

Ignore whitespace Rev 2687 → Rev 2688

/alcasar.sh
18,7 → 18,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 
# Options :
# -i or --install
39,9 → 39,10
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
# ulogd : log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Nfsen Netflow grapher
# dnsmasq : Name server configuration
# unbound : Name server configuration
# dnsmasq : Name server configuration (for whitelist ipset support)
# vnstat : little network stat daemon
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
# cron : Logs export + watchdog + connexion statistics
# fail2ban : Fail2ban IDS installation and configuration
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
65,7 → 66,7
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (unbound for instance)
CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
# ******* DBMS parameters - paramètres SGBD ********
132,7 → 133,7
old="$IFS"
IFS=","
set $fic
for i in $*
for i in "$@"
do
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
then
160,7 → 161,7
fi
IFS="$old"
if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
then
then
if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
then
echo
187,7 → 188,7
then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
else echo "The OS must be replaced (Mageia6-64bits)"
fi
exit 0
exit 1
fi
 
# Test if ALCASAR is already installed
215,8 → 216,8
# Retrieve former NICname
EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-` # EXTernal InterFace
INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-` # INTernal InterFace
[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
# Create the current conf file
$DIR_SCRIPTS/alcasar-conf.sh --create
mode="update"
225,7 → 226,7
# Test free space on /var
if [ ! -d /var/log/netflow/porttracker ]
then
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
if [ $free_space -lt 10 ]
then
if [ $Lang == "fr" ]
283,7 → 284,7
[ -z "$response" ] && response="$interfacePreferred"
 
# Check if interface exist
if [ $(echo "$interfacesList" | grep -c "^$response\$") -eq 1 ]; then
if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
INTIF="$response"
break
else
305,11 → 306,11
else echo -n "Network parameters tests: "
fi
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
cd /etc/sysconfig/network-scripts/
cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
for i in $IF_INTERFACES
do
if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
rm -f ifcfg-$i
 
if [ $Lang == "fr" ]
318,7 → 319,7
fi
fi
done
cd $DIR_INSTALL
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
echo -n "."
# Test Ethernet NIC links state
interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
342,7 → 343,7
PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
then
if [ $Lang == "fr" ]
then
367,7 → 368,7
fi
echo -n "."
# Test if default GW is set on EXTIF (router or ISP provider equipment)
if [ `/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default '` -ne 1 ] ; then
if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
if [ $Lang == "fr" ]
then
echo -e "\nÉchec"
383,7 → 384,7
echo -n "."
# Test if default GW is alive
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
if [ $(expr $arp_reply) -eq 0 ]
if [ "$(expr $arp_reply)" -eq 0 ]
then
if [ $Lang == "fr" ]
then
438,7 → 439,7
fi
read ORGANISME
if [ "$ORGANISME" == "" ]
then
then
ORGANISME=!
fi
done
447,7 → 448,7
# We create random passwords and shared secrets
rm -f $PASSWD_FILE
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
grep -v '[eE]nter password:' | \
459,17 → 460,17
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
echo "GRUB2_user=root" >> $PASSWD_FILE
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
echo "db_user=$DB_USER" >> $PASSWD_FILE
echo "db_password=$radiuspwd" >> $PASSWD_FILE
secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
echo "secret_uam=$secretuam" >> $PASSWD_FILE
secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
echo "secret_radius=$secretradius" >> $PASSWD_FILE
chmod 640 $PASSWD_FILE
535,7 → 536,7
read PRIVATE_IP_MASK
done
else
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
fi
else
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
549,7 → 550,7
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24)
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
then
then
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
fi
558,10 → 559,6
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4` # last octet of LAN broadcast
PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF
# Define Internet parameters
if [ "$mode" != "update" ]
611,7 → 608,7
#########################################################################################################
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
if [ $IP_SETTING == "dhcp" ]
then
then
echo "PUBLIC_IP=dhcp" >> $CONF_FILE
echo "GW=dhcp" >> $CONF_FILE
else
644,7 → 641,7
# write EXTIF (Internet) config
[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
if [ $IP_SETTING == "dhcp" ]
then
then
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=dhcp
661,7 → 658,7
USERCTL=no
MTU=$MTU
EOF
else
else
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
DEVICE=$EXTIF
BOOTPROTO=static
758,10 → 755,10
# load ipt_NETFLOW module
echo "ipt_NETFLOW" >> /etc/modprobe.preload
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
#
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
} # End of network ()
823,8 → 820,8
rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
 
845,15 → 842,16
 
[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
 
[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
 
chown -R apache:apache /var/log/lighttpd
/usr/bin/systemctl start lighttpd
/usr/bin/systemctl start php-fpm
860,16 → 858,16
 
# Creation of the first account (in 'admin' profile)
if [ "$mode" = "install" ]
then
header_install
then
header_install
# Creation of keys file for the admin account ("admin")
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
mkdir -p $DIR_DEST_ETC/digest
chmod 755 $DIR_DEST_ETC/digest
until [ -s $DIR_DEST_ETC/digest/key_admin ]
do
$DIR_DEST_BIN/alcasar-profil.sh --add admin
done
[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
mkdir -p $DIR_DEST_ETC/digest
chmod 755 $DIR_DEST_ETC/digest
until [ -s $DIR_DEST_ETC/digest/key_admin ]
do
$DIR_DEST_BIN/alcasar-profil.sh --add admin
done
fi
 
# Run after coova (in order to wait tun0 to be up)
919,7 → 917,7
EOF
chown -R ntp:ntp /var/lib/ntp
# Synchronize now
ntpd -q -g &
ntpd -4 -q -g &
} # End of time_server ()
 
#####################################################################
932,7 → 930,7
#####################################################################
init_db ()
{
if [ `systemctl is-active mysqld` == "active" ]
if [ "`systemctl is-active mysqld`" == "active" ]
then
systemctl stop mysqld
fi
957,16 → 955,16
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
exit
fi
MYSQL="/usr/bin/mysql --execute"
# Secure the server
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
 
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
# Create 'radius' database
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
# Add an empty radius database structure
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
# modify the start script in order to close accounting connexion when the system is comming down or up
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
1051,7 → 1049,6
/usr/bin/systemctl daemon-reload
# Allow apache to change some conf files (ie : ldap on/off)
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
 
} # End freeradius ()
 
#############################################################################
1186,7 → 1183,7
#
#Code : 42 => 2a
#Len : 4 => 04
PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
cat <<EOF > /etc/chilli.conf
# coova config for ALCASAR
cmdsocket /var/run/chilli.sock
1468,7 → 1465,7
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
DirTmp=$(pwd)
cd /tmp/nfsen-*/
cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
/usr/bin/perl install.pl etc/nfsen.conf
/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
# Create RRD DB for porttracker (only in it still doesn't exist)
1505,7 → 1502,7
WantedBy=multi-user.target
EOF
# Add the listen port to collect netflow packet (nfcapd)
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
# expire delay for the profile "live"
/usr/bin/systemctl start nfsen
/bin/nfsen -m live -e 62d 2>/dev/null
1515,11 → 1512,11
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
# cd /tmp/
# /usr/bin/sh SURFmap/install.sh
# /usr/bin/sh SURFmap/install.sh
# clear the installation
# rm -rf /tmp/SURFmap*
rm -rf /tmp/nfsen-*
cd $DirTmp
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
} # End of nfsen ()
 
1531,7 → 1528,7
{
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1546,67 → 1543,14
dnsmasq ()
{
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
cat << EOF > /etc/dnsmasq.conf
# Configuration file for "dnsmasq in forward mode"
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
listen-address=$PRIVATE_IP
pid-file=/var/run/dnsmasq.pid
listen-address=127.0.0.1
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=2048
domain-needed
expand-hosts
bogus-priv
filterwin2k
server=$DNS1
server=$DNS2
# DHCP service is configured. It will be enabled in "bypass" mode
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
#dhcp-option=option:router,$PRIVATE_IP
#dhcp-option=option:ntp-server,$PRIVATE_IP
 
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
EOF
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
cat << EOF > /etc/dnsmasq-blacklist.conf
# Configuration file for "dnsmasq with blacklist"
# Add Toulouse University blacklist domains
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
pid-file=/var/run/dnsmasq-blacklist.pid
listen-address=$PRIVATE_IP
port=54
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=2048
domain-needed
expand-hosts
bogus-priv
filterwin2k
log-queries
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
server=$DNS1
server=$DNS2
EOF
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
cat << EOF > /etc/dnsmasq-whitelist.conf
# Configuration file for "dnsmasq with whitelist"
# ADD Toulouse university whitelist domains
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
pid-file=/var/run/dnsmasq-whitelist.pid
listen-address=$PRIVATE_IP
listen-address=127.0.0.1
port=55
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=1024
1614,60 → 1558,228
expand-hosts
bogus-priv
filterwin2k
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
server=$DNS1
server=$DNS2
EOF
# 4th dnsmasq listen on udp 56 ("blackhole")
cat << EOF > /etc/dnsmasq-blackhole.conf
# Configuration file for "dnsmasq as a blackhole"
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local & remote DNS domain name resolutions
address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
pid-file=/var/run/dnsmasq-blackhole.pid
listen-address=$PRIVATE_IP
port=56
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
no-dhcp-interface=lo
bind-interfaces
cache-size=256
domain-needed
expand-hosts
bogus-priv
filterwin2k
 
# Create dnsmasq-whitelist unit
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
} # End dnsmasq
 
##################################################
## Function "unbound" ##
##################################################
unbound ()
{
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
 
# Local static DNS configuration
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
 
# Forward zone configuration file for all unbound dns servers
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
forward-zone:
name: "."
forward-addr: $DNS1
forward-addr: $DNS2
EOF
# file managing domain name resolution (local & remote)
cat << EOF > $DIR_DEST_ETC/alcasar-dns-name
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut)
# Here you can define your local domain name ('localdomain' by default)
local=/localdomain/
domain=localdomain
 
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS
## Add one line for each domain name managed by an other DNS server
## server=/<your_domain>/<@IP_domain_server>
## Exemple for an A.D. domain : server=/Your.Domain.AD/110.120.100.100
## Exemple for an other domain : server=/an_other_domain/10.20.30.40
 
# Custom configuration file for manual DNS configuration
cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
## Add one block for each domain name managed by an other DNS server
##
## Example:
##
## server:
## local-zone: "<your_domain>." transparent
## forward-zone:
## name: "<your_domain>."
## forward-addr: <@IP_domain_server>
##
## INFO : local hostnames are resolved in /etc/hosts file
EOF
 
# the main instance should start after network and chilli (which create tun0)
[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
for list in blacklist whitelist blackhole
# Configuration file of ALCASAR main domains for $INTIF
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
server:
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A $PRIVATE_IP"
local-zone: "$DOMAIN." static
local-data: "$DOMAIN. A"
EOF
 
# Configuration file for lo of forward unbound
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
server:
interface: 127.0.0.1@53
access-control-view: 127.0.0.1/8 lo
 
view:
name: "lo"
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A 127.0.0.1"
local-zone: "$DOMAIN." static
local-data: "$DOMAIN. A"
view-first: yes
EOF
 
# Configuration file for $INTIF of forward unbound
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@53
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
name: "$INTIF"
local-zone: "$HOSTNAME.$DOMAIN" static
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
local-zone: "$HOSTNAME" static
local-data: "$HOSTNAME A $PRIVATE_IP"
view-first: yes
EOF
 
# Configuration file for forward unbound
cat << EOF > /etc/unbound/unbound.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
 
include: /etc/unbound/conf.d/common/forward-zone.conf
include: /etc/unbound/conf.d/common/local-forward/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/forward/*
EOF
 
# Configuration file for $INTIF of blacklist unbound
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@54
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "blacklist"
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
EOF
 
# Configuration file for blacklist unbound
cat << EOF > /etc/unbound/unbound-blacklist.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
logfile: "/var/log/unbound/unbound-blacklist.log"
chroot: ""
define-tag: "blacklist"
log-local-actions: yes
 
include: /etc/unbound/conf.d/common/forward-zone.conf
include: /etc/unbound/conf.d/common/local-forward/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/blacklist/*
 
include: /usr/local/share/unbound-bl-enabled/*
EOF
 
# Configuration file for $INTIF of whitelist unbound
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@55
access-control: $PRIVATE_IP_MASK allow
access-control-tag: $PRIVATE_IP_MASK "whitelist"
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
EOF
 
# Configuration file for whitelist unbound
cat << EOF > /etc/unbound/unbound-whitelist.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
do-not-query-localhost: no
define-tag: "whitelist"
 
local-zone: "." transparent
local-zone-tag: "." "whitelist"
 
include: /usr/local/share/unbound-wl-enabled/*
include: /etc/unbound/conf.d/whitelist/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/common/local-forward/*
 
forward-zone:
name: "."
forward-addr: 127.0.0.1@55
EOF
 
# Configuration file for $INTIF of blackhole unbound
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
server:
interface: ${PRIVATE_IP}@56
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
 
view:
name: "$INTIF"
local-zone: "." redirect
local-data: ". A $PRIVATE_IP"
EOF
 
# Configuration file for blackhole unbound
cat << EOF > /etc/unbound/unbound-blackhole.conf
server:
verbosity: 1
hide-version: yes
hide-identity: yes
do-ip6: no
 
include: /etc/unbound/conf.d/blackhole/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/common/local-forward/*
EOF
 
if [ ! -e /lib/systemd/system/unbound.service.default ]
then
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
fi
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
 
for list in blacklist blackhole whitelist
do
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
done
} # End dnsmasq
 
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
} # End unbound
 
##########################################################
## Function "BL" ##
## - copy Toulouse BL ##
## - adapt this BL to ALCASAR architecture ##
## - domain names for dnsmasq-bl & dnasmasq-wl ##
## - domain names for unbound-bl & unbound-wl ##
## - URLs for E²guardian ##
## - IPs for NetFilter ##
##########################################################
1845,9 → 1957,9
 
# Create 'gammu' database
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
# Add a gammu database structure
mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
 
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
cat << EOF > /etc/gammurc
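Review bot: The corrected `$MYSQL "CREATE DATABASE …"` call and the `/usr/bin/mysql -u$DB_USER -p$radiuspwd …` line still hand both database passwords over as command-line arguments, where any local user can read them from the process list while the client runs; prefer `MYSQL_PWD="$mysqlpwd" /usr/bin/mysql -uroot --execute "…"` (and likewise `MYSQL_PWD="$radiuspwd"` for the import) or a `--defaults-extra-file` created with mode 600. The `IDENTIFIED BY '$radiuspwd'` fragment is also spliced into the SQL text unescaped, so a password value containing a single quote would break the statement — presumably the generator never produces one, but a comment stating that assumption would help the next maintainer. The enclosing function starts and ends outside this hunk.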
1972,7 → 2084,7
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
 
pwdInstall=$(pwd)
cd /tmp/acme.sh-*
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
 
acmesh_installDir="/opt/acme.sh"
acmesh_confDir="/usr/local/etc/letsencrypt"
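Review bot: The new `cd /tmp/acme.sh-* || …` guard still relies on a predictable, glob-matched name inside world-writable /tmp: a stale or foreign `/tmp/acme.sh-*` entry makes the glob expand to several paths (bash `cd` then fails with "too many arguments") or to the wrong directory, and the `rm -rf /tmp/acme.sh-*` in the next hunk removes whatever matches. Extracting into a private `mktemp -d` directory removes both problems; the sketch below covers this hunk and the `cd $pwdInstall` / `rm -rf` lines of the following one. The error messages here and at `cd $pwdInstall` and `cd $DIR_INSTALL` (two later hunks) go to stdout; they belong on stderr (`>&2`). The letsencrypt function begins before this hunk and ends in the next.
```shell
acme_tmp=$(mktemp -d) || { echo "Unable to create temporary directory" >&2; exit 1; }
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C "$acme_tmp"
pwdInstall=$(pwd)
cd "$acme_tmp"/acme.sh-* || { echo "Unable to find ACME directory" >&2; exit 1; }
# … unchanged: acme.sh installation and configuration …
cd "$pwdInstall" || { echo "Unable to find $pwdInstall directory" >&2; exit 1; }
rm -rf -- "$acme_tmp"
```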
2004,7 → 2116,7
dateNextRenewal=
EOF
 
cd $pwdInstall
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
rm -rf /tmp/acme.sh-*
 
} # END letsencrypt()
2027,7 → 2139,7
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# postfix banner anonymisation
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
chown -R postfix:postfix /var/lib/postfix
# sshd liste on EXTIF & INTIF
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2052,6 → 2164,9
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
echo "BL_PUREIP=on" >> $CONF_FILE
echo "BL_SAFESEARCH=off" >> $CONF_FILE
echo "WL_SAFESEARCH=off" >> $CONF_FILE
# Prompt customisation (colors)
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
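Review bot: The three new keys `BL_PUREIP`, `BL_SAFESEARCH` and `WL_SAFESEARCH` are written to the conf file without the explanatory comment line that the neighbouring `WANx` entries receive, so an administrator editing the file has no hint of the accepted values. Adding a line such as `echo "## BL_PUREIP, BL_SAFESEARCH, WL_SAFESEARCH : on|off" >> $CONF_FILE` before them keeps the file self-describing; the exact meaning of each switch is not visible here and should be filled in by the author. `$CONF_FILE` is also expanded unquoted throughout this run of echoes.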
2068,7 → 2183,7
# actualisation des fichiers logs compressés
for dir in firewall e2guardian lighttpd
do
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
done
# create the alcasar-load_balancing unit
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2097,13 → 2212,13
EOF
/usr/bin/systemctl daemon-reload
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
do
/usr/bin/systemctl -q enable $i.service
done
 
# disable processes at boot time (Systemctl)
for i in ulogd gpm
for i in ulogd gpm dhcpd
do
/usr/bin/systemctl -q disable $i.service
done
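Review bot: The enable list now drops `dnsmasq`, `dnsmasq-blacklist` and `dnsmasq-blackhole` in favour of the unbound units, but the disable loop (`ulogd gpm dhcpd`) does not cover them, so a system updated from a previous release — this script runs all functions in `mode="update"` too — presumably keeps the old dnsmasq instances enabled next to unbound, competing for the same listener. Extending the loop to `for i in ulogd gpm dhcpd dnsmasq dnsmasq-blacklist dnsmasq-blackhole` makes the transition explicit; `systemctl -q disable` on a unit that was never enabled is harmless. Note that the earlier hunk still generates `dnsmasq-$list.service` for all three lists although only `dnsmasq-whitelist` is enabled here.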
2152,10 → 2267,10
if [ $Lang == "fr" ]
then
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
else
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
fi
/usr/bin/update-grub2
# Load and apply the previous conf file
2174,7 → 2289,7
chown -R root:apache $DIR_DEST_ETC/*
chmod -R 660 $DIR_DEST_ETC/*
chmod ug+x $DIR_DEST_ETC/digest
cd $DIR_INSTALL
cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
echo ""
echo "#############################################################################"
if [ $Lang == "fr" ]
2190,7 → 2305,7
echo
echo "- Lisez attentivement la documentation d'exploitation"
echo
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
echo
echo " Appuyez sur 'Entrée' pour continuer"
else
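Review bot: The rewritten line advertises the ACC at `http://$HOSTNAME.$DOMAIN`, while the `/etc/mageia-release` banner in an earlier hunk points to `https://$HOSTNAME.$DOMAIN/acc`; the two should agree, and since the control center is a login-protected interface the https form is the one to keep. The English message in the next hunk (`http://$HOSTNAME.$DOMAIN`) has the same inconsistency.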
2205,7 → 2320,7
echo
echo "- Read the exploitation documentation"
echo
echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
echo
echo " Hit 'Enter' to continue"
fi
2212,7 → 2327,7
sleep 2
if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
then
read a
read
fi
clear
reboot
2228,10 → 2343,10
echo "Launch this program from the ALCASAR archive directory"
exit 0
fi
if [[ $EUID > 0 ]]
if [ $EUID -gt 0 ]
then
echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
echo "You must be "root" to install ALCASAR ('su' command)"
echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
echo "You must be \"root\" to install ALCASAR ('su' command)"
exit 0
fi
VERSION=`cat $DIR_INSTALL/VERSION`
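Review bot: The switch to `[ $EUID -gt 0 ]` fixes the string comparison, but the failure branch still ends with `exit 0`, so running the installer as an unprivileged user reports success to any wrapper or package script that checks the status; the same applies to the "Launch this program from the ALCASAR archive directory" branch just above. Both should be `exit 1`. `$EUID` is a bash-provided integer, so the unquoted test is safe here, and the `VERSION=\`cat …\`` line would read better as `VERSION=$(cat "$DIR_INSTALL/VERSION")`.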
2273,7 → 2388,7
if [ $DEBUG_ALCASAR == "on" ]
then
echo "*** 'debug' : end of cleaning ***"
read a
read
fi
# Test if manual update
if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2313,13 → 2428,13
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
mode="update"
fi
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound BL cron fail2ban gammu_smsd msec letsencrypt post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]
then
then
echo "*** 'debug' : end of install '$func' ***"
read a
read
fi
done
;;
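Review bot: The debug checks in this hunk and the previous one use `[ $DEBUG_ALCASAR == "on" ]` unquoted, whereas the check near `reboot` in an earlier hunk correctly writes `[ "$DEBUG_ALCASAR" == "on" ]`; with an empty or unset value the unquoted form fails with "unary operator expected" instead of evaluating to false, so both should be `if [ "$DEBUG_ALCASAR" == "on" ]`. The doubled `then` at the comparison point appears to be an indentation-only change. Adding `unbound` after `dnsmasq` in the function list matches the `After=… dnsmasq-whitelist.service` dependency that the unbound function writes, so the ordering looks intentional and deserves a short comment on the loop.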
2359,4 → 2474,3
;;
esac
# end of script