
echo "SSLPassPhraseDialog builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin |
echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size |
echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds |
# Error page management |
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default |
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf |
Alias /error/ "/var/www/html/" |
<Directory "/usr/share/httpd/error"> |
AllowOverride None |
Options IncludesNoExec |
AddOutputFilter Includes html |
AddHandler type-map var |
Require all granted |
LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr |
ForceLanguagePriority Prefer Fallback |
</Directory> |
ErrorDocument 400 /error/error.php?error=400 |
ErrorDocument 401 /error/error.php?error=401 |
ErrorDocument 403 /error/error.php?error=403 |
ErrorDocument 404 /error/index.php |
ErrorDocument 405 /error/error.php?error=405 |
ErrorDocument 408 /error/error.php?error=408 |
ErrorDocument 410 /error/error.php?error=410 |
ErrorDocument 411 /error/error.php?error=411 |
ErrorDocument 412 /error/error.php?error=412 |
ErrorDocument 413 /error/error.php?error=413 |
ErrorDocument 414 /error/error.php?error=414 |
ErrorDocument 415 /error/error.php?error=415 |
ErrorDocument 500 /error/error.php?error=500 |
ErrorDocument 501 /error/error.php?error=501 |
ErrorDocument 502 /error/error.php?error=502 |
ErrorDocument 503 /error/error.php?error=503 |
ErrorDocument 506 /error/error.php?error=506 |
EOF |
[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default |
$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html |
[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default |
cat <<EOF > /usr/share/httpd/error/include/bottom.html |
</body> |
</html> |
EOF |
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default |
[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default |
[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default |
[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default |
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d |
|
cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf |
cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf |
|
$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf |
$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf |
$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf |
|
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf |
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf |
|
$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf |
$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf |
$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf |
$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf |
|
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
|
/usr/bin/systemctl start lighttpd |
|
# Définition du premier compte lié au profil 'admin' |
if [ "$mode" = "install" ] |
then |
header_install |
admin_portal=! |
PTN='^[a-zA-Z0-9-]*$' |
until [[ $(expr $admin_portal : $PTN) -gt 0 ]] |
do |
header_install |
if [ $Lang == "fr" ] |
then |
echo "" |
echo "Définissez un premier compte d'administration d'ALCASAR :" |
echo |
echo -n "Nom : " |
else |
echo "" |
echo "Define the first account allow to administrate ALCASAR :" |
echo |
echo -n "Account : " |
fi |
read admin_portal |
if [ "$admin_portal" == "" ] |
then |
admin_portal=! |
fi |
done |
# Creation of keys file for the admin account ("admin") |
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest |
mkdir -p $DIR_DEST_ETC/digest |
chmod 755 $DIR_DEST_ETC/digest |
until [ -s $DIR_DEST_ETC/digest/key_admin ] |
do |
/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal |
done |
$DIR_DEST_BIN/alcasar-profil.sh --list |
do |
$DIR_DEST_BIN/alcasar-profil.sh --add admin |
done |
fi |
# ACC partitioning |
rm -f /etc/httpd/conf/webapps.d/alcasar* |
cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf |
<Directory $DIR_WEB> |
AllowOverride None |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
</Directory> |
<Directory $DIR_WEB/certs> |
AddType application/x-x509-ca-cert crt |
</Directory> |
<Directory $DIR_ACC> |
SSLRequireSSL |
AllowOverride None |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_all |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
</Directory> |
<Directory $DIR_ACC/admin> |
SSLRequireSSL |
AllowOverride None |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_admin |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
</Directory> |
<Directory $DIR_ACC/manager> |
SSLRequireSSL |
AllowOverride None |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_manager |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
</Directory> |
<Directory $DIR_ACC/backup> |
SSLRequireSSL |
AllowOverride None |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
</Directory> |
Alias /save/ "$DIR_SAVE/" |
<Directory $DIR_SAVE> |
SSLRequireSSL |
Options Indexes |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
require valid-user |
AuthType digest |
AuthName "ALCASAR Control Center (ACC)" |
AuthDigestDomain $HOSTNAME.$DOMAIN |
AuthUserFile $DIR_DEST_ETC/digest/key_backup |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/ |
</Directory> |
EOF |
|
# Launch after coova (in order to wait tun0 to be up) |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service |
# Log file for ACC access imputability |
[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log |
chown root:apache /var/Save/security/acc_access.log |
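Review bot: The php-fpm socket and the ACC access log are still handed to the `apache` account (`listen.owner = apache`, `listen.group = apache`, `listen.mode = 0660`, and `chown root:apache /var/Save/security/acc_access.log`) although the process that connects to that socket and writes that log is now lighttpd/php-fpm; if lighttpd runs under a different account than `apache` (the usual package default is `lighttpd`), the 0660 socket is unreachable and the imputability log unwritable, so these lines should name the account lighttpd actually runs as, e.g. `listen.owner = lighttpd` / `listen.group = lighttpd` and `chown root:lighttpd /var/Save/security/acc_access.log`, or read it from `server.username` in lighttpd.conf. Second, `server.bind = "$HOSTNAME.$DOMAIN"` replaces the former `Listen $PRIVATE_IP:80` / `Listen $PRIVATE_IP:443` ("Listen only on INTIF"): binding by name depends on what that name resolves to at start-up, so the ACC can end up bound to 127.0.0.1 only or to the external interface, whereas `server.bind = "$PRIVATE_IP"` keeps the interface restriction explicit. Third, all the hardening the script used to write itself — `SSLProtocol all -SSLv2 -SSLv3`, the cipher list with `SSLHonorCipherOrder on`, `Deny from all` / `Allow from $PRIVATE_NETWORK_MASK`, `SSLRequireSSL` and the separate digest realms for /acc, /acc/admin, /acc/manager, /acc/backup and /save — now lives only in `$DIR_CONF/lighttpd/vhosts.d/alcasar.conf`, which is not part of this diff; please confirm that file carries the lighttpd equivalents (`ssl.use-sslv2`/`ssl.use-sslv3 = "disable"`, `ssl.cipher-list`, `ssl.honor-cipher-order = "enable"`, a `$HTTP["remoteip"]` allow-list for the private network and `auth.require` per directory with the matching `key_*` digest files), otherwise the ACC becomes reachable without the former network and protocol restrictions. Finally, `$DIR_DEST_BIN/alcasar-profil.sh --list` is followed by a bare `do … done` with no `while`/`until`, which is a syntax error in bash unless it is a rendering artefact of this page.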
962,33 → 819,12 |
|
########################################################################## |
## Fonction "CA" ## |
## - Creating the CA and the server certificate (apache) ## |
## - Creating the CA and the server certificate (lighttpd) ## |
########################################################################## |
CA () |
{ |
$DIR_DEST_BIN/alcasar-CA.sh |
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf` |
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default |
cat <<EOF > $FIC_VIRTUAL_SSL |
# default SSL virtual host, used for all HTTPS requests that do not |
# match a ServerName or ServerAlias in any <VirtualHost> block. |
|
<VirtualHost _default_:443> |
# general configuration |
ServerAdmin root@localhost |
ServerName $HOSTNAME.$DOMAIN |
|
# SSL configuration |
SSLEngine on |
SSLCertificateFile /etc/pki/tls/certs/alcasar.crt |
SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key |
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt |
CustomLog logs/ssl_request_log \ |
"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b" |
ErrorLog logs/ssl_error_log |
ErrorLogFormat "[%t] [%m:%l] [client %a] %M" |
</VirtualHost> |
EOF |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
} # End of CA () |
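Review bot: `chown -R root:apache /etc/pki` and `chmod -R 750 /etc/pki` are kept although Apache no longer serves the portal, so the server private key `/etc/pki/tls/private/alcasar.key` stays group-readable by an account that no longer needs it while the account lighttpd and php-fpm actually run as gets nothing; if lighttpd loads `ssl.pemfile` before dropping privileges this only widens the key's exposure, and if it does not, HTTPS fails at start-up — either way the group should be the one the new web stack really runs under, e.g. `chown -R root:lighttpd /etc/pki`. The removed Apache vhost was also the only place that told the server which files to use (`alcasar.crt`, `alcasar.key`, `server-chain.crt`) and that logged protocol and cipher per request (`ssl_request_log`), and nothing visible here replaces it: confirm that `vhosts.d/alcasar.conf` points `ssl.pemfile` at a file `alcasar-CA.sh` actually produces (lighttpd expects certificate and key in a single PEM unless the packaged version supports `ssl.privkey`) and sets `ssl.ca-file` to the chain, and decide whether the per-request TLS log is still wanted for forensics. `alcasar-CA.sh` itself is outside this diff, so the key and certificate paths cannot be checked from here.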
1935,7 → 1771,7 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service |
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service |
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service |
} # End fail2ban() |
|
################################################################## |
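Review bot: Only the unit ordering is switched to `lighttpd.service`; the fail2ban jails and filters that actually watch the web server's logs are not in this diff, and if any of them still point at Apache's log path or match Apache's log line format they will silently stop banning once the ACC is served by lighttpd. Please check the jail and filter files for `httpd`/`apache` references and move them to lighttpd's error/access log location and format, and add `# fail2ban must start after the web server whose logs it watches (lighttpd)` above the sed so the dependency is explicit. As an aside that predates this change, the address `/After=*/` matches any line containing `After` (the `*` binds to `=`), so `/^After=/` is the safer anchor for the `c` command. The fail2ban function's header is outside the hunk.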
2146,7 → 1982,7 |
# Log compression |
$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf |
# actualisation des fichiers logs compressés |
for dir in firewall dansguardian httpd |
for dir in firewall dansguardian lighttpd |
do |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \; |
done |
2176,7 → 2012,7 |
WantedBy=multi-user.target |
EOF |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
for i in alcasar-load_balancing mysqld lighttpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
do |
/usr/bin/systemctl -q enable $i.service |
done |