Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2839 → Rev 2840

/alcasar.sh
18,7 → 18,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
 
# Options :
# -i or --install
35,8 → 35,7
# freeradius : FreeRadius initialisation
# chilli : coovachilli initialisation (+authentication page)
# e2guardian : E2Guardian filtering HTTP proxy configuration
# antivirus : HAVP + libclamav configuration
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
# antivirus : clamav & freshclam configuration
# ulogd : log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
# unbound : Name server configuration
1271,29 → 1270,42
# Adapt the main conf file
# French deny HTML page
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
# Listen only on LAN side
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
# E2guardian listens on 8080 (HTTP)
# 2 filtergroups (8080 & 8090)
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
# Listen on 8080 (HTTP for BL users) only on LAN side
$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
# E2guardian listens transparently on 8443 (HTTPS)
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
# DG send its flow to HAVP (127.0.0.1:8090)
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
# Don't log
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
# Disable HTML content control (weighted & banned)
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
# Enable authport plugin
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
# Enable clamd scanner
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
 
# RAZ bannedphraselist
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
 
# Disable URL control with regex
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
# Adapt the first group file (only one for instance)
 
# Adapt the first group conf file
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
# Reporting (deny page) in HTML
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
 
# Copy the fist group conf file to the second
cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf
 
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1349,47 → 1361,16
 
##################################################################
## Function "antivirus" ##
## - Set the parameters of havp, libclamav and freshclam ##
## - Set the parameters of clamav and freshclam ##
##################################################################
antivirus()
{
# create 'havp' user
havp_exist=`grep -c ^havp: /etc/passwd`
if [ "$havp_exist" == "1" ]
then
userdel -r havp 2>/dev/null
groupdel havp 2>/dev/null
fi
groupadd -f havp
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav
chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp
chown -R clamav:clamav /var/log/clamav /var/lib/clamav
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
$SED "s?^# SCANTEMPFILE.*?SCANTEMPFILE /var/tmp/havp/havp-XXXXXX?g" /etc/havp/havp.config # Use our special tmp FS (memfs)
$SED "s?^# TEMPDIR.*?TEMPDIR /var/tmp/havp?g" /etc/havp/havp.config # Use our special tmp FS (memfs)
# skip checking of youtube flow (too heavy load / risk too low)
[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
echo "# Whitelist youtube flow" >> /etc/havp/whitelist
echo "*.youtube.com/*" >> /etc/havp/whitelist
# adapt init script and systemd unit
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
cp -f $DIR_CONF/havp-init /etc/init.d/havp
cp -f $DIR_CONF/havp.service /lib/systemd/system/
# replace of the intercept page (template)
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
# Clamd adaptation to e2guardian
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
chmod 775 /var/log/clamav /var/lib/clamav
chmod 664 /var/log/clamav/*
# update virus database every 4 hours (24h/6)
[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1396,65 → 1377,12
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam
# update now
/usr/bin/freshclam --no-warnings --quiet
} # End of antivirus()
 
################################################################################
## Function "tinyproxy" ##
## - Set the parameters of tinyproxy (proxy between filtered users and havp) ##
################################################################################
tinyproxy()
{
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
if [ "$tinyproxy_exist" == "1" ]
then
userdel -r tinyproxy 2>/dev/null
groupdel tinyproxy 2>/dev/null
fi
groupadd -f tinyproxy
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
mkdir -p /run/tinyproxy /var/log/tinyproxy
chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
# Create the systemd unit
cat << EOF > /lib/systemd/system/tinyproxy.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
 
# This unit launches tinyproxy (a very light proxy).
# The "sleep 2" is needed because the pid file isn't ready for systemd
[Unit]
Description=Tinyproxy Web Proxy Server
After=network-online.target iptables.service
 
[Service]
Type=forking
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
ExecStartPre=/bin/sleep 2
PIDFile=/run/tinyproxy/tinyproxy.pid
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
ExecStop=/usr/bin/killall -9 tinyproxy
[Install]
WantedBy=multi-user.target
EOF
 
} # end of tinyproxy()
 
##############################################################
## function "ulogd" ##
## - Ulog config for multi-log files ##
1907,7 → 1835,7
fail2ban()
{
/usr/bin/sh $DIR_CONF/fail2ban.sh
# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section
# allow reading of 2 log files (fail2ban & watchdog).
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
chmod 644 /var/log/fail2ban.log
2112,7 → 2040,7
##################################################################
post_install()
{
# change the SSH banner
# change the SSHD options
cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2119,13 → 2047,15
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# sshd listens on EXTIF & INTIF
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
# sshd authorized certificate for root login
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
 
# postfix banner anonymisation
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
chown -R postfix:postfix /var/lib/postfix
# sshd liste on EXTIF & INTIF
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
# sshd authorized certificate for root login
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
# ALCASAR conf file
echo "HTTPS_LOGIN=off" >> $CONF_FILE
echo "HTTPS_CHILLI=off" >> $CONF_FILE
2196,7 → 2126,7
EOF
/usr/bin/systemctl daemon-reload
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
do
/usr/bin/systemctl -q enable $i.service
done
2241,7 → 2171,7
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM
if [ $vm_vga == 0 ] # is not a VM
then
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2425,7 → 2355,7
fi
mode="update"
fi
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]