Subversion Repositories ALCASAR

Rev

Rev 2290 | Rev 2304 | Go to most recent revision | Only display areas with differences | Regard whitespace | Details | Blame | Last modification | View Log

Rev 2290 Rev 2293
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2290 2017-06-20 10:00:17Z richard $ 
2
#  $Id: alcasar.sh 2293 2017-06-20 15:31:12Z tom.houdayer $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
12
 
12
 
13
#  team@alcasar.net
13
#  team@alcasar.net
14
 
14
 
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
16
# This script is distributed under the Gnu General Public License (GPL)
16
# This script is distributed under the Gnu General Public License (GPL)
17
 
17
 
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
23
 
23
 
24
# Options :
24
# Options :
25
#       -i or --install
25
#       -i or --install
26
#       -u or --uninstall
26
#       -u or --uninstall
27
 
27
 
28
# Functions :
28
# Functions :
29
#	testing			: connectivity tests, free space test and mageia version test
29
#	testing			: connectivity tests, free space test and mageia version test
30
#	init			: Installation of RPM and scripts
30
#	init			: Installation of RPM and scripts
31
#	network			: Network parameters
31
#	network			: Network parameters
32
#	ACC			: ALCASAR Control Center installation
32
#	ACC			: ALCASAR Control Center installation
33
#	CA			: Certification Authority initialization
33
#	CA			: Certification Authority initialization
34
#	time_server		: NTPd configuration
34
#	time_server		: NTPd configuration
35
#	init_db			: Initilization of radius database managed with MariaDB
35
#	init_db			: Initilization of radius database managed with MariaDB
36
#	radius			: FreeRadius initialisation
36
#	radius			: FreeRadius initialisation
37
#	chilli			: coovachilli initialisation (+authentication page)
37
#	chilli			: coovachilli initialisation (+authentication page)
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
39
#	antivirus		: HAVP + libclamav configuration
39
#	antivirus		: HAVP + libclamav configuration
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
42
#	nfsen		:	: Configuration of Nfsen Netflow grapher 
42
#	nfsen		:	: Configuration of Nfsen Netflow grapher 
43
#	dnsmasq			: Name server configuration
43
#	dnsmasq			: Name server configuration
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	msec			: Mandriva security package configuration
49
#	msec			: Mandriva security package configuration
50
#	post_install		: Security, log rotation, etc.
50
#	post_install		: Security, log rotation, etc.
51
 
51
 
52
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
54
Lang=`echo $LANG|cut -c 1-2`
54
Lang=`echo $LANG|cut -c 1-2`
55
mode="install"
55
mode="install"
56
# ******* Files parameters - paramètres fichiers *********
56
# ******* Files parameters - paramètres fichiers *********
57
DIR_INSTALL=`pwd`				# current directory 
57
DIR_INSTALL=`pwd`				# current directory 
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
61
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
61
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
62
DIR_WEB="/var/www/html"				# directory of APACHE
62
DIR_WEB="/var/www/html"				# directory of APACHE
63
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
63
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
64
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
64
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
# ******* DBMS parameters - paramètres SGBD ********
70
# ******* DBMS parameters - paramètres SGBD ********
71
DB_RADIUS="radius"				# database name used by FreeRadius server
71
DB_RADIUS="radius"				# database name used by FreeRadius server
72
DB_USER="radius"				# user name allows to request the users database
72
DB_USER="radius"				# user name allows to request the users database
73
DB_GAMMU="gammu"				# database name used by Gammu-smsd
73
DB_GAMMU="gammu"				# database name used by Gammu-smsd
74
# ******* Network parameters - paramètres réseau *******
74
# ******* Network parameters - paramètres réseau *******
75
HOSTNAME="alcasar"				# default hostname
75
HOSTNAME="alcasar"				# default hostname
76
DOMAIN="localdomain"				# default local domain
76
DOMAIN="localdomain"				# default local domain
77
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
78
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
79
MTU="1500"
79
MTU="1500"
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
# ****** Paths - chemin des commandes *******
81
# ****** Paths - chemin des commandes *******
82
SED="/bin/sed -i"
82
SED="/bin/sed -i"
83
# ****************** End of global parameters *********************
83
# ****************** End of global parameters *********************
84
 
84
 
85
license ()
85
license ()
86
{
86
{
87
	if [ $Lang == "fr" ]
87
	if [ $Lang == "fr" ]
88
	then
88
	then
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
	else
90
	else
91
		cat $DIR_INSTALL/gpl-warning.txt | more
91
		cat $DIR_INSTALL/gpl-warning.txt | more
92
	fi
92
	fi
93
	response=0
93
	response=0
94
	PTN='^[oOyYnN]$'
94
	PTN='^[oOyYnN]$'
95
	until [[ $(expr $response : $PTN) -gt 0 ]]
95
	until [[ $(expr $response : $PTN) -gt 0 ]]
96
	do
96
	do
97
		if [ $Lang == "fr" ]
97
		if [ $Lang == "fr" ]
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
100
		fi
100
		fi
101
		read response
101
		read response
102
	done
102
	done
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
104
	then
104
	then
105
		exit 1
105
		exit 1
106
	fi
106
	fi
107
}
107
}
108
 
108
 
109
header_install ()
109
header_install ()
110
{
110
{
111
	clear
111
	clear
112
	echo "-----------------------------------------------------------------------------"
112
	echo "-----------------------------------------------------------------------------"
113
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "-----------------------------------------------------------------------------"
115
	echo "-----------------------------------------------------------------------------"
116
}
116
}
117
 
117
 
118
##################################################################
118
##################################################################
119
##			Function "testing"			##
119
##			Function "testing"			##
120
## - Test of Mageia version					##
120
## - Test of Mageia version					##
121
## - Test of ALCASAR version (if already installed)		##
121
## - Test of ALCASAR version (if already installed)		##
122
## - Test of free space on /var  (>10G)				##
122
## - Test of free space on /var  (>10G)				##
123
## - Test of Internet access					##
123
## - Test of Internet access					##
124
##################################################################
124
##################################################################
125
testing ()
125
testing ()
126
{
126
{
127
# Test of Mageia version
127
# Test of Mageia version
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
	fic=`cat /etc/product.id`
129
	fic=`cat /etc/product.id`
130
	unknown_os=0
130
	unknown_os=0
131
	old="$IFS"
131
	old="$IFS"
132
	IFS=","
132
	IFS=","
133
	set $fic
133
	set $fic
134
	for i in $*
134
	for i in $*
135
	do
135
	do
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
			then 
137
			then 
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
			unknown_os=`expr $unknown_os + 1`
139
			unknown_os=`expr $unknown_os + 1`
140
		fi
140
		fi
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
			then 
142
			then 
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
			unknown_os=`expr $unknown_os + 1`
144
			unknown_os=`expr $unknown_os + 1`
145
		fi
145
		fi
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
			then 
147
			then 
148
			ARCH=`echo $i|cut -d"=" -f2`
148
			ARCH=`echo $i|cut -d"=" -f2`
149
			unknown_os=`expr $unknown_os + 1`
149
			unknown_os=`expr $unknown_os + 1`
150
		fi
150
		fi
151
	done
151
	done
152
	if [ "$ARCH" == "i586" ]
152
	if [ "$ARCH" == "i586" ]
153
		then
153
		then
154
		if [ $Lang == "fr" ]
154
		if [ $Lang == "fr" ]
155
			then echo -n "Votre architecture matérielle doit être en 64bits"
155
			then echo -n "Votre architecture matérielle doit être en 64bits"
156
			else echo -n "You hardware architecture must be 64bits"
156
			else echo -n "You hardware architecture must be 64bits"
157
			exit 0
157
			exit 0
158
		fi
158
		fi
159
	fi
159
	fi
160
	IFS="$old"
160
	IFS="$old"
161
# Test if ALCASAR is already installed
161
# Test if ALCASAR is already installed
162
	if [ -e $CONF_FILE ]
162
	if [ -e $CONF_FILE ]
163
	then
163
	then
164
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
164
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
165
		if [ $Lang == "fr" ]
165
		if [ $Lang == "fr" ]
166
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
166
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
167
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
167
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
168
		fi
168
		fi
169
		response=0
169
		response=0
170
		PTN='^[oOnNyY]$'
170
		PTN='^[oOnNyY]$'
171
		until [[ $(expr $response : $PTN) -gt 0 ]]
171
		until [[ $(expr $response : $PTN) -gt 0 ]]
172
		do
172
		do
173
			if [ $Lang == "fr" ]
173
			if [ $Lang == "fr" ]
174
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
174
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
175
				else echo -n "Do you want to update (Y/n)?";
175
				else echo -n "Do you want to update (Y/n)?";
176
			 fi
176
			 fi
177
			read response
177
			read response
178
		done
178
		done
179
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
179
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
180
		then
180
		then
181
			rm -f /tmp/alcasar-conf*
181
			rm -f /tmp/alcasar-conf*
182
		else
182
		else
183
# Retrieve former NICname
183
# Retrieve former NICname
184
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
184
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
185
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
185
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
186
# Create the current conf file
186
# Create the current conf file
187
			$DIR_SCRIPTS/alcasar-conf.sh --create
187
			$DIR_SCRIPTS/alcasar-conf.sh --create
188
			mode="update"
188
			mode="update"
189
		fi
189
		fi
190
	fi
190
	fi
191
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
191
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
192
		then
192
		then
193
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
193
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
194
			then
194
			then
195
			echo
195
			echo
196
			if [ $Lang == "fr" ]
196
			if [ $Lang == "fr" ]
197
				then	
197
				then	
198
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
198
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
199
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
199
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
200
				echo "2 - Installez Linux-Mageia 5.1-64bits et ALCASAR (cf. doc d'installation)"
200
				echo "2 - Installez Linux-Mageia 5.1-64bits et ALCASAR (cf. doc d'installation)"
201
				echo "3 - Importez votre base des usagers"
201
				echo "3 - Importez votre base des usagers"
202
			else
202
			else
203
				echo "The automatic update of ALCASAR can't be performed."
203
				echo "The automatic update of ALCASAR can't be performed."
204
				echo "1 - Save your traceability files and the user database"
204
				echo "1 - Save your traceability files and the user database"
205
				echo "2 - Install Linux-Mageia 5.1-64bits & ALCASAR (cf. installation doc)"
205
				echo "2 - Install Linux-Mageia 5.1-64bits & ALCASAR (cf. installation doc)"
206
				echo "3 - Import your users database"
206
				echo "3 - Import your users database"
207
			fi
207
			fi
208
		else
208
		else
209
			if [ $Lang == "fr" ]
209
			if [ $Lang == "fr" ]
210
				then	
210
				then	
211
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
211
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
212
			else
212
			else
213
				echo "The installation of ALCASAR can't be performed."
213
				echo "The installation of ALCASAR can't be performed."
214
			fi
214
			fi
215
		fi
215
		fi
216
		echo
216
		echo
217
		if [ $Lang == "fr" ]
217
		if [ $Lang == "fr" ]
218
			then	
218
			then	
219
			echo "Le système d'exploitation doit être remplacé (Mageia5.1-64bits)"
219
			echo "Le système d'exploitation doit être remplacé (Mageia5.1-64bits)"
220
		else
220
		else
221
			echo "The OS must be replaced (Mageia5.1-64bits)"
221
			echo "The OS must be replaced (Mageia5.1-64bits)"
222
		fi
222
		fi
223
		exit 0
223
		exit 0
224
	fi
224
	fi
225
	if [ ! -d /var/log/netflow/porttracker ]
225
	if [ ! -d /var/log/netflow/porttracker ]
226
		then
226
		then
227
# Test free space on /var
227
# Test free space on /var
228
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
228
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
229
		if [ $free_space -lt 10 ]
229
		if [ $free_space -lt 10 ]
230
			then
230
			then
231
			if [ $Lang == "fr" ]
231
			if [ $Lang == "fr" ]
232
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
232
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
233
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
233
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
234
			fi
234
			fi
235
		exit 0
235
		exit 0
236
		fi
236
		fi
237
	fi
237
	fi
238
	if [ $Lang == "fr" ]
238
	if [ $Lang == "fr" ]
239
		then echo -n "Tests des paramètres réseau : "
239
		then echo -n "Tests des paramètres réseau : "
240
		else echo -n "Network parameters tests : "
240
		else echo -n "Network parameters tests : "
241
	fi
241
	fi
242
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
242
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
243
	cd /etc/sysconfig/network-scripts/
243
	cd /etc/sysconfig/network-scripts/
244
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
244
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
245
	for i in $IF_INTERFACES
245
	for i in $IF_INTERFACES
246
	do
246
	do
247
		IP_INTERFACE=`/usr/sbin/ip link|grep $i`	
247
		IP_INTERFACE=`/usr/sbin/ip link|grep $i`	
248
		if [ -z "$IP_INTERFACE" ]
248
		if [ -z "$IP_INTERFACE" ]
249
		then
249
		then
250
			rm -f ifcfg-$i
250
			rm -f ifcfg-$i
251
			
251
			
252
			if [ $Lang == "fr" ]
252
			if [ $Lang == "fr" ]
253
				then echo "Suppression : ifcfg-$i"
253
				then echo "Suppression : ifcfg-$i"
254
				else echo "Deleting : ifcfg-$i"
254
				else echo "Deleting : ifcfg-$i"
255
			fi
255
			fi
256
		fi
256
		fi
257
	done
257
	done
258
	cd $DIR_INSTALL
258
	cd $DIR_INSTALL
259
	echo -n "."
259
	echo -n "."
260
# Test Ethernet NIC links state 
260
# Test Ethernet NIC links state 
261
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
261
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
262
	for i in $DOWN_IF
262
	for i in $DOWN_IF
263
	do
263
	do
264
		echo $i
264
		echo $i
265
		if [ $Lang == "fr" ]
265
		if [ $Lang == "fr" ]
266
		then 
266
		then 
267
			echo "Échec"
267
			echo "Échec"
268
			echo "Le lien réseau de la carte $i n'est pas actif."
268
			echo "Le lien réseau de la carte $i n'est pas actif."
269
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
269
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
270
		else
270
		else
271
			echo "Failed"
271
			echo "Failed"
272
			echo "The link state of $i interface is down."
272
			echo "The link state of $i interface is down."
273
			echo "Make sure that this network card is connected to a switch or an A.P."
273
			echo "Make sure that this network card is connected to a switch or an A.P."
274
		fi
274
		fi
275
		exit 0
275
		exit 0
276
	done
276
	done
277
	echo -n "."
277
	echo -n "."
278
# Test EXTIF config files
278
# Test EXTIF config files
279
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
279
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
280
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
280
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
281
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
281
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
282
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
282
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
283
	then
283
	then
284
		if [ $Lang == "fr" ]
284
		if [ $Lang == "fr" ]
285
		then 
285
		then 
286
			echo "Échec"
286
			echo "Échec"
287
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
287
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
288
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
288
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
289
			echo "Appliquez les changements : 'systemctl restart network'"
289
			echo "Appliquez les changements : 'systemctl restart network'"
290
		else
290
		else
291
			echo "Failed"
291
			echo "Failed"
292
			echo "The Internet connected network card ($EXTIF) isn't well configured."
292
			echo "The Internet connected network card ($EXTIF) isn't well configured."
293
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
293
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
294
			echo "Apply the new configuration 'systemctl restart network'"
294
			echo "Apply the new configuration 'systemctl restart network'"
295
		fi
295
		fi
296
		echo "DEVICE=$EXTIF"
296
		echo "DEVICE=$EXTIF"
297
		echo "IPADDR="
297
		echo "IPADDR="
298
		echo "NETMASK="
298
		echo "NETMASK="
299
		echo "GATEWAY="
299
		echo "GATEWAY="
300
		echo "DNS1="
300
		echo "DNS1="
301
		echo "DNS2="
301
		echo "DNS2="
302
		echo "ONBOOT=yes"
302
		echo "ONBOOT=yes"
303
		exit 0
303
		exit 0
304
	fi
304
	fi
305
	echo -n "."
305
	echo -n "."
306
# Test if default GW is set on EXTIF (router or ISP provider equipment)
306
# Test if default GW is set on EXTIF (router or ISP provider equipment)
307
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
307
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
308
		if [ $Lang == "fr" ]
308
		if [ $Lang == "fr" ]
309
		then 
309
		then 
310
			echo "Échec"
310
			echo "Échec"
311
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
311
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
312
			echo "Réglez ce problème puis relancez ce script."
312
			echo "Réglez ce problème puis relancez ce script."
313
		else
313
		else
314
			echo "Failed"
314
			echo "Failed"
315
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
315
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
316
			echo "Resolv this problem, then restart this script."
316
			echo "Resolv this problem, then restart this script."
317
		fi
317
		fi
318
		exit 0
318
		exit 0
319
	fi
319
	fi
320
	echo -n "."
320
	echo -n "."
321
# Test if default GW is alive
321
# Test if default GW is alive
322
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
322
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
323
	if [ $(expr $arp_reply) -eq 0 ]
323
	if [ $(expr $arp_reply) -eq 0 ]
324
	       	then
324
	       	then
325
		if [ $Lang == "fr" ]
325
		if [ $Lang == "fr" ]
326
		then 
326
		then 
327
			echo "Échec"
327
			echo "Échec"
328
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
328
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
329
			echo "Réglez ce problème puis relancez ce script."
329
			echo "Réglez ce problème puis relancez ce script."
330
		else
330
		else
331
			echo "Failed"
331
			echo "Failed"
332
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
332
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
333
			echo "Resolv this problem, then restart this script."
333
			echo "Resolv this problem, then restart this script."
334
		fi
334
		fi
335
		exit 0
335
		exit 0
336
	fi
336
	fi
337
	echo -n "."
337
	echo -n "."
338
# Test Internet connectivity
338
# Test Internet connectivity
339
	rm -rf /tmp/con_ok.html
339
	rm -rf /tmp/con_ok.html
340
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
340
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
341
	if [ ! -e /tmp/con_ok.html ]
341
	if [ ! -e /tmp/con_ok.html ]
342
	then
342
	then
343
		if [ $Lang == "fr" ]
343
		if [ $Lang == "fr" ]
344
		then 
344
		then 
345
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
345
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
346
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
346
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
347
			echo "Vérifiez la validité des adresses IP des DNS."
347
			echo "Vérifiez la validité des adresses IP des DNS."
348
		else
348
		else
349
			echo "The Internet connection try failed (google.fr)."
349
			echo "The Internet connection try failed (google.fr)."
350
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
350
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
351
			echo "Verify the DNS IP addresses"
351
			echo "Verify the DNS IP addresses"
352
		fi
352
		fi
353
		exit 0
353
		exit 0
354
	fi
354
	fi
355
	rm -rf /tmp/con_ok.html
355
	rm -rf /tmp/con_ok.html
356
	echo ". : ok"
356
	echo ". : ok"
357
} # end of testing ()
357
} # end of testing ()
358
 
358
 
359
##################################################################
359
##################################################################
360
##			Function "init"				##
360
##			Function "init"				##
361
## - Création du fichier "/root/ALCASAR_parametres.tx		##
361
## - Création du fichier "/root/ALCASAR_parametres.tx		##
362
## - Installation et modification des scripts du portail	##
362
## - Installation et modification des scripts du portail	##
363
##################################################################
363
##################################################################
364
init ()
364
init ()
365
{
365
{
366
	if [ "$mode" != "update" ]
366
	if [ "$mode" != "update" ]
367
	then
367
	then
368
# On affecte le nom d'organisme
368
# On affecte le nom d'organisme
369
		header_install
369
		header_install
370
		ORGANISME=!
370
		ORGANISME=!
371
		PTN='^[a-zA-Z0-9-]*$'
371
		PTN='^[a-zA-Z0-9-]*$'
372
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
372
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
373
                do
373
                do
374
			if [ $Lang == "fr" ]
374
			if [ $Lang == "fr" ]
375
			       	then echo -n "Entrez le nom de votre organisme : "
375
			       	then echo -n "Entrez le nom de votre organisme : "
376
				else echo -n "Enter the name of your organism : "
376
				else echo -n "Enter the name of your organism : "
377
			fi
377
			fi
378
			read ORGANISME
378
			read ORGANISME
379
			if [ "$ORGANISME" == "" ]
379
			if [ "$ORGANISME" == "" ]
380
				then
380
				then
381
				ORGANISME=!
381
				ORGANISME=!
382
			fi
382
			fi
383
		done
383
		done
384
	fi
384
	fi
385
# On crée aléatoirement les mots de passe et les secrets partagés
385
# On crée aléatoirement les mots de passe et les secrets partagés
386
	rm -f $PASSWD_FILE
386
	rm -f $PASSWD_FILE
387
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
387
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
388
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
388
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
389
	echo "$grubpwd" >> $PASSWD_FILE
389
	echo "$grubpwd" >> $PASSWD_FILE
390
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
390
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
391
	$SED "/^password.*/d" /boot/grub/menu.lst
391
	$SED "/^password.*/d" /boot/grub/menu.lst
392
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
392
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
393
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
393
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
394
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
394
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
395
	echo "root / $mysqlpwd" >> $PASSWD_FILE
395
	echo "root / $mysqlpwd" >> $PASSWD_FILE
396
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
396
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
397
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
397
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
398
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
398
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
399
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
399
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
400
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
400
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
401
	echo "$secretuam" >> $PASSWD_FILE
401
	echo "$secretuam" >> $PASSWD_FILE
402
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
402
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
403
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
403
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
404
	echo "$secretradius" >> $PASSWD_FILE
404
	echo "$secretradius" >> $PASSWD_FILE
405
	chmod 640 $PASSWD_FILE
405
	chmod 640 $PASSWD_FILE
406
#  copy scripts in in /usr/local/bin
406
#  copy scripts in in /usr/local/bin
407
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
407
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
408
#  copy conf files in /usr/local/etc
408
#  copy conf files in /usr/local/etc
409
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
409
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
410
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
410
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
411
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
411
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
412
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
412
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
413
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
413
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
414
# generate central conf file
414
# generate central conf file
415
	cat <<EOF > $CONF_FILE
415
	cat <<EOF > $CONF_FILE
416
##########################################
416
##########################################
417
##                                      ##
417
##                                      ##
418
##          ALCASAR Parameters          ##
418
##          ALCASAR Parameters          ##
419
##                                      ##
419
##                                      ##
420
##########################################
420
##########################################
421
 
421
 
422
INSTALL_DATE=$DATE
422
INSTALL_DATE=$DATE
423
VERSION=$VERSION
423
VERSION=$VERSION
424
ORGANISM=$ORGANISME
424
ORGANISM=$ORGANISME
425
HOSTNAME=$HOSTNAME
425
HOSTNAME=$HOSTNAME
426
DOMAIN=$DOMAIN
426
DOMAIN=$DOMAIN
427
EOF
427
EOF
428
	chmod o-rwx $CONF_FILE
428
	chmod o-rwx $CONF_FILE
429
} # End of init ()
429
} # End of init ()
430
 
430
 
431
##################################################################
431
##################################################################
432
##			Function "network"			##
432
##			Function "network"			##
433
## - Définition du plan d'adressage du réseau de consultation	##
433
## - Définition du plan d'adressage du réseau de consultation	##
434
## - Nommage DNS du système 					##
434
## - Nommage DNS du système 					##
435
## - Configuration de l'interface INTIF (réseau de consultation)##
435
## - Configuration de l'interface INTIF (réseau de consultation)##
436
## - Modification du fichier /etc/hosts				##
436
## - Modification du fichier /etc/hosts				##
437
## - Renseignement des fichiers hosts.allow et hosts.deny	##
437
## - Renseignement des fichiers hosts.allow et hosts.deny	##
438
##################################################################
438
##################################################################
439
network ()
439
network ()
440
{
440
{
441
	header_install
441
	header_install
442
	if [ "$mode" != "update" ]
442
	if [ "$mode" != "update" ]
443
		then
443
		then
444
		if [ $Lang == "fr" ]
444
		if [ $Lang == "fr" ]
445
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
445
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
446
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
446
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
447
		fi
447
		fi
448
		response=0
448
		response=0
449
		PTN='^[oOyYnN]$'
449
		PTN='^[oOyYnN]$'
450
		until [[ $(expr $response : $PTN) -gt 0 ]]
450
		until [[ $(expr $response : $PTN) -gt 0 ]]
451
		do
451
		do
452
			if [ $Lang == "fr" ]
452
			if [ $Lang == "fr" ]
453
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
453
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
454
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
454
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
455
			fi
455
			fi
456
			read response
456
			read response
457
		done
457
		done
458
		if [ "$response" = "n" ] || [ "$response" = "N" ]
458
		if [ "$response" = "n" ] || [ "$response" = "N" ]
459
		then
459
		then
460
			PRIVATE_IP_MASK="0"
460
			PRIVATE_IP_MASK="0"
461
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
461
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
462
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
462
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
463
			do
463
			do
464
				if [ $Lang == "fr" ]
464
				if [ $Lang == "fr" ]
465
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
465
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
466
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
466
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
467
				fi
467
				fi
468
				read PRIVATE_IP_MASK
468
				read PRIVATE_IP_MASK
469
			done
469
			done
470
		else
470
		else
471
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
471
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
472
		fi
472
		fi
473
	else
473
	else
474
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
474
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
475
		rm -rf conf/etc/alcasar.conf
475
		rm -rf conf/etc/alcasar.conf
476
	fi
476
	fi
477
# Define LAN side global parameters
477
# Define LAN side global parameters
478
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
478
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
479
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
479
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
480
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
480
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
481
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
481
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
482
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
482
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
483
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
483
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
484
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
484
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
485
		then
485
		then
486
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
486
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
487
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
487
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
488
	fi	
488
	fi	
489
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
489
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
490
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
490
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
491
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
491
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
492
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
492
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
493
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
493
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
494
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
494
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
495
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
495
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
496
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
496
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
497
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
497
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
498
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
498
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
499
# Define Internet parameters
499
# Define Internet parameters
500
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
500
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
501
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
501
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
502
	if [ $nb_dns == 2 ]
502
	if [ $nb_dns == 2 ]
503
		then
503
		then
504
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
504
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
505
	fi
505
	fi
506
	DNS1=${DNS1:=208.67.220.220}
506
	DNS1=${DNS1:=208.67.220.220}
507
	DNS2=${DNS2:=208.67.222.222}
507
	DNS2=${DNS2:=208.67.222.222}
508
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
508
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
509
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
509
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
510
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
510
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
511
# Wrtie the conf file
511
# Wrtie the conf file
512
	echo "EXTIF=$EXTIF" >> $CONF_FILE
512
	echo "EXTIF=$EXTIF" >> $CONF_FILE
513
	echo "INTIF=$INTIF" >> $CONF_FILE
513
	echo "INTIF=$INTIF" >> $CONF_FILE
514
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
514
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
515
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
515
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
516
 
516
 
517
	for i in $INTERFACES
517
	for i in $INTERFACES
518
	do
518
	do
519
		SUB=`echo ${i:0:2}`
519
		SUB=`echo ${i:0:2}`
520
		if [ $SUB = "wl" ]
520
		if [ $SUB = "wl" ]
521
			then WIFIF=$i
521
			then WIFIF=$i
522
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] 
522
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ] 
523
			then LANIF=$i
523
			then LANIF=$i
524
		fi
524
		fi
525
	done
525
	done
526
 
526
 
527
	if [ -n "$WIFIF" ]
527
	if [ -n "$WIFIF" ]
528
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
528
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
529
	elif [ -n "$LANIF" ]
529
	elif [ -n "$LANIF" ]
530
		then echo "LANIF=$LANIF" >> $CONF_FILE
530
		then echo "LANIF=$LANIF" >> $CONF_FILE
531
	fi
531
	fi
532
	#########################################################################################################	
532
	#########################################################################################################	
533
	
533
	
534
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
534
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
535
	if [ $IP_SETTING == "dhcp" ]
535
	if [ $IP_SETTING == "dhcp" ]
536
		then
536
		then
537
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
537
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
538
		echo "GW=dhcp" >> $CONF_FILE
538
		echo "GW=dhcp" >> $CONF_FILE
539
	else
539
	else
540
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
540
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
541
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
541
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
542
	fi
542
	fi
543
	echo "DNS1=$DNS1" >> $CONF_FILE
543
	echo "DNS1=$DNS1" >> $CONF_FILE
544
	echo "DNS2=$DNS2" >> $CONF_FILE
544
	echo "DNS2=$DNS2" >> $CONF_FILE
545
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
545
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
546
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
546
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
547
	echo "DHCP=on" >> $CONF_FILE
547
	echo "DHCP=on" >> $CONF_FILE
548
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
548
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
549
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
549
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
550
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
550
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
551
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
551
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
552
	echo "INT_DNS_IP=none" >> $CONF_FILE
552
	echo "INT_DNS_IP=none" >> $CONF_FILE
553
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
553
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
554
# network default
554
# network default
555
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
555
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
556
	cat <<EOF > /etc/sysconfig/network
556
	cat <<EOF > /etc/sysconfig/network
557
NETWORKING=yes
557
NETWORKING=yes
558
FORWARD_IPV4=true
558
FORWARD_IPV4=true
559
EOF
559
EOF
560
# /etc/hosts config
560
# /etc/hosts config
561
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
561
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
562
	cat <<EOF > /etc/hosts
562
	cat <<EOF > /etc/hosts
563
127.0.0.1	localhost
563
127.0.0.1	localhost
564
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
564
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
565
EOF
565
EOF
566
# EXTIF (Internet) config
566
# EXTIF (Internet) config
567
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
567
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
568
	if [ $IP_SETTING == "dhcp" ]
568
	if [ $IP_SETTING == "dhcp" ]
569
		then
569
		then
570
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
570
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
571
DEVICE=$EXTIF
571
DEVICE=$EXTIF
572
BOOTPROTO=dhcp
572
BOOTPROTO=dhcp
573
DNS1=127.0.0.1
573
DNS1=127.0.0.1
574
PEERDNS=no
574
PEERDNS=no
575
RESOLV_MODS=yes
575
RESOLV_MODS=yes
576
ONBOOT=yes
576
ONBOOT=yes
577
NOZEROCONF=yes
577
NOZEROCONF=yes
578
METRIC=10
578
METRIC=10
579
MII_NOT_SUPPORTED=yes
579
MII_NOT_SUPPORTED=yes
580
IPV6INIT=no
580
IPV6INIT=no
581
IPV6TO4INIT=no
581
IPV6TO4INIT=no
582
ACCOUNTING=no
582
ACCOUNTING=no
583
USERCTL=no
583
USERCTL=no
584
MTU=$MTU
584
MTU=$MTU
585
EOF
585
EOF
586
		else	
586
		else	
587
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
587
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
588
DEVICE=$EXTIF
588
DEVICE=$EXTIF
589
BOOTPROTO=static
589
BOOTPROTO=static
590
IPADDR=$PUBLIC_IP
590
IPADDR=$PUBLIC_IP
591
NETMASK=$PUBLIC_NETMASK
591
NETMASK=$PUBLIC_NETMASK
592
GATEWAY=$PUBLIC_GATEWAY
592
GATEWAY=$PUBLIC_GATEWAY
593
DNS1=127.0.0.1
593
DNS1=127.0.0.1
594
RESOLV_MODS=yes
594
RESOLV_MODS=yes
595
ONBOOT=yes
595
ONBOOT=yes
596
METRIC=10
596
METRIC=10
597
NOZEROCONF=yes
597
NOZEROCONF=yes
598
MII_NOT_SUPPORTED=yes
598
MII_NOT_SUPPORTED=yes
599
IPV6INIT=no
599
IPV6INIT=no
600
IPV6TO4INIT=no
600
IPV6TO4INIT=no
601
ACCOUNTING=no
601
ACCOUNTING=no
602
USERCTL=no
602
USERCTL=no
603
MTU=$MTU
603
MTU=$MTU
604
EOF
604
EOF
605
	fi
605
	fi
606
# Config INTIF (consultation LAN) in normal mode
606
# Config INTIF (consultation LAN) in normal mode
607
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
607
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
608
DEVICE=$INTIF
608
DEVICE=$INTIF
609
BOOTPROTO=static
609
BOOTPROTO=static
610
ONBOOT=yes
610
ONBOOT=yes
611
NOZEROCONF=yes
611
NOZEROCONF=yes
612
MII_NOT_SUPPORTED=yes
612
MII_NOT_SUPPORTED=yes
613
IPV6INIT=no
613
IPV6INIT=no
614
IPV6TO4INIT=no
614
IPV6TO4INIT=no
615
ACCOUNTING=no
615
ACCOUNTING=no
616
USERCTL=no
616
USERCTL=no
617
EOF
617
EOF
618
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
618
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
619
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
619
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
620
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
620
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
621
DEVICE=$INTIF
621
DEVICE=$INTIF
622
BOOTPROTO=static
622
BOOTPROTO=static
623
IPADDR=$PRIVATE_IP
623
IPADDR=$PRIVATE_IP
624
NETMASK=$PRIVATE_NETMASK
624
NETMASK=$PRIVATE_NETMASK
625
ONBOOT=yes
625
ONBOOT=yes
626
METRIC=10
626
METRIC=10
627
NOZEROCONF=yes
627
NOZEROCONF=yes
628
MII_NOT_SUPPORTED=yes
628
MII_NOT_SUPPORTED=yes
629
IPV6INIT=no
629
IPV6INIT=no
630
IPV6TO4INIT=no
630
IPV6TO4INIT=no
631
ACCOUNTING=no
631
ACCOUNTING=no
632
USERCTL=no
632
USERCTL=no
633
EOF
633
EOF
634
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
634
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
635
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
635
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
636
	then
636
	then
637
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
637
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
638
DEVICE=$WIFIF
638
DEVICE=$WIFIF
639
BOOTPROTO=static
639
BOOTPROTO=static
640
ONBOOT=yes
640
ONBOOT=yes
641
NOZEROCONF=yes
641
NOZEROCONF=yes
642
MII_NOT_SUPPORTED=yes
642
MII_NOT_SUPPORTED=yes
643
IPV6INIT=no
643
IPV6INIT=no
644
IPV6TO4INIT=no
644
IPV6TO4INIT=no
645
ACCOUNTING=no
645
ACCOUNTING=no
646
USERCTL=no
646
USERCTL=no
647
EOF
647
EOF
648
	elif [ -n "$LANIF" ]
648
	elif [ -n "$LANIF" ]
649
	then
649
	then
650
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
650
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
651
DEVICE=$LANIF
651
DEVICE=$LANIF
652
BOOTPROTO=static
652
BOOTPROTO=static
653
ONBOOT=yes
653
ONBOOT=yes
654
NOZEROCONF=yes
654
NOZEROCONF=yes
655
MII_NOT_SUPPORTED=yes
655
MII_NOT_SUPPORTED=yes
656
IPV6INIT=no
656
IPV6INIT=no
657
IPV6TO4INIT=no
657
IPV6TO4INIT=no
658
ACCOUNTING=no
658
ACCOUNTING=no
659
USERCTL=no
659
USERCTL=no
660
EOF
660
EOF
661
	fi
661
	fi
662
	#########################################################################################################	
662
	#########################################################################################################	
663
# Renseignement des fichiers hosts.allow et hosts.deny
663
# Renseignement des fichiers hosts.allow et hosts.deny
664
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
664
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
665
	cat <<EOF > /etc/hosts.allow
665
	cat <<EOF > /etc/hosts.allow
666
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
666
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
667
sshd: ALL
667
sshd: ALL
668
ntpd: $PRIVATE_NETWORK_SHORT
668
ntpd: $PRIVATE_NETWORK_SHORT
669
EOF
669
EOF
670
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
670
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
671
	cat <<EOF > /etc/hosts.deny
671
	cat <<EOF > /etc/hosts.deny
672
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
672
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
673
EOF
673
EOF
674
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
674
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
675
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
675
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
676
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
676
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
677
# load conntrack ftp module
677
# load conntrack ftp module
678
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
678
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
679
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
679
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
680
# load ipt_NETFLOW module
680
# load ipt_NETFLOW module
681
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
681
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
682
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
682
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
683
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
683
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
684
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
684
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
685
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
685
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
686
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
686
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
687
# 
687
# 
688
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
688
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
689
} # End of network ()
689
} # End of network ()
690
 
690
 
691
##################################################################
691
##################################################################
692
##			Function "ACC"				##
692
##			Function "ACC"				##
693
## - installation of then ALCASAR Control Center (ACC)	)	##
693
## - installation of then ALCASAR Control Center (ACC)	)	##
694
## - configuration of the web server (Apache)			##
694
## - configuration of the web server (Apache)			##
695
## - creation of the first ACC admin account 			##
695
## - creation of the first ACC admin account 			##
696
## - secure the access						##
696
## - secure the access						##
697
##################################################################
697
##################################################################
698
ACC ()
698
ACC ()
699
{
699
{
700
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
700
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
701
	mkdir $DIR_WEB
701
	mkdir $DIR_WEB
702
# Copy & adapt ACC files
702
# Copy & adapt ACC files
703
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
703
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
704
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
704
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
705
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
705
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
706
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
706
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
707
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
707
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
708
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
708
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
709
	chown -R apache:apache $DIR_WEB/*
709
	chown -R apache:apache $DIR_WEB/*
710
# copy & adapt "freeradius-web" files
710
# copy & adapt "freeradius-web" files
711
	cp -rf $DIR_CONF/freeradius-web/ /etc/
711
	cp -rf $DIR_CONF/freeradius-web/ /etc/
712
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
712
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
713
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
713
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
714
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
714
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
715
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
715
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
716
	cat <<EOF > /etc/freeradius-web/naslist.conf
716
	cat <<EOF > /etc/freeradius-web/naslist.conf
717
nas1_name: alcasar-$ORGANISME
717
nas1_name: alcasar-$ORGANISME
718
nas1_model: Network Access Controler
718
nas1_model: Network Access Controler
719
nas1_ip: $PRIVATE_IP
719
nas1_ip: $PRIVATE_IP
720
nas1_port_num: 0
720
nas1_port_num: 0
721
nas1_community: public
721
nas1_community: public
722
EOF
722
EOF
723
	chown -R apache:apache /etc/freeradius-web/
723
	chown -R apache:apache /etc/freeradius-web/
724
# create the log & backup structure :
724
# create the log & backup structure :
725
# - base = users database
725
# - base = users database
726
# - archive = tarball of "base + http firewall + netflow"
726
# - archive = tarball of "base + http firewall + netflow"
727
# - security = watchdog log
727
# - security = watchdog log
728
	for i in base archive security activity_report;
728
	for i in base archive security activity_report;
729
	do
729
	do
730
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
730
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
731
	done
731
	done
732
	chown -R root:apache $DIR_SAVE
732
	chown -R root:apache $DIR_SAVE
733
# Configuring & securing php
733
# Configuring & securing php
734
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
734
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
735
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
735
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
736
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
736
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
737
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
737
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
738
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
738
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
739
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
739
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
740
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
740
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
741
# Configuring & sécuring Apache
741
# Configuring & sécuring Apache
742
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
742
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
743
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
743
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
744
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
744
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
745
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
745
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
746
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
746
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
747
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
747
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
748
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
748
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
749
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
749
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
750
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
750
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
751
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
751
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
752
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
752
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
753
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
753
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
754
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
754
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
755
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
755
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
756
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
756
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
757
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
757
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
758
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
758
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
759
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
759
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
760
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
760
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
761
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
761
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
762
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
762
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
763
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
763
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
764
# Error page management
764
# Error page management
765
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
765
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
766
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
766
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
767
Alias /error/ "/var/www/html/"
767
Alias /error/ "/var/www/html/"
768
<Directory "/usr/share/httpd/error">
768
<Directory "/usr/share/httpd/error">
769
    AllowOverride None
769
    AllowOverride None
770
    Options IncludesNoExec
770
    Options IncludesNoExec
771
    AddOutputFilter Includes html
771
    AddOutputFilter Includes html
772
    AddHandler type-map var
772
    AddHandler type-map var
773
    Require all granted
773
    Require all granted
774
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
774
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
775
    ForceLanguagePriority Prefer Fallback
775
    ForceLanguagePriority Prefer Fallback
776
</Directory>
776
</Directory>
777
ErrorDocument 400 /error/error.php?error=400
777
ErrorDocument 400 /error/error.php?error=400
778
ErrorDocument 401 /error/error.php?error=401
778
ErrorDocument 401 /error/error.php?error=401
779
ErrorDocument 403 /error/error.php?error=403
779
ErrorDocument 403 /error/error.php?error=403
780
ErrorDocument 404 /error/index.php
780
ErrorDocument 404 /error/index.php
781
ErrorDocument 405 /error/error.php?error=405
781
ErrorDocument 405 /error/error.php?error=405
782
ErrorDocument 408 /error/error.php?error=408
782
ErrorDocument 408 /error/error.php?error=408
783
ErrorDocument 410 /error/error.php?error=410
783
ErrorDocument 410 /error/error.php?error=410
784
ErrorDocument 411 /error/error.php?error=411
784
ErrorDocument 411 /error/error.php?error=411
785
ErrorDocument 412 /error/error.php?error=412
785
ErrorDocument 412 /error/error.php?error=412
786
ErrorDocument 413 /error/error.php?error=413
786
ErrorDocument 413 /error/error.php?error=413
787
ErrorDocument 414 /error/error.php?error=414
787
ErrorDocument 414 /error/error.php?error=414
788
ErrorDocument 415 /error/error.php?error=415
788
ErrorDocument 415 /error/error.php?error=415
789
ErrorDocument 500 /error/error.php?error=500
789
ErrorDocument 500 /error/error.php?error=500
790
ErrorDocument 501 /error/error.php?error=501
790
ErrorDocument 501 /error/error.php?error=501
791
ErrorDocument 502 /error/error.php?error=502
791
ErrorDocument 502 /error/error.php?error=502
792
ErrorDocument 503 /error/error.php?error=503
792
ErrorDocument 503 /error/error.php?error=503
793
ErrorDocument 506 /error/error.php?error=506
793
ErrorDocument 506 /error/error.php?error=506
794
EOF
794
EOF
795
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
795
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
796
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
796
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
797
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
797
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
798
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
798
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
799
</body>
799
</body>
800
</html>
800
</html>
801
EOF
801
EOF
802
# Définition du premier compte lié au profil 'admin'
802
# Définition du premier compte lié au profil 'admin'
803
if [ "$mode" = "install" ]
803
	if [ "$mode" = "install" ]
804
	then
804
		then
805
		header_install
805
			header_install
806
		admin_portal=!
806
			admin_portal=!
807
		PTN='^[a-zA-Z0-9-]*$'
807
			PTN='^[a-zA-Z0-9-]*$'
808
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
808
			until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
809
                	do
809
				do
810
			header_install
810
				header_install
811
			if [ $Lang == "fr" ]
811
				if [ $Lang == "fr" ]
812
			then 
812
				then 
813
				echo ""
813
					echo ""
814
				echo "Définissez un premier compte d'administration d'ALCASAR :"
814
					echo "Définissez un premier compte d'administration d'ALCASAR :"
815
				echo
815
					echo
816
				echo -n "Nom : "
816
					echo -n "Nom : "
817
			else
817
				else
818
				echo ""
818
					echo ""
819
				echo "Define the first account allow to administrate ALCASAR :"
819
					echo "Define the first account allow to administrate ALCASAR :"
820
				echo
820
					echo
821
				echo -n "Account : "
821
					echo -n "Account : "
822
			fi
822
				fi
823
			read admin_portal
823
				read admin_portal
824
			if [ "$admin_portal" == "" ]
824
				if [ "$admin_portal" == "" ]
825
				then
825
					then
826
				admin_portal=!
826
					admin_portal=!
827
			fi
827
				fi
828
			done
828
				done
829
# Creation of keys file for the admin account ("admin")
829
# Creation of keys file for the admin account ("admin")
830
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
830
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
831
		mkdir -p $DIR_DEST_ETC/digest
831
			mkdir -p $DIR_DEST_ETC/digest
832
		chmod 755 $DIR_DEST_ETC/digest
832
			chmod 755 $DIR_DEST_ETC/digest
833
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
833
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
834
			do
834
				do
835
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
835
					/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
836
			done
836
				done
837
		$DIR_DEST_BIN/alcasar-profil.sh --list
837
			$DIR_DEST_BIN/alcasar-profil.sh --list
838
fi
838
	fi
839
# ACC partitioning
839
# ACC partitioning
840
	rm -f /etc/httpd/conf/webapps.d/alcasar*
840
	rm -f /etc/httpd/conf/webapps.d/alcasar*
841
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
841
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
-
 
842
<Directory $DIR_WEB>
-
 
843
	AllowOverride None
-
 
844
	Order deny,allow
-
 
845
	Deny from all
-
 
846
	Allow from 127.0.0.1
-
 
847
	Allow from $PRIVATE_NETWORK_MASK
-
 
848
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
849
</Directory>
-
 
850
<Directory $DIR_WEB/certs>
-
 
851
	AddType application/x-x509-ca-cert crt
-
 
852
</Directory>
842
<Directory $DIR_ACC>
853
<Directory $DIR_ACC>
843
	SSLRequireSSL
854
	SSLRequireSSL
844
	AllowOverride None
855
	AllowOverride None
845
	Order deny,allow
856
	Order deny,allow
846
	Deny from all
857
	Deny from all
847
	Allow from 127.0.0.1
858
	Allow from 127.0.0.1
848
	Allow from $PRIVATE_NETWORK_MASK
859
	Allow from $PRIVATE_NETWORK_MASK
849
	require valid-user
860
	require valid-user
850
	AuthType digest
861
	AuthType digest
851
	AuthName "ALCASAR Control Center (ACC)" 
862
	AuthName "ALCASAR Control Center (ACC)" 
852
	AuthDigestDomain $HOSTNAME.$DOMAIN
863
	AuthDigestDomain $HOSTNAME.$DOMAIN
853
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
864
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
854
	AuthUserFile $DIR_DEST_ETC/digest/key_all
865
	AuthUserFile $DIR_DEST_ETC/digest/key_all
855
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
866
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
856
</Directory>
867
</Directory>
857
<Directory $DIR_ACC/admin>
868
<Directory $DIR_ACC/admin>
858
	SSLRequireSSL
869
	SSLRequireSSL
859
	AllowOverride None
870
	AllowOverride None
860
	Order deny,allow
871
	Order deny,allow
861
	Deny from all
872
	Deny from all
862
	Allow from 127.0.0.1
873
	Allow from 127.0.0.1
863
	Allow from $PRIVATE_NETWORK_MASK
874
	Allow from $PRIVATE_NETWORK_MASK
864
	require valid-user
875
	require valid-user
865
	AuthType digest
876
	AuthType digest
866
	AuthName "ALCASAR Control Center (ACC)" 
877
	AuthName "ALCASAR Control Center (ACC)" 
867
	AuthDigestDomain $HOSTNAME.$DOMAIN
878
	AuthDigestDomain $HOSTNAME.$DOMAIN
868
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
879
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
869
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
880
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
870
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
881
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
871
</Directory>
882
</Directory>
872
<Directory $DIR_ACC/manager>
883
<Directory $DIR_ACC/manager>
873
	SSLRequireSSL
884
	SSLRequireSSL
874
	AllowOverride None
885
	AllowOverride None
875
	Order deny,allow
886
	Order deny,allow
876
	Deny from all
887
	Deny from all
877
	Allow from 127.0.0.1
888
	Allow from 127.0.0.1
878
	Allow from $PRIVATE_NETWORK_MASK
889
	Allow from $PRIVATE_NETWORK_MASK
879
	require valid-user
890
	require valid-user
880
	AuthType digest
891
	AuthType digest
881
	AuthName "ALCASAR Control Center (ACC)" 
892
	AuthName "ALCASAR Control Center (ACC)" 
882
	AuthDigestDomain $HOSTNAME.$DOMAIN
893
	AuthDigestDomain $HOSTNAME.$DOMAIN
883
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
894
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
884
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
895
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
885
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
896
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
886
</Directory>
897
</Directory>
887
<Directory $DIR_ACC/backup>
898
<Directory $DIR_ACC/backup>
888
	SSLRequireSSL
899
	SSLRequireSSL
889
	AllowOverride None
900
	AllowOverride None
890
	Order deny,allow
901
	Order deny,allow
891
	Deny from all
902
	Deny from all
892
	Allow from 127.0.0.1
903
	Allow from 127.0.0.1
893
	Allow from $PRIVATE_NETWORK_MASK
904
	Allow from $PRIVATE_NETWORK_MASK
894
	require valid-user
905
	require valid-user
895
	AuthType digest
906
	AuthType digest
896
	AuthName "ALCASAR Control Center (ACC)" 
907
	AuthName "ALCASAR Control Center (ACC)" 
897
	AuthDigestDomain $HOSTNAME.$DOMAIN
908
	AuthDigestDomain $HOSTNAME.$DOMAIN
898
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
909
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
899
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
910
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
900
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
911
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
901
</Directory>
912
</Directory>
902
Alias /save/ "$DIR_SAVE/"
913
Alias /save/ "$DIR_SAVE/"
903
<Directory $DIR_SAVE>
914
<Directory $DIR_SAVE>
904
	SSLRequireSSL
915
	SSLRequireSSL
905
	Options Indexes
916
	Options Indexes
906
	Order deny,allow
917
	Order deny,allow
907
	Deny from all
918
	Deny from all
908
	Allow from 127.0.0.1
919
	Allow from 127.0.0.1
909
	Allow from $PRIVATE_NETWORK_MASK
920
	Allow from $PRIVATE_NETWORK_MASK
910
	require valid-user
921
	require valid-user
911
	AuthType digest
922
	AuthType digest
912
	AuthName "ALCASAR Control Center (ACC)" 
923
	AuthName "ALCASAR Control Center (ACC)" 
913
	AuthDigestDomain $HOSTNAME.$DOMAIN
924
	AuthDigestDomain $HOSTNAME.$DOMAIN
914
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
925
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
915
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
926
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
916
</Directory>
927
</Directory>
917
EOF
928
EOF
918
# Replacement of the extension .cer by .der in MIME type
-
 
919
$SED "s?^application/pkix-cert.*?application/pkix-cert		der?g" /etc/mime.types
-
 
920
# Launch after coova (in order to wait tun0 to be up)
929
	# Launch after coova (in order to wait tun0 to be up)
921
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
930
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
922
# Log file for ACC access imputability
931
	# Log file for ACC access imputability
923
[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
932
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
924
chown root:apache /var/Save/security/acc_access.log
933
	chown root:apache /var/Save/security/acc_access.log
925
chmod 664 /var/Save/security/acc_access.log
934
	chmod 664 /var/Save/security/acc_access.log
926
} # End of ACC ()
935
} # End of ACC ()
927
 
936
 
928
##########################################################################
937
##########################################################################
929
##				Fonction "CA"				##
938
##				Fonction "CA"				##
930
## - Creating the CA and the server certificate (apache)	 	##
939
## - Creating the CA and the server certificate (apache)	 	##
931
##########################################################################
940
##########################################################################
932
CA ()
941
CA ()
933
{
942
{
934
	$DIR_DEST_BIN/alcasar-CA.sh
943
	$DIR_DEST_BIN/alcasar-CA.sh
935
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
944
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
936
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
945
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
937
	cat <<EOF > $FIC_VIRTUAL_SSL
946
	cat <<EOF > $FIC_VIRTUAL_SSL
938
# default SSL virtual host, used for all HTTPS requests that do not
947
# default SSL virtual host, used for all HTTPS requests that do not
939
# match a ServerName or ServerAlias in any <VirtualHost> block.
948
# match a ServerName or ServerAlias in any <VirtualHost> block.
940
 
949
 
941
<VirtualHost _default_:443>
950
<VirtualHost _default_:443>
942
# general configuration
951
# general configuration
943
    ServerAdmin root@localhost
952
    ServerAdmin root@localhost
944
    ServerName $HOSTNAME.$DOMAIN
953
    ServerName $HOSTNAME.$DOMAIN
945
 
954
 
946
# SSL configuration
955
# SSL configuration
947
    SSLEngine on
956
    SSLEngine on
948
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
957
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
949
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
958
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
950
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
959
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
951
    CustomLog logs/ssl_request_log \
960
    CustomLog logs/ssl_request_log \
952
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
961
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
953
    ErrorLog logs/ssl_error_log
962
    ErrorLog logs/ssl_error_log
954
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
963
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
955
</VirtualHost>
964
</VirtualHost>
956
EOF
965
EOF
957
	chown -R root:apache /etc/pki
966
	chown -R root:apache /etc/pki
958
	chmod -R 750 /etc/pki
967
	chmod -R 750 /etc/pki
959
} # End of CA ()
968
} # End of CA ()
960
 
969
 
961
##################################################################
970
##################################################################
962
##			Function "time_server"			##
971
##			Function "time_server"			##
963
## - Configuring NTP server					##
972
## - Configuring NTP server					##
964
##################################################################
973
##################################################################
965
time_server ()
974
time_server ()
966
{
975
{
967
# Set the Internet time server
976
# Set the Internet time server
968
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
977
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
969
	cat <<EOF > /etc/ntp/step-tickers
978
	cat <<EOF > /etc/ntp/step-tickers
970
0.fr.pool.ntp.org	# adapt to your country
979
0.fr.pool.ntp.org	# adapt to your country
971
1.fr.pool.ntp.org
980
1.fr.pool.ntp.org
972
2.fr.pool.ntp.org
981
2.fr.pool.ntp.org
973
EOF
982
EOF
974
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
983
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
975
	cat <<EOF > /etc/ntp.conf
984
	cat <<EOF > /etc/ntp.conf
976
server 0.fr.pool.ntp.org	# adapt to your country
985
server 0.fr.pool.ntp.org	# adapt to your country
977
server 1.fr.pool.ntp.org
986
server 1.fr.pool.ntp.org
978
server 2.fr.pool.ntp.org
987
server 2.fr.pool.ntp.org
979
server 127.127.1.0   		# local clock si NTP internet indisponible ...
988
server 127.127.1.0   		# local clock si NTP internet indisponible ...
980
fudge 127.127.1.0 stratum 10
989
fudge 127.127.1.0 stratum 10
981
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
990
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
982
restrict 127.0.0.1
991
restrict 127.0.0.1
983
driftfile /var/lib/ntp/drift
992
driftfile /var/lib/ntp/drift
984
logfile /var/log/ntp.log
993
logfile /var/log/ntp.log
985
disable monitor
994
disable monitor
986
EOF
995
EOF
987
	chown -R ntp:ntp /var/lib/ntp
996
	chown -R ntp:ntp /var/lib/ntp
988
# Synchronize now
997
# Synchronize now
989
	ntpd -q -g &
998
	ntpd -q -g &
990
} # End of time_server ()
999
} # End of time_server ()
991
 
1000
 
992
##########################################################################################
1001
##########################################################################################
993
##			Fonction "init_db"						##
1002
##			Fonction "init_db"						##
994
## - Initialisation de la base Mysql							##
1003
## - Initialisation de la base Mysql							##
995
## - Affectation du mot de passe de l'administrateur (root)				##
1004
## - Affectation du mot de passe de l'administrateur (root)				##
996
## - Suppression des bases et des utilisateurs superflus				##
1005
## - Suppression des bases et des utilisateurs superflus				##
997
## - Création de la base 'radius'							##
1006
## - Création de la base 'radius'							##
998
## - Installation du schéma de cette base						##
1007
## - Installation du schéma de cette base						##
999
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
1008
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
1000
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
1009
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
1001
##########################################################################################
1010
##########################################################################################
1002
init_db ()
1011
init_db ()
1003
{
1012
{
1004
	if [ `systemctl is-active mysqld` == "active" ]
1013
	if [ `systemctl is-active mysqld` == "active" ]
1005
	then
1014
	then
1006
		systemctl stop mysqld
1015
		systemctl stop mysqld
1007
	fi
1016
	fi
1008
	rm -rf /var/lib/mysql # to be sure that there is no former installation
1017
	rm -rf /var/lib/mysql # to be sure that there is no former installation
1009
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
1018
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
1010
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
1019
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
1011
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1020
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1012
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
1021
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
1013
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
1022
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
1014
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
1023
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
1015
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
1024
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
1016
	/usr/bin/systemctl start mysqld.service
1025
	/usr/bin/systemctl start mysqld.service
1017
	nb_round=1
1026
	nb_round=1
1018
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
1027
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
1019
	do
1028
	do
1020
		nb_round=`expr $nb_round + 1`
1029
		nb_round=`expr $nb_round + 1`
1021
		sleep 2
1030
		sleep 2
1022
	done
1031
	done
1023
	if [ ! -S /var/lib/mysql/mysql.sock ]
1032
	if [ ! -S /var/lib/mysql/mysql.sock ]
1024
	then
1033
	then
1025
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
1034
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
1026
		exit
1035
		exit
1027
	fi
1036
	fi
1028
	mysqladmin -u root password $mysqlpwd
1037
	mysqladmin -u root password $mysqlpwd
1029
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1038
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1030
# Secure the server
1039
# Secure the server
1031
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
1040
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
1032
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
1041
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
1033
# Create 'radius' database
1042
# Create 'radius' database
1034
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
1043
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
1035
# Add an empty radius database structure
1044
# Add an empty radius database structure
1036
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
1045
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
1037
# modify the start script in order to close accounting connexion when the system is comming down or up
1046
# modify the start script in order to close accounting connexion when the system is comming down or up
1038
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1047
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1039
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
1048
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
1040
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1049
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1041
	/usr/bin/systemctl daemon-reload
1050
	/usr/bin/systemctl daemon-reload
1042
} # End of init_db ()
1051
} # End of init_db ()
1043
 
1052
 
1044
##########################################################################
1053
##########################################################################
1045
##			Fonction "radius"				##
1054
##			Fonction "radius"				##
1046
## - Paramètrage des fichiers de configuration FreeRadius		##
1055
## - Paramètrage des fichiers de configuration FreeRadius		##
1047
## - Affectation du secret partagé entre coova-chilli et freeradius	##
1056
## - Affectation du secret partagé entre coova-chilli et freeradius	##
1048
## - Modification de fichier de conf pour l'accès à Mysql		##
1057
## - Modification de fichier de conf pour l'accès à Mysql		##
1049
##########################################################################
1058
##########################################################################
1050
radius ()
1059
radius ()
1051
{
1060
{
1052
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1061
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1053
	chown -R radius:radius /etc/raddb
1062
	chown -R radius:radius /etc/raddb
1054
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1063
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1055
# Set radius.conf parameters
1064
# Set radius.conf parameters
1056
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
1065
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
1057
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1066
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1058
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1067
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1059
# remove the proxy function
1068
# remove the proxy function
1060
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
1069
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
1061
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1070
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1062
# remove EAP module
1071
# remove EAP module
1063
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1072
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1064
# listen on loopback (should be modified later if EAP enabled)
1073
# listen on loopback (should be modified later if EAP enabled)
1065
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1074
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1066
# enable the  SQL module (and SQL counter)
1075
# enable the  SQL module (and SQL counter)
1067
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
1076
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
1068
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1077
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1069
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1078
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1070
# only include modules for ALCASAR needs
1079
# only include modules for ALCASAR needs
1071
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1080
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1072
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
1081
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
1073
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
1082
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
1074
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
1083
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
1075
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
1084
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
1076
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1085
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1077
# remvove virtual server and copy our conf file
1086
# remvove virtual server and copy our conf file
1078
	rm -f /etc/raddb/sites-enabled/*
1087
	rm -f /etc/raddb/sites-enabled/*
1079
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1088
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1080
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1089
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1081
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1090
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1082
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1091
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1083
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1092
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1084
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1093
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1085
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1094
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1086
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1095
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1087
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1096
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1088
	cat << EOF > /etc/raddb/clients.conf
1097
	cat << EOF > /etc/raddb/clients.conf
1089
client 127.0.0.1 {
1098
client 127.0.0.1 {
1090
	secret = $secretradius
1099
	secret = $secretradius
1091
	shortname = localhost
1100
	shortname = localhost
1092
}
1101
}
1093
EOF
1102
EOF
1094
# sql.conf modification
1103
# sql.conf modification
1095
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1104
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1096
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1105
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1097
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1106
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1098
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1107
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1099
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1108
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1100
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1109
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1101
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1110
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1102
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1111
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1103
# counter.conf modification (change the Max-All-Session-Time counter)
1112
# counter.conf modification (change the Max-All-Session-Time counter)
1104
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1113
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1105
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1114
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1106
	chown -R radius:radius /etc/raddb/sql/mysql/*
1115
	chown -R radius:radius /etc/raddb/sql/mysql/*
1107
# make certain that mysql is up before radius start
1116
# make certain that mysql is up before radius start
1108
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1117
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1109
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1118
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1110
	/usr/bin/systemctl daemon-reload
1119
	/usr/bin/systemctl daemon-reload
1111
} # End radius ()
1120
} # End radius ()
1112
 
1121
 
1113
##################################################################################
1122
##################################################################################
1114
##			Fonction "chilli"					##
1123
##			Fonction "chilli"					##
1115
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1124
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1116
## - Paramètrage de la page d'authentification (intercept.php)			##
1125
## - Paramètrage de la page d'authentification (intercept.php)			##
1117
##################################################################################
1126
##################################################################################
1118
chilli ()
1127
chilli ()
1119
{
1128
{
1120
# chilli unit for systemd
1129
# chilli unit for systemd
1121
cat << EOF > /lib/systemd/system/chilli.service
1130
cat << EOF > /lib/systemd/system/chilli.service
1122
#  This file is part of systemd.
1131
#  This file is part of systemd.
1123
#
1132
#
1124
#  systemd is free software; you can redistribute it and/or modify it
1133
#  systemd is free software; you can redistribute it and/or modify it
1125
#  under the terms of the GNU General Public License as published by
1134
#  under the terms of the GNU General Public License as published by
1126
#  the Free Software Foundation; either version 2 of the License, or
1135
#  the Free Software Foundation; either version 2 of the License, or
1127
#  (at your option) any later version.
1136
#  (at your option) any later version.
1128
[Unit]
1137
[Unit]
1129
Description=chilli is a captive portal daemon
1138
Description=chilli is a captive portal daemon
1130
After=network.target
1139
After=network.target
1131
 
1140
 
1132
[Service]
1141
[Service]
1133
Type=forking
1142
Type=forking
1134
ExecStart=/usr/libexec/chilli start
1143
ExecStart=/usr/libexec/chilli start
1135
ExecStop=/usr/libexec/chilli stop
1144
ExecStop=/usr/libexec/chilli stop
1136
ExecReload=/usr/libexec/chilli reload
1145
ExecReload=/usr/libexec/chilli reload
1137
PIDFile=/var/run/chilli.pid
1146
PIDFile=/var/run/chilli.pid
1138
 
1147
 
1139
[Install]
1148
[Install]
1140
WantedBy=multi-user.target
1149
WantedBy=multi-user.target
1141
EOF
1150
EOF
1142
# init file creation
1151
# init file creation
1143
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1152
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1144
	cat <<EOF > /etc/init.d/chilli
1153
	cat <<EOF > /etc/init.d/chilli
1145
#!/bin/sh
1154
#!/bin/sh
1146
#
1155
#
1147
# chilli CoovaChilli init
1156
# chilli CoovaChilli init
1148
#
1157
#
1149
# chkconfig: 2345 65 35
1158
# chkconfig: 2345 65 35
1150
# description: CoovaChilli
1159
# description: CoovaChilli
1151
### BEGIN INIT INFO
1160
### BEGIN INIT INFO
1152
# Provides:       chilli
1161
# Provides:       chilli
1153
# Required-Start: network 
1162
# Required-Start: network 
1154
# Should-Start: 
1163
# Should-Start: 
1155
# Required-Stop:  network
1164
# Required-Stop:  network
1156
# Should-Stop: 
1165
# Should-Stop: 
1157
# Default-Start:  2 3 5
1166
# Default-Start:  2 3 5
1158
# Default-Stop:
1167
# Default-Stop:
1159
# Description:    CoovaChilli access controller
1168
# Description:    CoovaChilli access controller
1160
### END INIT INFO
1169
### END INIT INFO
1161
 
1170
 
1162
[ -f /usr/sbin/chilli ] || exit 0
1171
[ -f /usr/sbin/chilli ] || exit 0
1163
. /etc/init.d/functions
1172
. /etc/init.d/functions
1164
CONFIG=/etc/chilli.conf
1173
CONFIG=/etc/chilli.conf
1165
pidfile=/var/run/chilli.pid
1174
pidfile=/var/run/chilli.pid
1166
[ -f \$CONFIG ] || {
1175
[ -f \$CONFIG ] || {
1167
    echo "\$CONFIG Not found"
1176
    echo "\$CONFIG Not found"
1168
    exit 0
1177
    exit 0
1169
}
1178
}
1170
RETVAL=0
1179
RETVAL=0
1171
prog="chilli"
1180
prog="chilli"
1172
case \$1 in
1181
case \$1 in
1173
    start)
1182
    start)
1174
	if [ -f \$pidfile ] ; then 
1183
	if [ -f \$pidfile ] ; then 
1175
		gprintf "chilli is already running"
1184
		gprintf "chilli is already running"
1176
	else
1185
	else
1177
        	gprintf "Starting \$prog: "
1186
        	gprintf "Starting \$prog: "
1178
		rm -f /var/run/chilli* # cleaning
1187
		rm -f /var/run/chilli* # cleaning
1179
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1188
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1180
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1189
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1181
		[ -e /dev/net/tun ] || {
1190
		[ -e /dev/net/tun ] || {
1182
	    	(cd /dev; 
1191
	    	(cd /dev; 
1183
			mkdir net; 
1192
			mkdir net; 
1184
			cd net; 
1193
			cd net; 
1185
			mknod tun c 10 200)
1194
			mknod tun c 10 200)
1186
		}
1195
		}
1187
		ifconfig $INTIF 0.0.0.0
1196
		ifconfig $INTIF 0.0.0.0
1188
		/usr/sbin/ethtool -K $INTIF gro off
1197
		/usr/sbin/ethtool -K $INTIF gro off
1189
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1198
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1190
        	RETVAL=$?
1199
        	RETVAL=$?
1191
	fi
1200
	fi
1192
	;;
1201
	;;
1193
 
1202
 
1194
    reload)
1203
    reload)
1195
	killall -HUP chilli
1204
	killall -HUP chilli
1196
	;;
1205
	;;
1197
 
1206
 
1198
    restart)
1207
    restart)
1199
	\$0 stop
1208
	\$0 stop
1200
        sleep 2
1209
        sleep 2
1201
	\$0 start
1210
	\$0 start
1202
	;;
1211
	;;
1203
    
1212
    
1204
    status)
1213
    status)
1205
        status chilli
1214
        status chilli
1206
        RETVAL=0
1215
        RETVAL=0
1207
        ;;
1216
        ;;
1208
 
1217
 
1209
    stop)
1218
    stop)
1210
	if [ -f \$pidfile ] ; then  
1219
	if [ -f \$pidfile ] ; then  
1211
        	gprintf "Shutting down \$prog: "
1220
        	gprintf "Shutting down \$prog: "
1212
		killproc /usr/sbin/chilli
1221
		killproc /usr/sbin/chilli
1213
		RETVAL=\$?
1222
		RETVAL=\$?
1214
		[ \$RETVAL = 0 ] && rm -f $pidfile
1223
		[ \$RETVAL = 0 ] && rm -f $pidfile
1215
	else	
1224
	else	
1216
        	gprintf "chilli is not running"
1225
        	gprintf "chilli is not running"
1217
	fi
1226
	fi
1218
	;;
1227
	;;
1219
    
1228
    
1220
    *)
1229
    *)
1221
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1230
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1222
        exit 1
1231
        exit 1
1223
esac
1232
esac
1224
echo
1233
echo
1225
EOF
1234
EOF
1226
chmod a+x /etc/init.d/chilli
1235
chmod a+x /etc/init.d/chilli
1227
ln -s /etc/init.d/chilli /usr/libexec/chilli
1236
ln -s /etc/init.d/chilli /usr/libexec/chilli
1228
# conf file creation
1237
# conf file creation
1229
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1238
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1230
	#NTP Option configuration for DHCP
1239
	#NTP Option configuration for DHCP
1231
	#DHCP Options : rfc2132
1240
	#DHCP Options : rfc2132
1232
		#dhcp option value will be convert in hexa.
1241
		#dhcp option value will be convert in hexa.
1233
		#NTP option (or 'option 42') is like :
1242
		#NTP option (or 'option 42') is like :
1234
		#			
1243
		#			
1235
		#    Code   Len         Address 1               Address 2
1244
		#    Code   Len         Address 1               Address 2
1236
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1245
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1237
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1246
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1238
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1247
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1239
		#
1248
		#
1240
		#Code : 42 => 2a
1249
		#Code : 42 => 2a
1241
		#Len : 4 => 04
1250
		#Len : 4 => 04
1242
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1251
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1243
	cat <<EOF > /etc/chilli.conf
1252
	cat <<EOF > /etc/chilli.conf
1244
# coova config for ALCASAR
1253
# coova config for ALCASAR
1245
cmdsocket	/var/run/chilli.sock
1254
cmdsocket	/var/run/chilli.sock
1246
unixipc		chilli.$INTIF.ipc
1255
unixipc		chilli.$INTIF.ipc
1247
pidfile		/var/run/chilli.pid
1256
pidfile		/var/run/chilli.pid
1248
net		$PRIVATE_NETWORK_MASK
1257
net		$PRIVATE_NETWORK_MASK
1249
dhcpif		$INTIF
1258
dhcpif		$INTIF
1250
ethers		$DIR_DEST_ETC/alcasar-ethers
1259
ethers		$DIR_DEST_ETC/alcasar-ethers
1251
#nodynip
1260
#nodynip
1252
#statip
1261
#statip
1253
dynip		$PRIVATE_NETWORK_MASK
1262
dynip		$PRIVATE_NETWORK_MASK
1254
domain		$DOMAIN
1263
domain		$DOMAIN
1255
dns1		$PRIVATE_IP
1264
dns1		$PRIVATE_IP
1256
dns2		$PRIVATE_IP
1265
dns2		$PRIVATE_IP
1257
uamlisten	$PRIVATE_IP
1266
uamlisten	$PRIVATE_IP
1258
uamport		3990
1267
uamport		3990
1259
macauth
1268
macauth
1260
macpasswd	password
1269
macpasswd	password
1261
strictmacauth
1270
strictmacauth
1262
locationname	$HOSTNAME.$DOMAIN
1271
locationname	$HOSTNAME.$DOMAIN
1263
radiusserver1	127.0.0.1
1272
radiusserver1	127.0.0.1
1264
radiusserver2	127.0.0.1
1273
radiusserver2	127.0.0.1
1265
radiussecret	$secretradius
1274
radiussecret	$secretradius
1266
radiusauthport	1812
1275
radiusauthport	1812
1267
radiusacctport	1813
1276
radiusacctport	1813
1268
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1277
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1269
radiusnasid	$HOSTNAME.$DOMAIN
1278
radiusnasid	$HOSTNAME.$DOMAIN
1270
uamsecret	$secretuam
1279
uamsecret	$secretuam
1271
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1280
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1272
coaport		3799
1281
coaport		3799
1273
conup		$DIR_DEST_BIN/alcasar-conup.sh
1282
conup		$DIR_DEST_BIN/alcasar-conup.sh
1274
condown		$DIR_DEST_BIN/alcasar-condown.sh
1283
condown		$DIR_DEST_BIN/alcasar-condown.sh
1275
include		$DIR_DEST_ETC/alcasar-uamallowed
1284
include		$DIR_DEST_ETC/alcasar-uamallowed
1276
include		$DIR_DEST_ETC/alcasar-uamdomain
1285
include		$DIR_DEST_ETC/alcasar-uamdomain
1277
dhcpopt		2a04$PRIVATE_IP_HEXA
1286
dhcpopt		2a04$PRIVATE_IP_HEXA
1278
macup		$DIR_DEST_BIN/alcasar-macup.sh
1287
macup		$DIR_DEST_BIN/alcasar-macup.sh
1279
macdown		$DIR_DEST_BIN/alcasar-macdown.sh
1288
macdown		$DIR_DEST_BIN/alcasar-macdown.sh
1280
#dhcpgateway		none
1289
#dhcpgateway		none
1281
#dhcprelayagent		none
1290
#dhcprelayagent		none
1282
#dhcpgatewayport	none
1291
#dhcpgatewayport	none
1283
sslkeyfile	/etc/pki/tls/private/alcasar.key
1292
sslkeyfile	/etc/pki/tls/private/alcasar.key
1284
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1293
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1285
redirssl
1294
redirssl
1286
EOF
1295
EOF
1287
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1296
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1288
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1297
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1289
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1298
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1290
# create files for trusted domains and urls
1299
# create files for trusted domains and urls
1291
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1300
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1292
	chown root:apache $DIR_DEST_ETC/alcasar-*
1301
	chown root:apache $DIR_DEST_ETC/alcasar-*
1293
	chmod 660 $DIR_DEST_ETC/alcasar-*
1302
	chmod 660 $DIR_DEST_ETC/alcasar-*
1294
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1303
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1295
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1304
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1296
# user 'chilli' creation (in order to run conup/off and up/down scripts
1305
# user 'chilli' creation (in order to run conup/off and up/down scripts
1297
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1306
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1298
	if [ "$chilli_exist" == "1" ]
1307
	if [ "$chilli_exist" == "1" ]
1299
	then
1308
	then
1300
	      userdel -r chilli 2>/dev/null
1309
	      userdel -r chilli 2>/dev/null
1301
	fi
1310
	fi
1302
	groupadd -f chilli
1311
	groupadd -f chilli
1303
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1312
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1304
}  # End of chilli ()
1313
}  # End of chilli ()
1305
 
1314
 
1306
##################################################################
1315
##################################################################
1307
##		Fonction "dansguardian"				##
1316
##		Fonction "dansguardian"				##
1308
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1317
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1309
##################################################################
1318
##################################################################
1310
dansguardian ()
1319
dansguardian ()
1311
{
1320
{
1312
	mkdir -p /var/dansguardian /var/log/dansguardian
1321
	mkdir -p /var/dansguardian /var/log/dansguardian
1313
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1322
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1314
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1323
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1315
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1324
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1316
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1325
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1317
# By default the filter is off 
1326
# By default the filter is off 
1318
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1327
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1319
# French deny HTML page
1328
# French deny HTML page
1320
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1329
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1321
# Listen only on LAN side
1330
# Listen only on LAN side
1322
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1331
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1323
# DG send its flow to HAVP
1332
# DG send its flow to HAVP
1324
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1333
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1325
# replace the default deny HTML page
1334
# replace the default deny HTML page
1326
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1335
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1327
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1336
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1328
# Don't log
1337
# Don't log
1329
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1338
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1330
# on désactive par défaut le controle de contenu des pages html
1339
# on désactive par défaut le controle de contenu des pages html
1331
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1340
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1332
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1341
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1333
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1342
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1334
# on désactive par défaut le contrôle d'URL par expressions régulières
1343
# on désactive par défaut le contrôle d'URL par expressions régulières
1335
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1344
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1336
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1345
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1337
 
1346
 
1338
# Configure Dansguardian for large site
1347
# Configure Dansguardian for large site
1339
# Minimum number of processus to handle connections
1348
# Minimum number of processus to handle connections
1340
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1349
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1341
# Maximum number of processus to handle connections
1350
# Maximum number of processus to handle connections
1342
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1351
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1343
# Run at least 8 daemons
1352
# Run at least 8 daemons
1344
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1353
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1345
# minimum number of processes to spawn
1354
# minimum number of processes to spawn
1346
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1355
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1347
# maximum age of a child process before it croaks it
1356
# maximum age of a child process before it croaks it
1348
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1357
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1349
	
1358
	
1350
# on désactive par défaut le contrôle de téléchargement de fichiers
1359
# on désactive par défaut le contrôle de téléchargement de fichiers
1351
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1360
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1352
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1361
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1353
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1362
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1354
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1363
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1355
	touch $DIR_DG/lists/bannedextensionlist
1364
	touch $DIR_DG/lists/bannedextensionlist
1356
	touch $DIR_DG/lists/bannedmimetypelist
1365
	touch $DIR_DG/lists/bannedmimetypelist
1357
# 'Safesearch' regex actualisation
1366
# 'Safesearch' regex actualisation
1358
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1367
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1359
# empty LAN IP list that won't be WEB filtered
1368
# empty LAN IP list that won't be WEB filtered
1360
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1369
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1361
	touch $DIR_DG/lists/exceptioniplist
1370
	touch $DIR_DG/lists/exceptioniplist
1362
# Keep a copy of URL & domain filter configuration files
1371
# Keep a copy of URL & domain filter configuration files
1363
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1372
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1364
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1373
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1365
} # End of dansguardian ()
1374
} # End of dansguardian ()
1366
 
1375
 
1367
##################################################################
1376
##################################################################
1368
##			Fonction "antivirus"			##
1377
##			Fonction "antivirus"			##
1369
## - configuration of havp, libclamav and freshclam		##
1378
## - configuration of havp, libclamav and freshclam		##
1370
##################################################################
1379
##################################################################
1371
antivirus ()		
1380
antivirus ()		
1372
{
1381
{
1373
# create 'havp' user
1382
# create 'havp' user
1374
	havp_exist=`grep havp /etc/passwd|wc -l`
1383
	havp_exist=`grep havp /etc/passwd|wc -l`
1375
	if [ "$havp_exist" == "1" ]
1384
	if [ "$havp_exist" == "1" ]
1376
	then
1385
	then
1377
	      userdel -r havp 2>/dev/null
1386
	      userdel -r havp 2>/dev/null
1378
	      groupdel havp 2>/dev/null
1387
	      groupdel havp 2>/dev/null
1379
	fi
1388
	fi
1380
	groupadd -f havp
1389
	groupadd -f havp
1381
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1390
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1382
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1391
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1383
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1392
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1384
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1393
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1385
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1394
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1386
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1395
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1387
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1396
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1388
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1397
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1389
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1398
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1390
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1399
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1391
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1400
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1392
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1401
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1393
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1402
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1394
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1403
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1395
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1404
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1396
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1405
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1397
# skip checking of youtube flow (too heavy load / risk too low)
1406
# skip checking of youtube flow (too heavy load / risk too low)
1398
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1407
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1399
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1408
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1400
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1409
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1401
# adapt init script and systemd unit
1410
# adapt init script and systemd unit
1402
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1411
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1403
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1412
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1404
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1413
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1405
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1414
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1406
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1415
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1407
# replace of the intercept page (template)
1416
# replace of the intercept page (template)
1408
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1417
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1409
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1418
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1410
# update virus database every 4 hours (24h/6)
1419
# update virus database every 4 hours (24h/6)
1411
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1420
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1412
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1421
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1413
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1422
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1414
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1423
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1415
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1424
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1416
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1425
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1417
# update now
1426
# update now
1418
	/usr/bin/freshclam --no-warnings
1427
	/usr/bin/freshclam --no-warnings
1419
} # End of antivirus ()
1428
} # End of antivirus ()
1420
 
1429
 
1421
##########################################################################
1430
##########################################################################
1422
##			Fonction "tinyproxy"				##
1431
##			Fonction "tinyproxy"				##
1423
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1432
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1424
##########################################################################
1433
##########################################################################
1425
tinyproxy ()		
1434
tinyproxy ()		
1426
{
1435
{
1427
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1436
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1428
	if [ "$tinyproxy_exist" == "1" ]
1437
	if [ "$tinyproxy_exist" == "1" ]
1429
	then
1438
	then
1430
	      userdel -r tinyproxy 2>/dev/null
1439
	      userdel -r tinyproxy 2>/dev/null
1431
	      groupdel tinyproxy 2>/dev/null
1440
	      groupdel tinyproxy 2>/dev/null
1432
	fi
1441
	fi
1433
	groupadd -f tinyproxy
1442
	groupadd -f tinyproxy
1434
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1443
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1435
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1444
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1436
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1445
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1437
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1446
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1438
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1447
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1439
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1448
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1440
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1449
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1441
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1450
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1442
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1451
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1443
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1452
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1444
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1453
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1445
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1454
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1446
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1455
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1447
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1456
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1448
# Create the systemd unit
1457
# Create the systemd unit
1449
cat << EOF > /lib/systemd/system/tinyproxy.service
1458
cat << EOF > /lib/systemd/system/tinyproxy.service
1450
#  This file is part of systemd.
1459
#  This file is part of systemd.
1451
#
1460
#
1452
#  systemd is free software; you can redistribute it and/or modify it
1461
#  systemd is free software; you can redistribute it and/or modify it
1453
#  under the terms of the GNU General Public License as published by
1462
#  under the terms of the GNU General Public License as published by
1454
#  the Free Software Foundation; either version 2 of the License, or
1463
#  the Free Software Foundation; either version 2 of the License, or
1455
#  (at your option) any later version.
1464
#  (at your option) any later version.
1456
 
1465
 
1457
# This unit launches tinyproxy (a very light proxy).
1466
# This unit launches tinyproxy (a very light proxy).
1458
# The "sleep 2" is needed because the pid file isn't ready for systemd
1467
# The "sleep 2" is needed because the pid file isn't ready for systemd
1459
[Unit]
1468
[Unit]
1460
Description=Tinyproxy Web Proxy Server
1469
Description=Tinyproxy Web Proxy Server
1461
After=network.target iptables.service
1470
After=network.target iptables.service
1462
 
1471
 
1463
[Service]
1472
[Service]
1464
Type=forking
1473
Type=forking
1465
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1474
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1466
ExecStartPre=/bin/sleep 2
1475
ExecStartPre=/bin/sleep 2
1467
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1476
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1468
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1477
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1469
 
1478
 
1470
[Install]
1479
[Install]
1471
WantedBy=multi-user.target
1480
WantedBy=multi-user.target
1472
EOF
1481
EOF
1473
 
1482
 
1474
} # end of tinyproxy
1483
} # end of tinyproxy
1475
##################################################################################
1484
##################################################################################
1476
##			function "ulogd"					##
1485
##			function "ulogd"					##
1477
## - Ulog config for multi-log files 						##
1486
## - Ulog config for multi-log files 						##
1478
##################################################################################
1487
##################################################################################
1479
ulogd ()
1488
ulogd ()
1480
{
1489
{
1481
# Three instances of ulogd (three different logfiles)
1490
# Three instances of ulogd (three different logfiles)
1482
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1491
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1483
	nl=1
1492
	nl=1
1484
	for log_type in traceability ssh ext-access
1493
	for log_type in traceability ssh ext-access
1485
	do
1494
	do
1486
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1495
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1487
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1496
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1488
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1497
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1489
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1498
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1490
		cat << EOF >> /etc/ulogd-$log_type.conf
1499
		cat << EOF >> /etc/ulogd-$log_type.conf
1491
[emu1]
1500
[emu1]
1492
file="/var/log/firewall/$log_type.log"
1501
file="/var/log/firewall/$log_type.log"
1493
sync=1
1502
sync=1
1494
EOF
1503
EOF
1495
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1504
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1496
		nl=`expr $nl + 1`
1505
		nl=`expr $nl + 1`
1497
	done
1506
	done
1498
	chown -R root:apache /var/log/firewall
1507
	chown -R root:apache /var/log/firewall
1499
	chmod 750 /var/log/firewall
1508
	chmod 750 /var/log/firewall
1500
	chmod 640 /var/log/firewall/*
1509
	chmod 640 /var/log/firewall/*
1501
}  # End of ulogd ()
1510
}  # End of ulogd ()
1502
 
1511
 
1503
 
1512
 
1504
##########################################################
1513
##########################################################
1505
##              Function "nfsen"			##
1514
##              Function "nfsen"			##
1506
## - install the nfsen grapher				##
1515
## - install the nfsen grapher				##
1507
## - install the two plugins porttracker & surfmap	##
1516
## - install the two plugins porttracker & surfmap	##
1508
##########################################################
1517
##########################################################
1509
nfsen()
1518
nfsen()
1510
{
1519
{
1511
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1520
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1512
# Add PortTracker plugin
1521
# Add PortTracker plugin
1513
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1522
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1514
	do
1523
	do
1515
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1524
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1516
	done
1525
	done
1517
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1526
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1518
# use of our conf file and init unit
1527
# use of our conf file and init unit
1519
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1528
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1520
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1529
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1521
	DirTmp=$(pwd)
1530
	DirTmp=$(pwd)
1522
	cd /tmp/nfsen-1.3.7/
1531
	cd /tmp/nfsen-1.3.7/
1523
	/usr/bin/perl install.pl etc/nfsen.conf
1532
	/usr/bin/perl install.pl etc/nfsen.conf
1524
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1533
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1525
# Create RRD DB for porttracker (only in it still doesn't exist)
1534
# Create RRD DB for porttracker (only in it still doesn't exist)
1526
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1535
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1527
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1536
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1528
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1537
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1529
	chmod -R 770 /var/log/netflow/porttracker
1538
	chmod -R 770 /var/log/netflow/porttracker
1530
# nfsen unit for systemd
1539
# nfsen unit for systemd
1531
cat << EOF > /lib/systemd/system/nfsen.service
1540
cat << EOF > /lib/systemd/system/nfsen.service
1532
#  This file is part of systemd.
1541
#  This file is part of systemd.
1533
#
1542
#
1534
#  systemd is free software; you can redistribute it and/or modify it
1543
#  systemd is free software; you can redistribute it and/or modify it
1535
#  under the terms of the GNU General Public License as published by
1544
#  under the terms of the GNU General Public License as published by
1536
#  the Free Software Foundation; either version 2 of the License, or
1545
#  the Free Software Foundation; either version 2 of the License, or
1537
#  (at your option) any later version.
1546
#  (at your option) any later version.
1538
 
1547
 
1539
# This unit launches nfsen (a Netflow grapher).
1548
# This unit launches nfsen (a Netflow grapher).
1540
[Unit]
1549
[Unit]
1541
Description= NfSen init script
1550
Description= NfSen init script
1542
After=network.target iptables.service
1551
After=network.target iptables.service
1543
 
1552
 
1544
[Service]
1553
[Service]
1545
Type=oneshot
1554
Type=oneshot
1546
RemainAfterExit=yes
1555
RemainAfterExit=yes
1547
PIDFile=/var/run/nfsen/nfsen.pid
1556
PIDFile=/var/run/nfsen/nfsen.pid
1548
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1557
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1549
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1558
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1550
ExecStart=/usr/bin/nfsen start 
1559
ExecStart=/usr/bin/nfsen start 
1551
ExecStop=/usr/bin/nfsen stop
1560
ExecStop=/usr/bin/nfsen stop
1552
ExecReload=/usr/bin/nfsen restart
1561
ExecReload=/usr/bin/nfsen restart
1553
TimeoutSec=0
1562
TimeoutSec=0
1554
 
1563
 
1555
[Install]
1564
[Install]
1556
WantedBy=multi-user.target
1565
WantedBy=multi-user.target
1557
EOF
1566
EOF
1558
# Add the listen port to collect netflow packet (nfcapd)
1567
# Add the listen port to collect netflow packet (nfcapd)
1559
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1568
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1560
# expire delay for the profile "live"
1569
# expire delay for the profile "live"
1561
	/usr/bin/systemctl start nfsen
1570
	/usr/bin/systemctl start nfsen
1562
	/bin/nfsen -m live -e 62d 2>/dev/null
1571
	/bin/nfsen -m live -e 62d 2>/dev/null
1563
# add SURFmap plugin
1572
# add SURFmap plugin
1564
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1573
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1565
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1574
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1566
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1575
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1567
	cd /tmp/
1576
	cd /tmp/
1568
	/usr/bin/sh SURFmap/install.sh
1577
	/usr/bin/sh SURFmap/install.sh
1569
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1578
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1570
# clear the installation
1579
# clear the installation
1571
	cd $DirTmp
1580
	cd $DirTmp
1572
	rm -rf /tmp/nfsen*
1581
	rm -rf /tmp/nfsen*
1573
	rm -rf /tmp/SURFmap*
1582
	rm -rf /tmp/SURFmap*
1574
} # End of nfsen ()
1583
} # End of nfsen ()
1575
 
1584
 
1576
##################################################
1585
##################################################
1577
##		Function "vnstat"		##
1586
##		Function "vnstat"		##
1578
## Initialization of Vnstat and vnstat phpFE    ##
1587
## Initialization of Vnstat and vnstat phpFE    ##
1579
##################################################
1588
##################################################
1580
vnstat ()
1589
vnstat ()
1581
{
1590
{
1582
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1591
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1583
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1592
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1584
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1593
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1585
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1594
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1586
	 $SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1595
	 $SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1587
	/usr/bin/vnstat -u -i $EXTIF
1596
	/usr/bin/vnstat -u -i $EXTIF
1588
} # End of vnstat
1597
} # End of vnstat
1589
 
1598
 
1590
##################################################
1599
##################################################
1591
##		Function "dnsmasq"		##
1600
##		Function "dnsmasq"		##
1592
##################################################
1601
##################################################
1593
dnsmasq ()
1602
dnsmasq ()
1594
{
1603
{
1595
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1604
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1596
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1605
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1597
#	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1606
#	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1598
	$SED "s?^.*OPTIONS=.*?#OPTIONS=\"--log-async=250 --log-queries --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq # General Options for dnslog or debugging
1607
	$SED "s?^.*OPTIONS=.*?#OPTIONS=\"--log-async=250 --log-queries --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq # General Options for dnslog or debugging
1599
	$SED "s?^local=.*?local=/$DOMAIN/?g" $DIR_DEST_ETC/alcasar-dns-name # default domain name for all dnsmasq daemons
1608
	$SED "s?^local=.*?local=/$DOMAIN/?g" $DIR_DEST_ETC/alcasar-dns-name # default domain name for all dnsmasq daemons
1600
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1609
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1601
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1610
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1602
	cat << EOF > /etc/dnsmasq.conf
1611
	cat << EOF > /etc/dnsmasq.conf
1603
# Configuration file for "dnsmasq in forward mode"
1612
# Configuration file for "dnsmasq in forward mode"
1604
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1613
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1605
listen-address=$PRIVATE_IP
1614
listen-address=$PRIVATE_IP
1606
pid-file=/var/run/dnsmasq.pid
1615
pid-file=/var/run/dnsmasq.pid
1607
listen-address=127.0.0.1
1616
listen-address=127.0.0.1
1608
no-dhcp-interface=$INTIF
1617
no-dhcp-interface=$INTIF
1609
no-dhcp-interface=tun0
1618
no-dhcp-interface=tun0
1610
no-dhcp-interface=lo
1619
no-dhcp-interface=lo
1611
bind-interfaces
1620
bind-interfaces
1612
cache-size=2048
1621
cache-size=2048
1613
domain-needed
1622
domain-needed
1614
expand-hosts
1623
expand-hosts
1615
bogus-priv
1624
bogus-priv
1616
filterwin2k
1625
filterwin2k
1617
server=$DNS1
1626
server=$DNS1
1618
server=$DNS2
1627
server=$DNS2
1619
# DHCP service is configured. It will be enabled in "bypass" mode
1628
# DHCP service is configured. It will be enabled in "bypass" mode
1620
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1629
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1621
#dhcp-option=option:router,$PRIVATE_IP
1630
#dhcp-option=option:router,$PRIVATE_IP
1622
#dhcp-option=option:ntp-server,$PRIVATE_IP
1631
#dhcp-option=option:ntp-server,$PRIVATE_IP
1623
#domain=$DOMAIN
1632
#domain=$DOMAIN
1624
 
1633
 
1625
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1634
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1626
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1635
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1627
EOF
1636
EOF
1628
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1637
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1629
	cat << EOF > /etc/dnsmasq-blacklist.conf
1638
	cat << EOF > /etc/dnsmasq-blacklist.conf
1630
# Configuration file for "dnsmasq with blacklist"
1639
# Configuration file for "dnsmasq with blacklist"
1631
# Add Toulouse University blacklist domains
1640
# Add Toulouse University blacklist domains
1632
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1641
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1633
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1642
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1634
pid-file=/var/run/dnsmasq-blacklist.pid
1643
pid-file=/var/run/dnsmasq-blacklist.pid
1635
listen-address=$PRIVATE_IP
1644
listen-address=$PRIVATE_IP
1636
port=54
1645
port=54
1637
no-dhcp-interface=$INTIF
1646
no-dhcp-interface=$INTIF
1638
no-dhcp-interface=tun0
1647
no-dhcp-interface=tun0
1639
no-dhcp-interface=lo
1648
no-dhcp-interface=lo
1640
bind-interfaces
1649
bind-interfaces
1641
cache-size=2048
1650
cache-size=2048
1642
domain-needed
1651
domain-needed
1643
expand-hosts
1652
expand-hosts
1644
bogus-priv
1653
bogus-priv
1645
filterwin2k
1654
filterwin2k
1646
log-queries
1655
log-queries
1647
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1656
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1648
server=$DNS1
1657
server=$DNS1
1649
server=$DNS2
1658
server=$DNS2
1650
EOF
1659
EOF
1651
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1660
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1652
	cat << EOF > /etc/dnsmasq-whitelist.conf
1661
	cat << EOF > /etc/dnsmasq-whitelist.conf
1653
# Configuration file for "dnsmasq with whitelist"
1662
# Configuration file for "dnsmasq with whitelist"
1654
# ADD Toulouse university whitelist domains
1663
# ADD Toulouse university whitelist domains
1655
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1664
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1656
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1665
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1657
pid-file=/var/run/dnsmasq-whitelist.pid
1666
pid-file=/var/run/dnsmasq-whitelist.pid
1658
listen-address=$PRIVATE_IP
1667
listen-address=$PRIVATE_IP
1659
port=55
1668
port=55
1660
no-dhcp-interface=$INTIF
1669
no-dhcp-interface=$INTIF
1661
no-dhcp-interface=tun0
1670
no-dhcp-interface=tun0
1662
no-dhcp-interface=lo
1671
no-dhcp-interface=lo
1663
bind-interfaces
1672
bind-interfaces
1664
cache-size=1024
1673
cache-size=1024
1665
domain-needed
1674
domain-needed
1666
expand-hosts
1675
expand-hosts
1667
bogus-priv
1676
bogus-priv
1668
filterwin2k
1677
filterwin2k
1669
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1678
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1670
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1679
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1671
EOF
1680
EOF
1672
# 4th dnsmasq listen on udp 56 ("blackhole")
1681
# 4th dnsmasq listen on udp 56 ("blackhole")
1673
	cat << EOF > /etc/dnsmasq-blackhole.conf
1682
	cat << EOF > /etc/dnsmasq-blackhole.conf
1674
# Configuration file for "dnsmasq as a blackhole"
1683
# Configuration file for "dnsmasq as a blackhole"
1675
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1684
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1676
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1685
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1677
pid-file=/var/run/dnsmasq-blackhole.pid
1686
pid-file=/var/run/dnsmasq-blackhole.pid
1678
listen-address=$PRIVATE_IP
1687
listen-address=$PRIVATE_IP
1679
port=56
1688
port=56
1680
no-dhcp-interface=$INTIF
1689
no-dhcp-interface=$INTIF
1681
no-dhcp-interface=tun0
1690
no-dhcp-interface=tun0
1682
no-dhcp-interface=lo
1691
no-dhcp-interface=lo
1683
bind-interfaces
1692
bind-interfaces
1684
cache-size=256
1693
cache-size=256
1685
domain-needed
1694
domain-needed
1686
expand-hosts
1695
expand-hosts
1687
bogus-priv
1696
bogus-priv
1688
filterwin2k
1697
filterwin2k
1689
EOF
1698
EOF
1690
 
1699
 
1691
# the main instance should start after network and chilli (which create tun0)
1700
# the main instance should start after network and chilli (which create tun0)
1692
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1701
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1693
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1702
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1694
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1703
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1695
	for list in blacklist whitelist blackhole
1704
	for list in blacklist whitelist blackhole
1696
	do
1705
	do
1697
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1706
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1698
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1707
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1699
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1708
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1700
	done
1709
	done
1701
} # End dnsmasq
1710
} # End dnsmasq
1702
 
1711
 
1703
##########################################################
1712
##########################################################
1704
##		Fonction "BL"				##
1713
##		Fonction "BL"				##
1705
##########################################################
1714
##########################################################
1706
BL ()
1715
BL ()
1707
{
1716
{
1708
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1717
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1709
	rm -rf $DIR_DG/lists/blacklists
1718
	rm -rf $DIR_DG/lists/blacklists
1710
	mkdir -p /tmp/blacklists
1719
	mkdir -p /tmp/blacklists
1711
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1720
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1712
# creation of file for the rehabilited domains and urls
1721
# creation of file for the rehabilited domains and urls
1713
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1722
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1714
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1723
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1715
	touch $DIR_DG/lists/exceptionsitelist
1724
	touch $DIR_DG/lists/exceptionsitelist
1716
	touch $DIR_DG/lists/exceptionurllist
1725
	touch $DIR_DG/lists/exceptionurllist
1717
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1726
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1718
	cat <<EOF > $DIR_DG/lists/bannedurllist
1727
	cat <<EOF > $DIR_DG/lists/bannedurllist
1719
# Dansguardian filter config for ALCASAR
1728
# Dansguardian filter config for ALCASAR
1720
EOF
1729
EOF
1721
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1730
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1722
# Dansguardian domain filter config for ALCASAR
1731
# Dansguardian domain filter config for ALCASAR
1723
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1732
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1724
#**
1733
#**
1725
# block all SSL and CONNECT tunnels
1734
# block all SSL and CONNECT tunnels
1726
**s
1735
**s
1727
# block all SSL and CONNECT tunnels specified only as an IP
1736
# block all SSL and CONNECT tunnels specified only as an IP
1728
*ips
1737
*ips
1729
# block all sites specified only by an IP
1738
# block all sites specified only by an IP
1730
*ip
1739
*ip
1731
EOF
1740
EOF
1732
# Add Bing to the safesearch url regext list (parental control)
1741
# Add Bing to the safesearch url regext list (parental control)
1733
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1742
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1734
# Bing - add 'adlt=strict'
1743
# Bing - add 'adlt=strict'
1735
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1744
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1736
EOF
1745
EOF
1737
# change the google safesearch ("safe=strict" instead of "safe=vss")
1746
# change the google safesearch ("safe=strict" instead of "safe=vss")
1738
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1747
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1739
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1748
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1740
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1749
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1741
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1750
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1742
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1751
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1743
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1752
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1744
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1753
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1745
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1754
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1746
# add custom ALCASAR BL files
1755
# add custom ALCASAR BL files
1747
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1756
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1748
	do
1757
	do
1749
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1758
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1750
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1759
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1751
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1760
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1752
	done
1761
	done
1753
	chown -R dansguardian:apache $DIR_DG
1762
	chown -R dansguardian:apache $DIR_DG
1754
	chown -R root:apache $DIR_DEST_SHARE
1763
	chown -R root:apache $DIR_DEST_SHARE
1755
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1764
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1756
# adapt the Toulouse BL to ALCASAR architecture
1765
# adapt the Toulouse BL to ALCASAR architecture
1757
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1766
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1758
# enable the default categories
1767
# enable the default categories
1759
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1768
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1760
}
1769
}
1761
 
1770
 
1762
##########################################################
1771
##########################################################
1763
##		Fonction "cron"				##
1772
##		Fonction "cron"				##
1764
## - Mise en place des différents fichiers de cron	##
1773
## - Mise en place des différents fichiers de cron	##
1765
##########################################################
1774
##########################################################
1766
cron ()
1775
cron ()
1767
{
1776
{
1768
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1777
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1769
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1778
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1770
	cat <<EOF > /etc/crontab
1779
	cat <<EOF > /etc/crontab
1771
SHELL=/usr/bin/bash
1780
SHELL=/usr/bin/bash
1772
PATH=/usr/sbin:/usr/bin
1781
PATH=/usr/sbin:/usr/bin
1773
MAILTO=root
1782
MAILTO=root
1774
HOME=/
1783
HOME=/
1775
 
1784
 
1776
# run-parts
1785
# run-parts
1777
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1786
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1778
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1787
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1779
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1788
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1780
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1789
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1781
EOF
1790
EOF
1782
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1791
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1783
	cat <<EOF >> /etc/anacrontab
1792
	cat <<EOF >> /etc/anacrontab
1784
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1793
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1785
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1794
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1786
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1795
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1787
EOF
1796
EOF
1788
 
1797
 
1789
	cat <<EOF > /etc/cron.d/alcasar-mysql
1798
	cat <<EOF > /etc/cron.d/alcasar-mysql
1790
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1799
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1791
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1800
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1792
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1801
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1793
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1802
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1794
EOF
1803
EOF
1795
	cat <<EOF > /etc/cron.d/alcasar-archive
1804
	cat <<EOF > /etc/cron.d/alcasar-archive
1796
# Archive des logs et de la base de données (tous les lundi à 5h35)
1805
# Archive des logs et de la base de données (tous les lundi à 5h35)
1797
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1806
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1798
EOF
1807
EOF
1799
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1808
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1800
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1809
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1801
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1810
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1802
EOF
1811
EOF
1803
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1812
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1804
# mise à jour automatique de la distribution tous les jours 3h30
1813
# mise à jour automatique de la distribution tous les jours 3h30
1805
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1814
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1806
EOF
1815
EOF
1807
 
1816
 
1808
	cat << EOF > /etc/cron.d/alcasar-connections-stats
1817
	cat << EOF > /etc/cron.d/alcasar-connections-stats
1809
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1818
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1810
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1819
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1811
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1820
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1812
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1821
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1813
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1822
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1814
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1823
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1815
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1824
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1816
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1825
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1817
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1826
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1818
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1827
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1819
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1828
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1820
EOF
1829
EOF
1821
	cat << EOF > /etc/cron.d/alcasar-watchdog
1830
	cat << EOF > /etc/cron.d/alcasar-watchdog
1822
# run the "watchdog" every 3'
1831
# run the "watchdog" every 3'
1823
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1832
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1824
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1833
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1825
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1834
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1826
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1835
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1827
EOF
1836
EOF
1828
# Enabling the watchdog every 18'
1837
# Enabling the watchdog every 18'
1829
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1838
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1830
# activate  the daemon-watchdog after boot process
1839
# activate  the daemon-watchdog after boot process
1831
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1840
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1832
# activate the daemon-watchdog every 18'
1841
# activate the daemon-watchdog every 18'
1833
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1842
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1834
EOF
1843
EOF
1835
 
1844
 
1836
# Enabling category update from rsync
1845
# Enabling category update from rsync
1837
	cat << EOF > /etc/cron.d/alcasar-rsync-bl
1846
	cat << EOF > /etc/cron.d/alcasar-rsync-bl
1838
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). 
1847
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). 
1839
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1848
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1840
EOF
1849
EOF
1841
 
1850
 
1842
# removing the users crons
1851
# removing the users crons
1843
	rm -f /var/spool/cron/*
1852
	rm -f /var/spool/cron/*
1844
} # End cron
1853
} # End cron
1845
 
1854
 
1846
##################################################################
1855
##################################################################
1847
## 			Fonction "Fail2Ban"			##
1856
## 			Fonction "Fail2Ban"			##
1848
##- Modification de la configuration de fail2ban		##
1857
##- Modification de la configuration de fail2ban		##
1849
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1858
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1850
##################################################################
1859
##################################################################
1851
fail2ban()
1860
fail2ban()
1852
{
1861
{
1853
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1862
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1854
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1863
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1855
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1864
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1856
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1865
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1857
	chmod 644 /var/log/fail2ban.log
1866
	chmod 644 /var/log/fail2ban.log
1858
	chmod 644 /var/Save/security/watchdog.log
1867
	chmod 644 /var/Save/security/watchdog.log
1859
	/usr/bin/touch /var/log/auth.log
1868
	/usr/bin/touch /var/log/auth.log
1860
# fail2ban unit
1869
# fail2ban unit
1861
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1870
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1862
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1871
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1863
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1872
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1864
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1873
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1865
} #Fin de fail2ban_install()
1874
} #Fin de fail2ban_install()
1866
 
1875
 
1867
##################################################################
1876
##################################################################
1868
## 			Fonction "gammu_smsd"			##
1877
## 			Fonction "gammu_smsd"			##
1869
## - Creation de la base de donnée Gammu			##
1878
## - Creation de la base de donnée Gammu			##
1870
## - Creation du fichier de config: gammu_smsd_conf		##
1879
## - Creation du fichier de config: gammu_smsd_conf		##
1871
##################################################################
1880
##################################################################
1872
gammu_smsd()
1881
gammu_smsd()
1873
{
1882
{
1874
# Create 'gammu' databse
1883
# Create 'gammu' databse
1875
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1884
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1876
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1885
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1877
# Add a gammu database structure
1886
# Add a gammu database structure
1878
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1887
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1879
 
1888
 
1880
# config file for the daemon
1889
# config file for the daemon
1881
cat << EOF > /etc/gammu_smsd_conf
1890
cat << EOF > /etc/gammu_smsd_conf
1882
[gammu]
1891
[gammu]
1883
port = /dev/ttyUSB0
1892
port = /dev/ttyUSB0
1884
connection = at115200
1893
connection = at115200
1885
 
1894
 
1886
;########################################################
1895
;########################################################
1887
 
1896
 
1888
[smsd]
1897
[smsd]
1889
 
1898
 
1890
PIN = 1234
1899
PIN = 1234
1891
 
1900
 
1892
logfile = /var/log/gammu-smsd/gammu-smsd.log
1901
logfile = /var/log/gammu-smsd/gammu-smsd.log
1893
logformat = textall
1902
logformat = textall
1894
debuglevel = 0
1903
debuglevel = 0
1895
 
1904
 
1896
service = sql
1905
service = sql
1897
driver = native_mysql
1906
driver = native_mysql
1898
user = $DB_USER
1907
user = $DB_USER
1899
password = $radiuspwd
1908
password = $radiuspwd
1900
pc = localhost
1909
pc = localhost
1901
database = $DB_GAMMU
1910
database = $DB_GAMMU
1902
 
1911
 
1903
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1912
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1904
 
1913
 
1905
StatusFrequency = 30
1914
StatusFrequency = 30
1906
;LoopSleep = 2
1915
;LoopSleep = 2
1907
 
1916
 
1908
;ResetFrequency = 300
1917
;ResetFrequency = 300
1909
;HardResetFrequency = 120
1918
;HardResetFrequency = 120
1910
 
1919
 
1911
CheckSecurity = 1 
1920
CheckSecurity = 1 
1912
CheckSignal = 1
1921
CheckSignal = 1
1913
CheckBattery = 0
1922
CheckBattery = 0
1914
EOF
1923
EOF
1915
 
1924
 
1916
chmod 755 /etc/gammu_smsd_conf
1925
chmod 755 /etc/gammu_smsd_conf
1917
 
1926
 
1918
#Creation dossier de log Gammu-smsd
1927
#Creation dossier de log Gammu-smsd
1919
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1928
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1920
chmod 755 /var/log/gammu-smsd
1929
chmod 755 /var/log/gammu-smsd
1921
 
1930
 
1922
#Edition du script sql gammu <-> radius
1931
#Edition du script sql gammu <-> radius
1923
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1932
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1924
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1933
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1925
 
1934
 
1926
#Création de la règle udev pour les Huawei // idVendor: 12d1
1935
#Création de la règle udev pour les Huawei // idVendor: 12d1
1927
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1936
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1928
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1937
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1929
EOF
1938
EOF
1930
 
1939
 
1931
} # END gammu_smsd()
1940
} # END gammu_smsd()
1932
 
1941
 
1933
 
1942
 
1934
##################################################################
1943
##################################################################
1935
##			Fonction "msec"				##
1944
##			Fonction "msec"				##
1936
## - Apply the "fileserver" security level			##
1945
## - Apply the "fileserver" security level			##
1937
## - remove the "system request" for rebboting			##
1946
## - remove the "system request" for rebboting			##
1938
## - Fix several file permissions				##
1947
## - Fix several file permissions				##
1939
##################################################################
1948
##################################################################
1940
msec()
1949
msec()
1941
{
1950
{
1942
 
1951
 
1943
# Apply fileserver security level
1952
# Apply fileserver security level
1944
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1953
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1945
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
1954
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
1946
 
1955
 
1947
# Set permissions monitoring and enforcement
1956
# Set permissions monitoring and enforcement
1948
cat <<EOF > /etc/security/msec/perm.local
1957
cat <<EOF > /etc/security/msec/perm.local
1949
/var/log/firefwall/                     root.apache     750
1958
/var/log/firefwall/                     root.apache     750
1950
/var/log/firewall/*                     root.apache     640
1959
/var/log/firewall/*                     root.apache     640
1951
/etc/security/msec/perm.local           root.root       640
1960
/etc/security/msec/perm.local           root.root       640
1952
/etc/security/msec/level.local          root.root       640
1961
/etc/security/msec/level.local          root.root       640
1953
/etc/freeradius-web                     root.apache     750
1962
/etc/freeradius-web                     root.apache     750
1954
/etc/freeradius-web/admin.conf          root.apache     640
1963
/etc/freeradius-web/admin.conf          root.apache     640
1955
/etc/raddb/dictionnary                  root.apache     640
1964
/etc/raddb/dictionnary                  root.apache     640
1956
/etc/raddb/ldap.attrmap                 root.radius     640
1965
/etc/raddb/ldap.attrmap                 root.radius     640
1957
/etc/raddb/hints                        root.radius     640
1966
/etc/raddb/hints                        root.radius     640
1958
/etc/raddb/huntgroups                   root.radius     640
1967
/etc/raddb/huntgroups                   root.radius     640
1959
/etc/raddb/attrs.access_reject          root.radius     640
1968
/etc/raddb/attrs.access_reject          root.radius     640
1960
/etc/raddb/attrs.accounting_response    root.radius     640
1969
/etc/raddb/attrs.accounting_response    root.radius     640
1961
/etc/raddb/acct_users                   root.radius     640
1970
/etc/raddb/acct_users                   root.radius     640
1962
/etc/raddb/preproxy_users               root.radius     640
1971
/etc/raddb/preproxy_users               root.radius     640
1963
/etc/raddb/modules/ldap                 radius.apache   660
1972
/etc/raddb/modules/ldap                 radius.apache   660
1964
/etc/raddb/sites-available/alcasar      radius.apache   660
1973
/etc/raddb/sites-available/alcasar      radius.apache   660
1965
/etc/pki/*                              root.apache     750
1974
/etc/pki/*                              root.apache     750
1966
/var/log/netflow/porttracker            root.apache     770
1975
/var/log/netflow/porttracker            root.apache     770
1967
/var/log/netflow/porttracker/*          root.apache     660
1976
/var/log/netflow/porttracker/*          root.apache     660
1968
EOF
1977
EOF
1969
# apply now hourly & daily checks 
1978
# apply now hourly & daily checks 
1970
/usr/sbin/msec
1979
/usr/sbin/msec
1971
/etc/cron.weekly/msec
1980
/etc/cron.weekly/msec
1972
 
1981
 
1973
} # END msec()
1982
} # END msec()
1974
 
1983
 
1975
##################################################################
1984
##################################################################
1976
##		Fonction "post_install"			##
1985
##		Fonction "post_install"			##
1977
## - Modifying banners (locals et ssh) & prompts	##
1986
## - Modifying banners (locals et ssh) & prompts	##
1978
## - SSH config						##
1987
## - SSH config						##
1979
## - sudoers config & files security			##
1988
## - sudoers config & files security			##
1980
## - log rotate & ANSSI security parameters		##
1989
## - log rotate & ANSSI security parameters		##
1981
## - Apply former conf in case of an update		##
1990
## - Apply former conf in case of an update		##
1982
##########################################################
1991
##########################################################
1983
post_install()
1992
post_install()
1984
{
1993
{
1985
# change the SSH banner
1994
# change the SSH banner
1986
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1995
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1987
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1996
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1988
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1997
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1989
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1998
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1990
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1999
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1991
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2000
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1992
# postfix banner anonymisation
2001
# postfix banner anonymisation
1993
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
2002
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1994
	chown -R postfix:postfix /var/lib/postfix
2003
	chown -R postfix:postfix /var/lib/postfix
1995
# sshd liste on EXTIF & INTIF
2004
# sshd liste on EXTIF & INTIF
1996
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2005
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1997
# sshd authorized certificate for root login
2006
# sshd authorized certificate for root login
1998
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2007
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1999
# ALCASAR conf file
2008
# ALCASAR conf file
2000
	echo "SSH=on" >> $CONF_FILE
2009
	echo "SSH=on" >> $CONF_FILE
2001
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2010
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2002
	echo "LDAP=off" >> $CONF_FILE
2011
	echo "LDAP=off" >> $CONF_FILE
2003
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
2012
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
2004
	echo "MULTIWAN=off" >> $CONF_FILE
2013
	echo "MULTIWAN=off" >> $CONF_FILE
2005
	echo "FAILOVER=30" >> $CONF_FILE
2014
	echo "FAILOVER=30" >> $CONF_FILE
2006
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2015
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2007
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2016
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2008
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2017
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2009
# Prompt customisation (colors)
2018
# Prompt customisation (colors)
2010
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2019
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2011
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2020
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2012
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2021
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2013
# sudoers configuration for "apache" & "sysadmin"
2022
# sudoers configuration for "apache" & "sysadmin"
2014
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2023
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2015
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2024
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2016
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2025
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2017
# Modify some logrotate files (gammu, ulogd)
2026
# Modify some logrotate files (gammu, ulogd)
2018
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2027
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2019
	chmod 644 /etc/logrotate.d/*
2028
	chmod 644 /etc/logrotate.d/*
2020
# Log compression
2029
# Log compression
2021
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2030
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2022
# actualisation des fichiers logs compressés
2031
# actualisation des fichiers logs compressés
2023
	for dir in firewall dansguardian httpd
2032
	for dir in firewall dansguardian httpd
2024
	do
2033
	do
2025
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2034
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2026
	done
2035
	done
2027
# create the alcasar-load_balancing unit
2036
# create the alcasar-load_balancing unit
2028
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2037
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2029
#  This file is part of systemd.
2038
#  This file is part of systemd.
2030
#
2039
#
2031
#  systemd is free software; you can redistribute it and/or modify it
2040
#  systemd is free software; you can redistribute it and/or modify it
2032
#  under the terms of the GNU General Public License as published by
2041
#  under the terms of the GNU General Public License as published by
2033
#  the Free Software Foundation; either version 2 of the License, or
2042
#  the Free Software Foundation; either version 2 of the License, or
2034
#  (at your option) any later version.
2043
#  (at your option) any later version.
2035
 
2044
 
2036
# This unit lauches alcasar-load-balancing.sh script.
2045
# This unit lauches alcasar-load-balancing.sh script.
2037
[Unit]
2046
[Unit]
2038
Description=alcasar-load_balancing.sh execution
2047
Description=alcasar-load_balancing.sh execution
2039
After=network.target iptables.service
2048
After=network.target iptables.service
2040
 
2049
 
2041
[Service]
2050
[Service]
2042
Type=oneshot
2051
Type=oneshot
2043
RemainAfterExit=yes
2052
RemainAfterExit=yes
2044
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2053
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2045
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2054
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2046
TimeoutSec=0
2055
TimeoutSec=0
2047
SysVStartPriority=99
2056
SysVStartPriority=99
2048
 
2057
 
2049
[Install]
2058
[Install]
2050
WantedBy=multi-user.target
2059
WantedBy=multi-user.target
2051
EOF
2060
EOF
2052
# processes launched at boot time (Systemctl)
2061
# processes launched at boot time (Systemctl)
2053
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2062
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2054
	do
2063
	do
2055
		/usr/bin/systemctl -q enable $i.service
2064
		/usr/bin/systemctl -q enable $i.service
2056
	done
2065
	done
2057
	
2066
	
2058
# disable processes at boot time (Systemctl)
2067
# disable processes at boot time (Systemctl)
2059
	for i in ulogd
2068
	for i in ulogd
2060
	do
2069
	do
2061
		/usr/bin/systemctl -q disable $i.service
2070
		/usr/bin/systemctl -q disable $i.service
2062
	done
2071
	done
2063
	
2072
	
2064
# Apply French Security Agency (ANSSI) rules
2073
# Apply French Security Agency (ANSSI) rules
2065
# ignore ICMP broadcast (smurf attack)
2074
# ignore ICMP broadcast (smurf attack)
2066
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2075
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2067
# ignore ICMP errors bogus
2076
# ignore ICMP errors bogus
2068
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2077
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2069
# remove ICMP redirects responces
2078
# remove ICMP redirects responces
2070
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2079
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2071
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2080
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2072
# enable SYN Cookies (Syn flood attacks)
2081
# enable SYN Cookies (Syn flood attacks)
2073
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2082
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2074
# enable kernel antispoofing
2083
# enable kernel antispoofing
2075
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2084
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2076
# ignore source routing
2085
# ignore source routing
2077
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2086
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2078
# set conntrack timer to 1h (3600s) instead of 5 weeks
2087
# set conntrack timer to 1h (3600s) instead of 5 weeks
2079
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2088
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2080
# disable log_martians (ALCASAR is often installed between two private network addresses) 
2089
# disable log_martians (ALCASAR is often installed between two private network addresses) 
2081
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2090
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2082
# disable iptables_helpers
2091
# disable iptables_helpers
2083
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2092
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2084
# Switch to the router mode
2093
# Switch to the router mode
2085
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2094
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2086
# Remove unused service ipv6
2095
# Remove unused service ipv6
2087
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2096
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2088
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2097
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2089
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2098
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2090
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2099
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2091
# switch to multi-users runlevel (instead of x11)
2100
# switch to multi-users runlevel (instead of x11)
2092
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2101
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2093
#	GRUB modifications (only one time)
2102
#	GRUB modifications (only one time)
2094
# Limit wait time to 3s - Create an alcasar entry instead of linux-nonfb - Change the default banner
2103
# Limit wait time to 3s - Create an alcasar entry instead of linux-nonfb - Change the default banner
2095
	vm_vga=`lsmod | egrep "virtio|vmwgfx" | wc -l` # test if in VM
2104
	vm_vga=`lsmod | egrep "virtio|vmwgfx" | wc -l` # test if in VM
2096
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
2105
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
2097
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2106
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2098
	if [ $grub_already_modified == 0 ] 
2107
	if [ $grub_already_modified == 0 ] 
2099
		then
2108
		then
2100
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
2109
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
2101
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
2110
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
2102
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
2111
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
2103
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
2112
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
2104
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
2113
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
2105
		if [ $vm_vga == 0 ] # is not a VM 
2114
		if [ $vm_vga == 0 ] # is not a VM 
2106
		then
2115
		then
2107
			$SED "/BOOT_IMAGE=linux-nonfb/s/$/ vga=791/" /boot/grub/menu.lst  # change display to 1024*768 (vga791) only if not on VM and only on ALCASAR entry
2116
			$SED "/BOOT_IMAGE=linux-nonfb/s/$/ vga=791/" /boot/grub/menu.lst  # change display to 1024*768 (vga791) only if not on VM and only on ALCASAR entry
2108
		fi
2117
		fi
2109
	fi
2118
	fi
2110
	if [ $vm_vga == 0 ] # is not a VM 
2119
	if [ $vm_vga == 0 ] # is not a VM 
2111
	then
2120
	then
2112
		cp -f $DIR_CONF/banner /etc/mageia-release
2121
		cp -f $DIR_CONF/banner /etc/mageia-release
2113
		echo " V$VERSION" >> /etc/mageia-release
2122
		echo " V$VERSION" >> /etc/mageia-release
2114
	else
2123
	else
2115
		echo "ALCASAR V$VERSION" > /etc/mageia-release
2124
		echo "ALCASAR V$VERSION" > /etc/mageia-release
2116
	fi
2125
	fi
2117
# Load and apply the previous conf file
2126
# Load and apply the previous conf file
2118
	if [ "$mode" = "update" ]
2127
	if [ "$mode" = "update" ]
2119
	then
2128
	then
2120
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2129
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2121
		$DIR_DEST_BIN/alcasar-conf.sh --load
2130
		$DIR_DEST_BIN/alcasar-conf.sh --load
2122
		PARENT_SCRIPT=`basename $0`
2131
		PARENT_SCRIPT=`basename $0`
2123
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2132
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2124
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2133
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2125
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf 
2134
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf 
2126
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2135
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2127
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2136
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2128
	fi
2137
	fi
2129
	rm -f /tmp/alcasar-conf*
2138
	rm -f /tmp/alcasar-conf*
2130
	chown -R root:apache $DIR_DEST_ETC/*
2139
	chown -R root:apache $DIR_DEST_ETC/*
2131
	chmod -R 660 $DIR_DEST_ETC/*
2140
	chmod -R 660 $DIR_DEST_ETC/*
2132
	chmod ug+x $DIR_DEST_ETC/digest
2141
	chmod ug+x $DIR_DEST_ETC/digest
2133
	cd $DIR_INSTALL
2142
	cd $DIR_INSTALL
2134
	echo ""
2143
	echo ""
2135
	echo "#############################################################################"
2144
	echo "#############################################################################"
2136
	if [ $Lang == "fr" ]
2145
	if [ $Lang == "fr" ]
2137
		then
2146
		then
2138
		echo "#                        Fin d'installation d'ALCASAR                       #"
2147
		echo "#                        Fin d'installation d'ALCASAR                       #"
2139
		echo "#                                                                           #"
2148
		echo "#                                                                           #"
2140
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2149
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2141
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2150
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2142
		echo "#                                                                           #"
2151
		echo "#                                                                           #"
2143
		echo "#############################################################################"
2152
		echo "#############################################################################"
2144
		echo
2153
		echo
2145
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2154
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2146
		echo
2155
		echo
2147
		echo "- Lisez attentivement la documentation d'exploitation"
2156
		echo "- Lisez attentivement la documentation d'exploitation"
2148
		echo
2157
		echo
2149
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2158
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2150
		echo
2159
		echo
2151
		echo "                   Appuyez sur 'Entrée' pour continuer"
2160
		echo "                   Appuyez sur 'Entrée' pour continuer"
2152
	else	
2161
	else	
2153
		echo "#                        Enf of ALCASAR install process                     #"
2162
		echo "#                        Enf of ALCASAR install process                     #"
2154
		echo "#                                                                           #"
2163
		echo "#                                                                           #"
2155
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2164
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2156
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2165
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2157
		echo "#                                                                           #"
2166
		echo "#                                                                           #"
2158
		echo "#############################################################################"
2167
		echo "#############################################################################"
2159
		echo
2168
		echo
2160
		echo "- The system will be rebooted in order to operate ALCASAR"
2169
		echo "- The system will be rebooted in order to operate ALCASAR"
2161
		echo
2170
		echo
2162
		echo "- Read the exploitation documentation"
2171
		echo "- Read the exploitation documentation"
2163
		echo
2172
		echo
2164
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2173
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2165
		echo
2174
		echo
2166
		echo "                   Hit 'Enter' to continue"
2175
		echo "                   Hit 'Enter' to continue"
2167
	fi
2176
	fi
2168
	sleep 2
2177
	sleep 2
2169
	if [ "$mode" != "update" ]
2178
	if [ "$mode" != "update" ]
2170
	then
2179
	then
2171
		read a
2180
		read a
2172
	fi
2181
	fi
2173
	clear
2182
	clear
2174
	reboot
2183
	reboot
2175
} # End post_install ()
2184
} # End post_install ()
2176
 
2185
 
2177
#################################
2186
#################################
2178
#  	Main Install loop  	#
2187
#  	Main Install loop  	#
2179
#################################
2188
#################################
2180
dir_exec=`dirname "$0"`
2189
dir_exec=`dirname "$0"`
2181
if [ $dir_exec != "." ]
2190
if [ $dir_exec != "." ]
2182
then
2191
then
2183
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2192
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2184
	echo "Launch this program from the ALCASAR archive directory"
2193
	echo "Launch this program from the ALCASAR archive directory"
2185
	exit 0
2194
	exit 0
2186
fi
2195
fi
2187
if [[ $EUID > 0 ]]
2196
if [[ $EUID > 0 ]]
2188
then
2197
then
2189
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2198
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2190
	echo "You must be "root" to install ALCASAR ('su' command)"
2199
	echo "You must be "root" to install ALCASAR ('su' command)"
2191
	exit 0
2200
	exit 0
2192
fi
2201
fi
2193
VERSION=`cat $DIR_INSTALL/VERSION`
2202
VERSION=`cat $DIR_INSTALL/VERSION`
2194
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2203
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2195
nb_args=$#
2204
nb_args=$#
2196
args=$1
2205
args=$1
2197
if [ $nb_args -eq 0 ]
2206
if [ $nb_args -eq 0 ]
2198
then
2207
then
2199
	nb_args=1
2208
	nb_args=1
2200
	args="-h"
2209
	args="-h"
2201
fi
2210
fi
2202
chmod -R u+x $DIR_SCRIPTS/*
2211
chmod -R u+x $DIR_SCRIPTS/*
2203
case $args in
2212
case $args in
2204
	-\? | -h* | --h*)
2213
	-\? | -h* | --h*)
2205
		echo "$usage"
2214
		echo "$usage"
2206
		exit 0
2215
		exit 0
2207
		;;
2216
		;;
2208
	-i | --install)
2217
	-i | --install)
2209
		header_install
2218
		header_install
2210
		license
2219
		license
2211
		header_install
2220
		header_install
2212
		testing
2221
		testing
2213
# RPMs install
2222
# RPMs install
2214
		$DIR_SCRIPTS/alcasar-urpmi.sh
2223
		$DIR_SCRIPTS/alcasar-urpmi.sh
2215
		if [ "$?" != "0" ]
2224
		if [ "$?" != "0" ]
2216
		then
2225
		then
2217
			exit 0
2226
			exit 0
2218
		fi
2227
		fi
2219
		if [ -e $CONF_FILE ]
2228
		if [ -e $CONF_FILE ]
2220
		then
2229
		then
2221
# Uninstall the running version
2230
# Uninstall the running version
2222
			$DIR_SCRIPTS/alcasar-uninstall.sh -update
2231
			$DIR_SCRIPTS/alcasar-uninstall.sh -update
2223
		fi
2232
		fi
2224
# Test if manual update	
2233
# Test if manual update	
2225
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2234
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2226
		then
2235
		then
2227
			header_install
2236
			header_install
2228
			if [ $Lang == "fr" ]
2237
			if [ $Lang == "fr" ]
2229
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2238
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2230
				else echo "The configuration file of an old version has been found";
2239
				else echo "The configuration file of an old version has been found";
2231
			fi
2240
			fi
2232
			response=0
2241
			response=0
2233
			PTN='^[oOnNyY]$'
2242
			PTN='^[oOnNyY]$'
2234
			until [[ $(expr $response : $PTN) -gt 0 ]]
2243
			until [[ $(expr $response : $PTN) -gt 0 ]]
2235
			do
2244
			do
2236
				if [ $Lang == "fr" ]
2245
				if [ $Lang == "fr" ]
2237
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2246
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2238
					else echo -n "Do you want to use it (Y/n)?";
2247
					else echo -n "Do you want to use it (Y/n)?";
2239
				 fi
2248
				 fi
2240
				read response
2249
				read response
2241
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2250
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2242
				then rm -f /tmp/alcasar-conf*
2251
				then rm -f /tmp/alcasar-conf*
2243
				fi
2252
				fi
2244
			done
2253
			done
2245
		fi
2254
		fi
2246
# Test if update
2255
# Test if update
2247
		if [ -e /tmp/alcasar-conf* ] 
2256
		if [ -e /tmp/alcasar-conf* ] 
2248
		then
2257
		then
2249
			if [ $Lang == "fr" ]
2258
			if [ $Lang == "fr" ]
2250
				then echo "#### Installation avec mise à jour ####";
2259
				then echo "#### Installation avec mise à jour ####";
2251
				else echo "#### Installation with update     ####";
2260
				else echo "#### Installation with update     ####";
2252
			fi
2261
			fi
2253
# Extract the central configuration file
2262
# Extract the central configuration file
2254
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2263
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2255
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2264
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2256
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2265
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2257
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2266
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2258
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2267
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2259
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2268
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2260
			mode="update"
2269
			mode="update"
2261
		fi
2270
		fi
2262
		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec post_install
2271
		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec post_install
2263
		do
2272
		do
2264
			$func
2273
			$func
2265
# echo "*** 'debug' : end of function $func ***"; read a
2274
# echo "*** 'debug' : end of function $func ***"; read a
2266
		done
2275
		done
2267
		;;
2276
		;;
2268
	-u | --uninstall)
2277
	-u | --uninstall)
2269
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2278
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2270
		then
2279
		then
2271
			if [ $Lang == "fr" ]
2280
			if [ $Lang == "fr" ]
2272
				then echo "ALCASAR n'est pas installé!";
2281
				then echo "ALCASAR n'est pas installé!";
2273
				else echo "ALCASAR isn't installed!";
2282
				else echo "ALCASAR isn't installed!";
2274
			fi
2283
			fi
2275
			exit 0
2284
			exit 0
2276
		fi
2285
		fi
2277
		response=0
2286
		response=0
2278
		PTN='^[oOnN]$'
2287
		PTN='^[oOnN]$'
2279
		until [[ $(expr $response : $PTN) -gt 0 ]]
2288
		until [[ $(expr $response : $PTN) -gt 0 ]]
2280
		do
2289
		do
2281
			if [ $Lang == "fr" ]
2290
			if [ $Lang == "fr" ]
2282
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2291
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2283
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2292
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2284
			fi
2293
			fi
2285
			read response
2294
			read response
2286
		done
2295
		done
2287
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2296
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2288
		then
2297
		then
2289
			$DIR_SCRIPTS/alcasar-conf.sh --create
2298
			$DIR_SCRIPTS/alcasar-conf.sh --create
2290
		else	
2299
		else	
2291
			rm -f /tmp/alcasar-conf*
2300
			rm -f /tmp/alcasar-conf*
2292
		fi
2301
		fi
2293
# Uninstall the running version
2302
# Uninstall the running version
2294
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2303
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2295
		;;
2304
		;;
2296
	*)
2305
	*)
2297
		echo "Argument inconnu :$1";
2306
		echo "Argument inconnu :$1";
2298
		echo "Unknown argument :$1";
2307
		echo "Unknown argument :$1";
2299
		echo "$usage"
2308
		echo "$usage"
2300
		exit 1
2309
		exit 1
2301
		;;
2310
		;;
2302
esac
2311
esac
2303
# end of script
2312
# end of script
2304
 
2313
 
2305
 
2314