18,7 → 18,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
|
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump |
|
# Options : |
# -i or --install |
35,8 → 35,7 |
# freeradius : FreeRadius initialisation |
# chilli : coovachilli initialisation (+authentication page) |
# e2guardian : E2Guardian filtering HTTP proxy configuration |
# antivirus : HAVP + libclamav configuration |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# antivirus : clamav & freshclam configuration |
# ulogd : log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
# unbound : Name server configuration |
1271,29 → 1270,42 |
# Adapt the main conf file |
# French deny HTML page |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf |
# Listen only on LAN side |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
# E2guardian listens on 8080 (HTTP) |
# 2 filtergroups (8080 & 8090) |
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf |
# Listen on 8080 (HTTP for BL users) only on LAN side |
$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
# Listen on 8090 (HTTP for WL/AV users) only on LAN side |
$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf |
$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf |
# E2guardian listens transparently on 8443 (HTTPS) |
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf |
# DG send its flow to HAVP (127.0.0.1:8090) |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf |
# Don't log |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
# Disable HTML content control (weighted & banned) |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
# Enable authport plugin |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf |
# Enable clamd scanner |
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf |
|
# RAZ bannedphraselist |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not) |
|
# Disable URL control with regex |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not) |
# Adapt the first group file (only one for instance) |
|
# Adapt the first group conf file |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
# Reporting (deny page) in HTML |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
|
# Copy the fist group conf file to the second |
cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf |
|
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
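Review bot: The upstream-proxy settings at `proxyip = 127.0.0.1` / `proxyport = 8090` (with the comment "DG send its flow to HAVP") point at a service this commit removes, and the only 8090 listener configured in this hunk is e2guardian's own second filterport bound to `$PRIVATE_IP` (the appended `filterip`/`filterports` lines), not loopback. If those three lines are on the new side, confirm whether a forward proxy is still expected on 127.0.0.1:8090; if not, leave `proxyip`/`proxyport` commented and replace the comment with `# No upstream proxy: clamd scanning is done in-process via the clamdscan content scanner`. The `cp $DIR_DG/lists/bannedphraselist ... .default` also appears twice (once under the weightedphrasemode comment, once under "RAZ bannedphraselist"); the first copy looks stray. The enclosing e2guardian function starts before this hunk.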
1349,47 → 1361,16 |
|
################################################################## |
## Function "antivirus" ## |
## - Set the parameters of havp, libclamav and freshclam ## |
## - Set the parameters of clamav and freshclam ## |
################################################################## |
antivirus() |
{ |
# create 'havp' user |
havp_exist=`grep -c ^havp: /etc/passwd` |
if [ "$havp_exist" == "1" ] |
then |
userdel -r havp 2>/dev/null |
groupdel havp 2>/dev/null |
fi |
groupadd -f havp |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp |
mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav |
chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp |
chown -R clamav:clamav /var/log/clamav /var/lib/clamav |
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config |
$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config # pidfile |
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode |
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback |
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback) |
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format |
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV |
$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches |
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously |
$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files |
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files |
$SED "s?^# SCANTEMPFILE.*?SCANTEMPFILE /var/tmp/havp/havp-XXXXXX?g" /etc/havp/havp.config # Use our special tmp FS (memfs) |
$SED "s?^# TEMPDIR.*?TEMPDIR /var/tmp/havp?g" /etc/havp/havp.config # Use our special tmp FS (memfs) |
# skip checking of youtube flow (too heavy load / risk too low) |
[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default |
echo "# Whitelist youtube flow" >> /etc/havp/whitelist |
echo "*.youtube.com/*" >> /etc/havp/whitelist |
# adapt init script and systemd unit |
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default |
cp -f $DIR_CONF/havp-init /etc/init.d/havp |
cp -f $DIR_CONF/havp.service /lib/systemd/system/ |
# replace of the intercept page (template) |
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html |
cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html |
# Clamd adaptation to e2guardian |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default |
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf |
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav |
chmod 775 /var/log/clamav /var/lib/clamav |
chmod 664 /var/log/clamav/* |
# update virus database every 4 hours (24h/6) |
[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default |
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf |
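Review bot: Switching clamd to `User e2guardian` and recursively chowning `/var/log/clamav` and `/var/lib/clamav` to that account makes the AV daemon and the filtering proxy share one identity, so a fault in either exposes the other's configuration, logs and signature database; keeping clamd as `clamav` and granting the proxy socket access through clamd's `LocalSocketGroup` (with e2guardian added to that group) keeps the two processes separated. The `mkdir -p ... /var/log/clamav /var/lib/clamav` that previously created those directories appears to be on the removed side, so the chown/chmod lines now rely on the package having created them — worth a `mkdir -p /var/log/clamav /var/lib/clamav` before the chown if that is not guaranteed. `chmod 664 /var/log/clamav/*` errors out when the directory is empty (the glob stays literal); `find /var/log/clamav -maxdepth 1 -type f -exec chmod 664 -- {} +` is the quiet form. The antivirus() body continues past this hunk.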
1396,65 → 1377,12 |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf |
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf |
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam |
|
# update now |
/usr/bin/freshclam --no-warnings --quiet |
} # End of antivirus() |
|
################################################################################ |
## Function "tinyproxy" ## |
## - Set the parameters of tinyproxy (proxy between filtered users and havp) ## |
################################################################################ |
tinyproxy() |
{ |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd` |
if [ "$tinyproxy_exist" == "1" ] |
then |
userdel -r tinyproxy 2>/dev/null |
groupdel tinyproxy 2>/dev/null |
fi |
groupadd -f tinyproxy |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy |
mkdir -p /run/tinyproxy /var/log/tinyproxy |
chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default |
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port |
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif) |
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged |
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP |
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode |
$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN |
# Create the systemd unit |
cat << EOF > /lib/systemd/system/tinyproxy.service |
# This file is part of systemd. |
# |
# systemd is free software; you can redistribute it and/or modify it |
# under the terms of the GNU General Public License as published by |
# the Free Software Foundation; either version 2 of the License, or |
# (at your option) any later version. |
|
# This unit launches tinyproxy (a very light proxy). |
# The "sleep 2" is needed because the pid file isn't ready for systemd |
[Unit] |
Description=Tinyproxy Web Proxy Server |
After=network-online.target iptables.service |
|
[Service] |
Type=forking |
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy |
ExecStartPre=/bin/sleep 2 |
PIDFile=/run/tinyproxy/tinyproxy.pid |
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf |
ExecStop=/usr/bin/killall -9 tinyproxy |
[Install] |
WantedBy=multi-user.target |
EOF |
|
} # end of tinyproxy() |
|
############################################################## |
## function "ulogd" ## |
## - Ulog config for multi-log files ## |
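Review bot: `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam` targets `/etc/freshclam` rather than `/etc/freshclam.conf` used by every other line, so sed fails on a missing file and `DatabaseOwner` keeps its packaged value. Since the previous hunk chowns `/var/lib/clamav` to e2guardian (mode 775), the `clamav-freshclam` service enabled later would then likely be unable to write signature updates, leaving clamd on stale definitions; the fix is `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf`. Also note that `NotifyClamd` is commented out while clamd is now enabled, so new signatures are only picked up by clamd's periodic self-check rather than immediately — if that is intended, say so in the comment. The antivirus() function this hunk closes starts before it.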
1907,7 → 1835,7 |
fail2ban() |
{ |
/usr/bin/sh $DIR_CONF/fail2ban.sh |
# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section |
# allow reading of 2 log files (fail2ban & watchdog). |
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log |
[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log |
chmod 644 /var/log/fail2ban.log |
2112,7 → 2040,7 |
################################################################## |
post_install() |
{ |
# change the SSH banner |
# change the SSHD options |
cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh |
echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh |
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh |
2119,13 → 2047,15 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
# sshd listens on EXTIF & INTIF |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config |
# sshd authorized certificate for root login |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config |
|
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
# sshd liste on EXTIF & INTIF |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config |
# sshd authorized certificate for root login |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config |
# ALCASAR conf file |
echo "HTTPS_LOGIN=off" >> $CONF_FILE |
echo "HTTPS_CHILLI=off" >> $CONF_FILE |
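Review bot: The `PermitRootLogin` substitution only matches an uncommented directive, unlike `Banner` a few lines above, which is handled in both `^Banner` and `^#Banner` forms; on a stock `sshd_config` where the directive ships commented out, the sed is a no-op and the compiled-in default applies instead of the intended key-only policy. Add the matching `$SED "s?^#PermitRootLogin.*?PermitRootLogin prohibit-password?g" /etc/ssh/sshd_config`, and prefer `prohibit-password` over `without-password`, which OpenSSH keeps only as a deprecated alias. The `X11Forwarding` line turns the directive into a comment (`#X11Forwarding yes`) and so relies on the default; an explicit `X11Forwarding no` documents the intent. post_install() extends beyond this hunk.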
2196,7 → 2126,7 |
EOF |
/usr/bin/systemctl daemon-reload |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd |
do |
/usr/bin/systemctl -q enable $i.service |
done |
2241,7 → 2171,7 |
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM |
if [ $vm_vga == 0 ] # is not a VM |
then |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art |
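Review bot: The VM detection line uses backticks, the deprecated `egrep`, and an unquoted `$vm_vga` inside `[ ]` with the string comparison `==`; a more robust form is `vm_vga=$(lsmod | grep -Ec 'virtio|vmwgfx|vbox')` followed by `if [ "$vm_vga" -eq 0 ]`. Also note the new `vbox` pattern matches any loaded module whose name contains it (e.g. guest additions), which is probably the intent but is broader than the other two entries. post_install() extends beyond this hunk.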
2425,7 → 2355,7 |
fi |
mode="update" |
fi |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |