Subversion Repositories ALCASAR

Rev

Rev 2077 | Rev 2111 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2077 Rev 2088
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2077 2016-11-29 15:47:25Z franck $ 
2
#  $Id: alcasar.sh 2088 2016-12-12 06:57:16Z raphael.pion $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
12
 
12
 
13
#  team@alcasar.net
13
#  team@alcasar.net
14
 
14
 
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
16
# This script is distributed under the Gnu General Public License (GPL)
16
# This script is distributed under the Gnu General Public License (GPL)
17
 
17
 
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
23
 
23
 
24
# Options :
24
# Options :
25
#       -i or --install
25
#       -i or --install
26
#       -u or --uninstall
26
#       -u or --uninstall
27
 
27
 
28
# Functions :
28
# Functions :
29
#	testing			: connectivity tests, free space test and mageia version test
29
#	testing			: connectivity tests, free space test and mageia version test
30
#	init			: Installation of RPM and scripts
30
#	init			: Installation of RPM and scripts
31
#	network			: Network parameters
31
#	network			: Network parameters
32
#	ACC			: ALCASAR Control Center installation
32
#	ACC			: ALCASAR Control Center installation
33
#	CA			: Certification Authority initialization
33
#	CA			: Certification Authority initialization
34
#	time_server		: NTPd configuration
34
#	time_server		: NTPd configuration
35
#	init_db			: Initilization of radius database managed with MariaDB
35
#	init_db			: Initilization of radius database managed with MariaDB
36
#	radius			: FreeRadius initialisation
36
#	radius			: FreeRadius initialisation
37
#	chilli			: coovachilli initialisation (+authentication page)
37
#	chilli			: coovachilli initialisation (+authentication page)
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
39
#	antivirus		: HAVP + libclamav configuration
39
#	antivirus		: HAVP + libclamav configuration
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
42
#	nfsen		:	: Configuration of Nfsen Netflow grapher 
42
#	nfsen		:	: Configuration of Nfsen Netflow grapher 
43
#	dnsmasq			: Name server configuration
43
#	dnsmasq			: Name server configuration
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	post_install		: Security, log rotation, etc.
49
#	post_install		: Security, log rotation, etc.
50
 
50
 
51
DATE=`date '+%d %B %Y - %Hh%M'`
51
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
53
Lang=`echo $LANG|cut -c 1-2`
53
Lang=`echo $LANG|cut -c 1-2`
54
mode="install"
54
mode="install"
55
# ******* Files parameters - paramètres fichiers *********
55
# ******* Files parameters - paramètres fichiers *********
56
DIR_INSTALL=`pwd`				# current directory 
56
DIR_INSTALL=`pwd`				# current directory 
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
59
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
60
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
60
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
61
DIR_WEB="/var/www/html"				# directory of APACHE
61
DIR_WEB="/var/www/html"				# directory of APACHE
62
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
62
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
63
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
63
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
64
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
64
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
# ******* DBMS parameters - paramètres SGBD ********
69
# ******* DBMS parameters - paramètres SGBD ********
70
DB_RADIUS="radius"				# database name used by FreeRadius server
70
DB_RADIUS="radius"				# database name used by FreeRadius server
71
DB_USER="radius"				# user name allows to request the users database
71
DB_USER="radius"				# user name allows to request the users database
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
73
# ******* Network parameters - paramètres réseau *******
73
# ******* Network parameters - paramètres réseau *******
74
HOSTNAME="alcasar"				# default hostname
74
HOSTNAME="alcasar"				# default hostname
75
DOMAIN="localdomain"				# default local domain
75
DOMAIN="localdomain"				# default local domain
76
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
76
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
77
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
78
MTU="1500"
78
MTU="1500"
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
# ****** Paths - chemin des commandes *******
80
# ****** Paths - chemin des commandes *******
81
SED="/bin/sed -i"
81
SED="/bin/sed -i"
82
# ****************** End of global parameters *********************
82
# ****************** End of global parameters *********************
83
 
83
 
84
license ()
84
license ()
85
{
85
{
86
	if [ $Lang == "fr" ]
86
	if [ $Lang == "fr" ]
87
	then
87
	then
88
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
88
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
	else
89
	else
90
		cat $DIR_INSTALL/gpl-warning.txt | more
90
		cat $DIR_INSTALL/gpl-warning.txt | more
91
	fi
91
	fi
92
	response=0
92
	response=0
93
	PTN='^[oOyYnN]$'
93
	PTN='^[oOyYnN]$'
94
	until [[ $(expr $response : $PTN) -gt 0 ]]
94
	until [[ $(expr $response : $PTN) -gt 0 ]]
95
	do
95
	do
96
		if [ $Lang == "fr" ]
96
		if [ $Lang == "fr" ]
97
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
97
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
			else echo -n "Do you accept the terms of this license (Y/n)? : "
98
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
		fi
99
		fi
100
		read response
100
		read response
101
	done
101
	done
102
	if [ "$response" = "n" ] || [ "$response" = "N" ]
102
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	then
103
	then
104
		exit 1
104
		exit 1
105
	fi
105
	fi
106
}
106
}
107
 
107
 
108
header_install ()
108
header_install ()
109
{
109
{
110
	clear
110
	clear
111
	echo "-----------------------------------------------------------------------------"
111
	echo "-----------------------------------------------------------------------------"
112
	echo "                     ALCASAR V$VERSION Installation"
112
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
113
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "-----------------------------------------------------------------------------"
114
	echo "-----------------------------------------------------------------------------"
115
}
115
}
116
 
116
 
117
##################################################################
117
##################################################################
118
##			Function "testing"			##
118
##			Function "testing"			##
119
## - Test of Mageia version					##
119
## - Test of Mageia version					##
120
## - Test of ALCASAR version (if already installed)		##
120
## - Test of ALCASAR version (if already installed)		##
121
## - Test of free space on /var  (>10G)				##
121
## - Test of free space on /var  (>10G)				##
122
## - Test of Internet access					##
122
## - Test of Internet access					##
123
##################################################################
123
##################################################################
124
testing ()
124
testing ()
125
{
125
{
126
# Test of Mageia version
126
# Test of Mageia version
127
# extract the current Mageia version and hardware architecture (i586 ou X64)
127
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
	fic=`cat /etc/product.id`
128
	fic=`cat /etc/product.id`
129
	unknown_os=0
129
	unknown_os=0
130
	old="$IFS"
130
	old="$IFS"
131
	IFS=","
131
	IFS=","
132
	set $fic
132
	set $fic
133
	for i in $*
133
	for i in $*
134
	do
134
	do
135
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
135
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
			then 
136
			then 
137
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
137
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			unknown_os=`expr $unknown_os + 1`
138
			unknown_os=`expr $unknown_os + 1`
139
		fi
139
		fi
140
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
140
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
			then 
141
			then 
142
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
142
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			unknown_os=`expr $unknown_os + 1`
143
			unknown_os=`expr $unknown_os + 1`
144
		fi
144
		fi
145
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
145
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
			then 
146
			then 
147
			ARCH=`echo $i|cut -d"=" -f2`
147
			ARCH=`echo $i|cut -d"=" -f2`
148
			unknown_os=`expr $unknown_os + 1`
148
			unknown_os=`expr $unknown_os + 1`
149
		fi
149
		fi
150
	done
150
	done
151
	IFS="$old"
151
	IFS="$old"
152
# Test if ALCASAR is already installed
152
# Test if ALCASAR is already installed
153
	if [ -e $CONF_FILE ]
153
	if [ -e $CONF_FILE ]
154
	then
154
	then
155
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
155
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
156
		if [ $Lang == "fr" ]
156
		if [ $Lang == "fr" ]
157
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
157
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
158
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
158
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
159
		fi
159
		fi
160
		response=0
160
		response=0
161
		PTN='^[oOnNyY]$'
161
		PTN='^[oOnNyY]$'
162
		until [[ $(expr $response : $PTN) -gt 0 ]]
162
		until [[ $(expr $response : $PTN) -gt 0 ]]
163
		do
163
		do
164
			if [ $Lang == "fr" ]
164
			if [ $Lang == "fr" ]
165
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
165
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
166
				else echo -n "Do you want to update (Y/n)?";
166
				else echo -n "Do you want to update (Y/n)?";
167
			 fi
167
			 fi
168
			read response
168
			read response
169
		done
169
		done
170
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
170
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
171
		then
171
		then
172
			rm -f /tmp/alcasar-conf*
172
			rm -f /tmp/alcasar-conf*
173
		else
173
		else
174
# Retrieve former NICname
174
# Retrieve former NICname
175
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
175
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
176
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
176
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
177
# Create the current conf file
177
# Create the current conf file
178
			$DIR_SCRIPTS/alcasar-conf.sh --create
178
			$DIR_SCRIPTS/alcasar-conf.sh --create
179
			mode="update"
179
			mode="update"
180
		fi
180
		fi
181
	fi
181
	fi
182
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
182
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
183
		then
183
		then
184
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
184
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
185
			then
185
			then
186
			echo
186
			echo
187
			if [ $Lang == "fr" ]
187
			if [ $Lang == "fr" ]
188
				then	
188
				then	
189
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
189
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
190
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
190
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
191
				echo "2 - Installez Linux-Mageia 5 et ALCASAR (cf. doc d'installation)"
191
				echo "2 - Installez Linux-Mageia 5 et ALCASAR (cf. doc d'installation)"
192
				echo "3 - Importez votre base des usagers"
192
				echo "3 - Importez votre base des usagers"
193
			else
193
			else
194
				echo "The automatic update of ALCASAR can't be performed."
194
				echo "The automatic update of ALCASAR can't be performed."
195
				echo "1 - Save your traceability files and the user database"
195
				echo "1 - Save your traceability files and the user database"
196
				echo "2 - Install Linux-Mageia 5 & ALCASAR (cf. installation doc)"
196
				echo "2 - Install Linux-Mageia 5 & ALCASAR (cf. installation doc)"
197
				echo "3 - Import your users database"
197
				echo "3 - Import your users database"
198
			fi
198
			fi
199
		else
199
		else
200
			if [ $Lang == "fr" ]
200
			if [ $Lang == "fr" ]
201
				then	
201
				then	
202
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
202
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
203
			else
203
			else
204
				echo "The installation of ALCASAR can't be performed."
204
				echo "The installation of ALCASAR can't be performed."
205
			fi
205
			fi
206
		fi
206
		fi
207
		echo
207
		echo
208
		if [ $Lang == "fr" ]
208
		if [ $Lang == "fr" ]
209
			then	
209
			then	
210
			echo "Le système d'exploitation doit être remplacé (Mageia5)"
210
			echo "Le système d'exploitation doit être remplacé (Mageia5)"
211
		else
211
		else
212
			echo "The OS must be replaced (Mageia5)"
212
			echo "The OS must be replaced (Mageia5)"
213
		fi
213
		fi
214
		exit 0
214
		exit 0
215
	fi
215
	fi
216
	if [ ! -d /var/log/netflow/porttracker ]
216
	if [ ! -d /var/log/netflow/porttracker ]
217
		then
217
		then
218
# Test of free space on /var
218
# Test of free space on /var
219
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
219
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
220
		if [ $free_space -lt 10 ]
220
		if [ $free_space -lt 10 ]
221
			then
221
			then
222
			if [ $Lang == "fr" ]
222
			if [ $Lang == "fr" ]
223
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
223
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
224
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
224
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
225
			fi
225
			fi
226
		exit 0
226
		exit 0
227
		fi
227
		fi
228
	fi
228
	fi
229
	if [ $Lang == "fr" ]
229
	if [ $Lang == "fr" ]
230
		then echo -n "Tests des paramètres réseau : "
230
		then echo -n "Tests des paramètres réseau : "
231
		else echo -n "Network parameters tests : "
231
		else echo -n "Network parameters tests : "
232
	fi
232
	fi
233
# Test of Ethernet links state
233
# Test of Ethernet links state
234
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
234
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
235
	for i in $DOWN_IF
235
	for i in $DOWN_IF
236
	do
236
	do
237
		if [ $Lang == "fr" ]
237
		if [ $Lang == "fr" ]
238
		then 
238
		then 
239
			echo "Échec"
239
			echo "Échec"
240
			echo "Le lien réseau de la carte $i n'est pas actif."
240
			echo "Le lien réseau de la carte $i n'est pas actif."
241
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
241
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
242
		else
242
		else
243
			echo "Failed"
243
			echo "Failed"
244
			echo "The link state of $i interface is down."
244
			echo "The link state of $i interface is down."
245
			echo "Make sure that this network card is connected to a switch or an A.P."
245
			echo "Make sure that this network card is connected to a switch or an A.P."
246
		fi
246
		fi
247
		exit 0
247
		exit 0
248
	done
248
	done
249
	echo -n "."
249
	echo -n "."
250
 
250
 
251
# Test EXTIF config files
251
# Test EXTIF config files
252
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
252
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
253
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
253
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
254
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
254
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
255
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
255
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
256
	then
256
	then
257
		if [ $Lang == "fr" ]
257
		if [ $Lang == "fr" ]
258
		then 
258
		then 
259
			echo "Échec"
259
			echo "Échec"
260
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
260
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
261
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
261
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
262
			echo "Appliquez les changements : 'systemctl restart network'"
262
			echo "Appliquez les changements : 'systemctl restart network'"
263
		else
263
		else
264
			echo "Failed"
264
			echo "Failed"
265
			echo "The Internet connected network card ($EXTIF) isn't well configured."
265
			echo "The Internet connected network card ($EXTIF) isn't well configured."
266
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
266
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
267
			echo "Apply the new configuration 'systemctl restart network'"
267
			echo "Apply the new configuration 'systemctl restart network'"
268
		fi
268
		fi
269
		echo "DEVICE=$EXTIF"
269
		echo "DEVICE=$EXTIF"
270
		echo "IPADDR="
270
		echo "IPADDR="
271
		echo "NETMASK="
271
		echo "NETMASK="
272
		echo "GATEWAY="
272
		echo "GATEWAY="
273
		echo "DNS1="
273
		echo "DNS1="
274
		echo "DNS2="
274
		echo "DNS2="
275
		echo "ONBOOT=yes"
275
		echo "ONBOOT=yes"
276
		exit 0
276
		exit 0
277
	fi
277
	fi
278
	echo -n "."
278
	echo -n "."
279
 
279
 
280
# Test if router is alive (Box FAI)
280
# Test if router is alive (Box FAI)
281
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
281
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
282
		if [ $Lang == "fr" ]
282
		if [ $Lang == "fr" ]
283
		then 
283
		then 
284
			echo "Échec"
284
			echo "Échec"
285
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
285
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
286
			echo "Réglez ce problème puis relancez ce script."
286
			echo "Réglez ce problème puis relancez ce script."
287
		else
287
		else
288
			echo "Failed"
288
			echo "Failed"
289
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
289
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
290
			echo "Resolv this problem, then restart this script."
290
			echo "Resolv this problem, then restart this script."
291
		fi
291
		fi
292
		exit 0
292
		exit 0
293
	fi
293
	fi
294
	echo -n "."
294
	echo -n "."
295
# On teste le lien vers le routeur par defaut
295
# On teste le lien vers le routeur par defaut
296
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
296
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
297
	if [ $(expr $arp_reply) -eq 0 ]
297
	if [ $(expr $arp_reply) -eq 0 ]
298
	       	then
298
	       	then
299
		if [ $Lang == "fr" ]
299
		if [ $Lang == "fr" ]
300
		then 
300
		then 
301
			echo "Échec"
301
			echo "Échec"
302
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
302
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
303
			echo "Réglez ce problème puis relancez ce script."
303
			echo "Réglez ce problème puis relancez ce script."
304
		else
304
		else
305
			echo "Failed"
305
			echo "Failed"
306
			echo "The Internet gateway doesn't answered"
306
			echo "The Internet gateway doesn't answered"
307
			echo "Resolv this problem, then restart this script."
307
			echo "Resolv this problem, then restart this script."
308
		fi
308
		fi
309
		exit 0
309
		exit 0
310
	fi
310
	fi
311
	echo -n "."
311
	echo -n "."
312
# On teste la connectivité Internet
312
# On teste la connectivité Internet
313
	rm -rf /tmp/con_ok.html
313
	rm -rf /tmp/con_ok.html
314
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
314
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
315
	if [ ! -e /tmp/con_ok.html ]
315
	if [ ! -e /tmp/con_ok.html ]
316
	then
316
	then
317
		if [ $Lang == "fr" ]
317
		if [ $Lang == "fr" ]
318
		then 
318
		then 
319
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
319
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
320
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
320
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
321
			echo "Vérifiez la validité des adresses IP des DNS."
321
			echo "Vérifiez la validité des adresses IP des DNS."
322
		else
322
		else
323
			echo "The Internet connection try failed (google.fr)."
323
			echo "The Internet connection try failed (google.fr)."
324
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
324
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
325
			echo "Verify the DNS IP addresses"
325
			echo "Verify the DNS IP addresses"
326
		fi
326
		fi
327
		exit 0
327
		exit 0
328
	fi
328
	fi
329
	rm -rf /tmp/con_ok.html
329
	rm -rf /tmp/con_ok.html
330
	echo ". : ok"
330
	echo ". : ok"
331
} # end of testing ()
331
} # end of testing ()
332
 
332
 
333
##################################################################
333
##################################################################
334
##			Function "init"				##
334
##			Function "init"				##
335
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
335
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
336
## - Installation et modification des scripts du portail	##
336
## - Installation et modification des scripts du portail	##
337
##################################################################
337
##################################################################
338
init ()
338
init ()
339
{
339
{
340
	if [ "$mode" != "update" ]
340
	if [ "$mode" != "update" ]
341
	then
341
	then
342
# On affecte le nom d'organisme
342
# On affecte le nom d'organisme
343
		header_install
343
		header_install
344
		ORGANISME=!
344
		ORGANISME=!
345
		PTN='^[a-zA-Z0-9-]*$'
345
		PTN='^[a-zA-Z0-9-]*$'
346
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
346
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
347
                do
347
                do
348
			if [ $Lang == "fr" ]
348
			if [ $Lang == "fr" ]
349
			       	then echo -n "Entrez le nom de votre organisme : "
349
			       	then echo -n "Entrez le nom de votre organisme : "
350
				else echo -n "Enter the name of your organism : "
350
				else echo -n "Enter the name of your organism : "
351
			fi
351
			fi
352
			read ORGANISME
352
			read ORGANISME
353
			if [ "$ORGANISME" == "" ]
353
			if [ "$ORGANISME" == "" ]
354
				then
354
				then
355
				ORGANISME=!
355
				ORGANISME=!
356
			fi
356
			fi
357
		done
357
		done
358
	fi
358
	fi
359
# On crée aléatoirement les mots de passe et les secrets partagés
359
# On crée aléatoirement les mots de passe et les secrets partagés
360
	rm -f $PASSWD_FILE
360
	rm -f $PASSWD_FILE
361
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
361
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
362
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
362
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
363
	echo "$grubpwd" >> $PASSWD_FILE
363
	echo "$grubpwd" >> $PASSWD_FILE
364
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
364
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
365
	$SED "/^password.*/d" /boot/grub/menu.lst
365
	$SED "/^password.*/d" /boot/grub/menu.lst
366
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
366
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
367
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
367
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
368
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
368
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
369
	echo "root / $mysqlpwd" >> $PASSWD_FILE
369
	echo "root / $mysqlpwd" >> $PASSWD_FILE
370
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
370
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
371
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
371
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
372
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
372
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
373
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
373
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
374
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
374
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
375
	echo "$secretuam" >> $PASSWD_FILE
375
	echo "$secretuam" >> $PASSWD_FILE
376
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
376
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
377
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
377
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
378
	echo "$secretradius" >> $PASSWD_FILE
378
	echo "$secretradius" >> $PASSWD_FILE
379
	chmod 640 $PASSWD_FILE
379
	chmod 640 $PASSWD_FILE
380
#  copy scripts in in /usr/local/bin
380
#  copy scripts in in /usr/local/bin
381
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
381
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
382
#  copy conf files in /usr/local/etc
382
#  copy conf files in /usr/local/etc
383
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
383
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
384
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
384
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
385
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
385
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
386
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
386
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
387
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
387
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
388
# generate central conf file
388
# generate central conf file
389
	cat <<EOF > $CONF_FILE
389
	cat <<EOF > $CONF_FILE
390
##########################################
390
##########################################
391
##                                      ##
391
##                                      ##
392
##          ALCASAR Parameters          ##
392
##          ALCASAR Parameters          ##
393
##                                      ##
393
##                                      ##
394
##########################################
394
##########################################
395
 
395
 
396
INSTALL_DATE=$DATE
396
INSTALL_DATE=$DATE
397
VERSION=$VERSION
397
VERSION=$VERSION
398
ORGANISM=$ORGANISME
398
ORGANISM=$ORGANISME
399
HOSTNAME=$HOSTNAME
399
HOSTNAME=$HOSTNAME
400
DOMAIN=$DOMAIN
400
DOMAIN=$DOMAIN
401
EOF
401
EOF
402
	chmod o-rwx $CONF_FILE
402
	chmod o-rwx $CONF_FILE
403
} # End of init ()
403
} # End of init ()
404
 
404
 
405
##################################################################
405
##################################################################
406
##			Function "network"			##
406
##			Function "network"			##
407
## - Définition du plan d'adressage du réseau de consultation	##
407
## - Définition du plan d'adressage du réseau de consultation	##
408
## - Nommage DNS du système 					##
408
## - Nommage DNS du système 					##
409
## - Configuration de l'interface INTIF (réseau de consultation)##
409
## - Configuration de l'interface INTIF (réseau de consultation)##
410
## - Modification du fichier /etc/hosts				##
410
## - Modification du fichier /etc/hosts				##
411
## - Renseignement des fichiers hosts.allow et hosts.deny	##
411
## - Renseignement des fichiers hosts.allow et hosts.deny	##
412
##################################################################
412
##################################################################
413
network ()
413
network ()
414
{
414
{
415
	header_install
415
	header_install
416
	if [ "$mode" != "update" ]
416
	if [ "$mode" != "update" ]
417
		then
417
		then
418
		if [ $Lang == "fr" ]
418
		if [ $Lang == "fr" ]
419
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
419
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
420
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
420
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
421
		fi
421
		fi
422
		response=0
422
		response=0
423
		PTN='^[oOyYnN]$'
423
		PTN='^[oOyYnN]$'
424
		until [[ $(expr $response : $PTN) -gt 0 ]]
424
		until [[ $(expr $response : $PTN) -gt 0 ]]
425
		do
425
		do
426
			if [ $Lang == "fr" ]
426
			if [ $Lang == "fr" ]
427
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
427
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
428
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
428
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
429
			fi
429
			fi
430
			read response
430
			read response
431
		done
431
		done
432
		if [ "$response" = "n" ] || [ "$response" = "N" ]
432
		if [ "$response" = "n" ] || [ "$response" = "N" ]
433
		then
433
		then
434
			PRIVATE_IP_MASK="0"
434
			PRIVATE_IP_MASK="0"
435
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
435
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
436
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
436
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
437
			do
437
			do
438
				if [ $Lang == "fr" ]
438
				if [ $Lang == "fr" ]
439
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
439
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
440
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
440
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
441
				fi
441
				fi
442
				read PRIVATE_IP_MASK
442
				read PRIVATE_IP_MASK
443
			done
443
			done
444
		else
444
		else
445
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
445
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
446
		fi
446
		fi
447
	else
447
	else
448
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
448
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
449
		rm -rf conf/etc/alcasar.conf
449
		rm -rf conf/etc/alcasar.conf
450
	fi
450
	fi
451
# Define LAN side global parameters
451
# Define LAN side global parameters
452
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
452
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
453
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
453
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
454
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
454
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
455
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
455
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
456
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
456
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
457
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
457
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
458
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
458
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
459
		then
459
		then
460
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
460
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
461
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
461
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
462
	fi	
462
	fi	
463
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
463
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
464
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
464
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
465
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
465
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
466
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
466
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
467
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
467
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
468
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
468
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
469
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
469
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
470
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
470
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
471
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
471
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
472
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
472
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
473
# Define Internet parameters
473
# Define Internet parameters
474
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
474
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
475
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
475
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
476
	if [ $nb_dns == 2 ]
476
	if [ $nb_dns == 2 ]
477
		then
477
		then
478
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
478
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
479
	fi
479
	fi
480
	DNS1=${DNS1:=208.67.220.220}
480
	DNS1=${DNS1:=208.67.220.220}
481
	DNS2=${DNS2:=208.67.222.222}
481
	DNS2=${DNS2:=208.67.222.222}
482
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
482
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
483
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
483
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
484
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
484
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
485
# Wrtie the conf file
485
# Wrtie the conf file
486
	echo "EXTIF=$EXTIF" >> $CONF_FILE
486
	echo "EXTIF=$EXTIF" >> $CONF_FILE
487
	echo "INTIF=$INTIF" >> $CONF_FILE
487
	echo "INTIF=$INTIF" >> $CONF_FILE
488
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
488
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
489
	if [ $IP_SETTING == "dhcp" ]
489
	if [ $IP_SETTING == "dhcp" ]
490
		then
490
		then
491
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
491
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
492
		echo "GW=dhcp" >> $CONF_FILE
492
		echo "GW=dhcp" >> $CONF_FILE
493
	else
493
	else
494
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
494
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
495
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
495
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
496
	fi
496
	fi
497
	echo "DNS1=$DNS1" >> $CONF_FILE
497
	echo "DNS1=$DNS1" >> $CONF_FILE
498
	echo "DNS2=$DNS2" >> $CONF_FILE
498
	echo "DNS2=$DNS2" >> $CONF_FILE
499
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
499
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
500
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
500
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
501
	echo "DHCP=on" >> $CONF_FILE
501
	echo "DHCP=on" >> $CONF_FILE
502
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
502
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
503
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
503
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
504
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
504
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
505
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
505
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
506
	echo "INT_DNS_IP=none" >> $CONF_FILE
506
	echo "INT_DNS_IP=none" >> $CONF_FILE
507
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
507
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
508
# network default
508
# network default
509
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
509
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
510
	cat <<EOF > /etc/sysconfig/network
510
	cat <<EOF > /etc/sysconfig/network
511
NETWORKING=yes
511
NETWORKING=yes
512
FORWARD_IPV4=true
512
FORWARD_IPV4=true
513
EOF
513
EOF
514
# /etc/hosts config
514
# /etc/hosts config
515
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
515
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
516
	cat <<EOF > /etc/hosts
516
	cat <<EOF > /etc/hosts
517
127.0.0.1	localhost
517
127.0.0.1	localhost
518
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
518
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
519
EOF
519
EOF
520
# EXTIF (Internet) config
520
# EXTIF (Internet) config
521
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
521
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
522
	if [ $IP_SETTING == "dhcp" ]
522
	if [ $IP_SETTING == "dhcp" ]
523
		then
523
		then
524
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
524
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
525
DEVICE=$EXTIF
525
DEVICE=$EXTIF
526
BOOTPROTO=dhcp
526
BOOTPROTO=dhcp
527
DNS1=127.0.0.1
527
DNS1=127.0.0.1
528
PEERDNS=no
528
PEERDNS=no
529
RESOLV_MODS=yes
529
RESOLV_MODS=yes
530
ONBOOT=yes
530
ONBOOT=yes
531
NOZEROCONF=yes
531
NOZEROCONF=yes
532
METRIC=10
532
METRIC=10
533
MII_NOT_SUPPORTED=yes
533
MII_NOT_SUPPORTED=yes
534
IPV6INIT=no
534
IPV6INIT=no
535
IPV6TO4INIT=no
535
IPV6TO4INIT=no
536
ACCOUNTING=no
536
ACCOUNTING=no
537
USERCTL=no
537
USERCTL=no
538
MTU=$MTU
538
MTU=$MTU
539
EOF
539
EOF
540
		else	
540
		else	
541
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
541
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
542
DEVICE=$EXTIF
542
DEVICE=$EXTIF
543
BOOTPROTO=static
543
BOOTPROTO=static
544
IPADDR=$PUBLIC_IP
544
IPADDR=$PUBLIC_IP
545
NETMASK=$PUBLIC_NETMASK
545
NETMASK=$PUBLIC_NETMASK
546
GATEWAY=$PUBLIC_GATEWAY
546
GATEWAY=$PUBLIC_GATEWAY
547
DNS1=127.0.0.1
547
DNS1=127.0.0.1
548
RESOLV_MODS=yes
548
RESOLV_MODS=yes
549
ONBOOT=yes
549
ONBOOT=yes
550
METRIC=10
550
METRIC=10
551
NOZEROCONF=yes
551
NOZEROCONF=yes
552
MII_NOT_SUPPORTED=yes
552
MII_NOT_SUPPORTED=yes
553
IPV6INIT=no
553
IPV6INIT=no
554
IPV6TO4INIT=no
554
IPV6TO4INIT=no
555
ACCOUNTING=no
555
ACCOUNTING=no
556
USERCTL=no
556
USERCTL=no
557
MTU=$MTU
557
MTU=$MTU
558
EOF
558
EOF
559
	fi
559
	fi
560
# Config INTIF (consultation LAN) in normal mode
560
# Config INTIF (consultation LAN) in normal mode
561
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
561
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
562
DEVICE=$INTIF
562
DEVICE=$INTIF
563
BOOTPROTO=static
563
BOOTPROTO=static
564
ONBOOT=yes
564
ONBOOT=yes
565
NOZEROCONF=yes
565
NOZEROCONF=yes
566
MII_NOT_SUPPORTED=yes
566
MII_NOT_SUPPORTED=yes
567
IPV6INIT=no
567
IPV6INIT=no
568
IPV6TO4INIT=no
568
IPV6TO4INIT=no
569
ACCOUNTING=no
569
ACCOUNTING=no
570
USERCTL=no
570
USERCTL=no
571
EOF
571
EOF
572
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
572
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
573
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
573
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
574
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
574
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
575
DEVICE=$INTIF
575
DEVICE=$INTIF
576
BOOTPROTO=static
576
BOOTPROTO=static
577
IPADDR=$PRIVATE_IP
577
IPADDR=$PRIVATE_IP
578
NETMASK=$PRIVATE_NETMASK
578
NETMASK=$PRIVATE_NETMASK
579
ONBOOT=yes
579
ONBOOT=yes
580
METRIC=10
580
METRIC=10
581
NOZEROCONF=yes
581
NOZEROCONF=yes
582
MII_NOT_SUPPORTED=yes
582
MII_NOT_SUPPORTED=yes
583
IPV6INIT=no
583
IPV6INIT=no
584
IPV6TO4INIT=no
584
IPV6TO4INIT=no
585
ACCOUNTING=no
585
ACCOUNTING=no
586
USERCTL=no
586
USERCTL=no
587
EOF
587
EOF
588
# Renseignement des fichiers hosts.allow et hosts.deny
588
# Renseignement des fichiers hosts.allow et hosts.deny
589
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
589
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
590
	cat <<EOF > /etc/hosts.allow
590
	cat <<EOF > /etc/hosts.allow
591
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
591
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
592
sshd: ALL
592
sshd: ALL
593
ntpd: $PRIVATE_NETWORK_SHORT
593
ntpd: $PRIVATE_NETWORK_SHORT
594
EOF
594
EOF
595
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
595
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
596
	cat <<EOF > /etc/hosts.deny
596
	cat <<EOF > /etc/hosts.deny
597
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
597
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
598
EOF
598
EOF
599
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
599
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
600
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
600
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
601
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
601
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
602
# load conntrack ftp module
602
# load conntrack ftp module
603
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
603
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
604
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
604
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
605
# load ipt_NETFLOW module
605
# load ipt_NETFLOW module
606
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
606
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
607
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
607
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
608
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
608
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
609
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
609
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
610
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
610
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
611
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
611
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
612
# 
612
# 
613
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
613
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
614
} # End of network ()
614
} # End of network ()
615
 
615
 
616
##################################################################
616
##################################################################
617
##			Function "ACC"				##
617
##			Function "ACC"				##
618
## - installation of then ALCASAR Control Center (ACC)	)	##
618
## - installation of then ALCASAR Control Center (ACC)	)	##
619
## - configuration of the web server (Apache)			##
619
## - configuration of the web server (Apache)			##
620
## - creation of the first ACC admin account 			##
620
## - creation of the first ACC admin account 			##
621
## - secure the access						##
621
## - secure the access						##
622
##################################################################
622
##################################################################
623
ACC ()
623
ACC ()
624
{
624
{
625
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
625
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
626
	mkdir $DIR_WEB
626
	mkdir $DIR_WEB
627
# Copy & adapt ACC files
627
# Copy & adapt ACC files
628
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
628
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
629
	echo "$VERSION" > $DIR_WEB/VERSION
629
	echo "$VERSION" > $DIR_WEB/VERSION
630
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
630
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
631
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
631
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
632
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
632
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
633
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
633
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
634
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
634
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
635
	chown -R apache:apache $DIR_WEB/*
635
	chown -R apache:apache $DIR_WEB/*
636
# copy & adapt "freeradius-web" files
636
# copy & adapt "freeradius-web" files
637
	cp -rf $DIR_CONF/freeradius-web/ /etc/
637
	cp -rf $DIR_CONF/freeradius-web/ /etc/
638
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
638
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
639
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
639
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
640
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
640
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
641
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
641
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
642
	cat <<EOF > /etc/freeradius-web/naslist.conf
642
	cat <<EOF > /etc/freeradius-web/naslist.conf
643
nas1_name: alcasar-$ORGANISME
643
nas1_name: alcasar-$ORGANISME
644
nas1_model: Network Access Controler
644
nas1_model: Network Access Controler
645
nas1_ip: $PRIVATE_IP
645
nas1_ip: $PRIVATE_IP
646
nas1_port_num: 0
646
nas1_port_num: 0
647
nas1_community: public
647
nas1_community: public
648
EOF
648
EOF
649
	chown -R apache:apache /etc/freeradius-web/
649
	chown -R apache:apache /etc/freeradius-web/
650
# create the log & backup structure :
650
# create the log & backup structure :
651
# - base = users database
651
# - base = users database
652
# - archive = tarball of "base + http firewall + netflow"
652
# - archive = tarball of "base + http firewall + netflow"
653
# - security = watchdog log
653
# - security = watchdog log
654
	for i in base archive security;
654
	for i in base archive security;
655
	do
655
	do
656
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
656
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
657
	done
657
	done
658
	chown -R root:apache $DIR_SAVE
658
	chown -R root:apache $DIR_SAVE
659
# Configuring & securing php
659
# Configuring & securing php
660
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
660
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
661
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
661
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
662
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
662
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
663
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
663
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
664
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
664
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
665
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
665
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
666
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
666
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
667
# Configuring & sécuring Apache
667
# Configuring & sécuring Apache
668
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
668
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
669
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
669
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
670
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
670
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
671
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
671
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
672
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
672
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
673
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
673
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
674
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
674
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
675
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
675
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
676
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
676
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
677
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
677
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
678
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
678
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
679
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
679
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
680
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
680
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
681
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
681
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
682
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
682
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
683
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
683
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
684
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
684
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
685
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
685
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
686
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
686
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
687
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
687
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
688
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
688
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
689
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
689
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
690
# Error page management
690
# Error page management
691
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
691
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
692
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
692
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
693
Alias /error/ "/var/www/html/"
693
Alias /error/ "/var/www/html/"
694
<Directory "/usr/share/httpd/error">
694
<Directory "/usr/share/httpd/error">
695
    AllowOverride None
695
    AllowOverride None
696
    Options IncludesNoExec
696
    Options IncludesNoExec
697
    AddOutputFilter Includes html
697
    AddOutputFilter Includes html
698
    AddHandler type-map var
698
    AddHandler type-map var
699
    Require all granted
699
    Require all granted
700
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
700
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
701
    ForceLanguagePriority Prefer Fallback
701
    ForceLanguagePriority Prefer Fallback
702
</Directory>
702
</Directory>
703
ErrorDocument 400 /error/error.php?error=400
703
ErrorDocument 400 /error/error.php?error=400
704
ErrorDocument 401 /error/error.php?error=401
704
ErrorDocument 401 /error/error.php?error=401
705
ErrorDocument 403 /error/error.php?error=403
705
ErrorDocument 403 /error/error.php?error=403
706
ErrorDocument 404 /error/index.php
706
ErrorDocument 404 /error/index.php
707
ErrorDocument 405 /error/error.php?error=405
707
ErrorDocument 405 /error/error.php?error=405
708
ErrorDocument 408 /error/error.php?error=408
708
ErrorDocument 408 /error/error.php?error=408
709
ErrorDocument 410 /error/error.php?error=410
709
ErrorDocument 410 /error/error.php?error=410
710
ErrorDocument 411 /error/error.php?error=411
710
ErrorDocument 411 /error/error.php?error=411
711
ErrorDocument 412 /error/error.php?error=412
711
ErrorDocument 412 /error/error.php?error=412
712
ErrorDocument 413 /error/error.php?error=413
712
ErrorDocument 413 /error/error.php?error=413
713
ErrorDocument 414 /error/error.php?error=414
713
ErrorDocument 414 /error/error.php?error=414
714
ErrorDocument 415 /error/error.php?error=415
714
ErrorDocument 415 /error/error.php?error=415
715
ErrorDocument 500 /error/error.php?error=500
715
ErrorDocument 500 /error/error.php?error=500
716
ErrorDocument 501 /error/error.php?error=501
716
ErrorDocument 501 /error/error.php?error=501
717
ErrorDocument 502 /error/error.php?error=502
717
ErrorDocument 502 /error/error.php?error=502
718
ErrorDocument 503 /error/error.php?error=503
718
ErrorDocument 503 /error/error.php?error=503
719
ErrorDocument 506 /error/error.php?error=506
719
ErrorDocument 506 /error/error.php?error=506
720
EOF
720
EOF
721
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
721
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
722
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
722
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
723
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
723
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
724
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
724
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
725
</body>
725
</body>
726
</html>
726
</html>
727
EOF
727
EOF
728
# Définition du premier compte lié au profil 'admin'
728
# Définition du premier compte lié au profil 'admin'
729
if [ "$mode" = "install" ]
729
if [ "$mode" = "install" ]
730
	then
730
	then
731
		header_install
731
		header_install
732
		admin_portal=!
732
		admin_portal=!
733
		PTN='^[a-zA-Z0-9-]*$'
733
		PTN='^[a-zA-Z0-9-]*$'
734
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
734
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
735
                	do
735
                	do
736
			header_install
736
			header_install
737
			if [ $Lang == "fr" ]
737
			if [ $Lang == "fr" ]
738
			then 
738
			then 
739
				echo ""
739
				echo ""
740
				echo "Définissez un premier compte d'administration du portail :"
740
				echo "Définissez un premier compte d'administration du portail :"
741
				echo
741
				echo
742
				echo -n "Nom : "
742
				echo -n "Nom : "
743
			else
743
			else
744
				echo ""
744
				echo ""
745
				echo "Define the first account allow to administrate the portal :"
745
				echo "Define the first account allow to administrate the portal :"
746
				echo
746
				echo
747
				echo -n "Account : "
747
				echo -n "Account : "
748
			fi
748
			fi
749
			read admin_portal
749
			read admin_portal
750
			if [ "$admin_portal" == "" ]
750
			if [ "$admin_portal" == "" ]
751
				then
751
				then
752
				admin_portal=!
752
				admin_portal=!
753
			fi
753
			fi
754
			done
754
			done
755
# Creation of keys file for the admin account ("admin")
755
# Creation of keys file for the admin account ("admin")
756
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
756
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
757
		mkdir -p $DIR_DEST_ETC/digest
757
		mkdir -p $DIR_DEST_ETC/digest
758
		chmod 755 $DIR_DEST_ETC/digest
758
		chmod 755 $DIR_DEST_ETC/digest
759
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
759
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
760
			do
760
			do
761
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
761
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
762
			done
762
			done
763
		$DIR_DEST_BIN/alcasar-profil.sh --list
763
		$DIR_DEST_BIN/alcasar-profil.sh --list
764
fi
764
fi
765
# ACC partitioning
765
# ACC partitioning
766
	rm -f /etc/httpd/conf/webapps.d/alcasar*
766
	rm -f /etc/httpd/conf/webapps.d/alcasar*
767
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
767
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
768
<Directory $DIR_ACC>
768
<Directory $DIR_ACC>
769
	SSLRequireSSL
769
	SSLRequireSSL
770
	AllowOverride None
770
	AllowOverride None
771
	Order deny,allow
771
	Order deny,allow
772
	Deny from all
772
	Deny from all
773
	Allow from 127.0.0.1
773
	Allow from 127.0.0.1
774
	Allow from $PRIVATE_NETWORK_MASK
774
	Allow from $PRIVATE_NETWORK_MASK
775
	require valid-user
775
	require valid-user
776
	AuthType digest
776
	AuthType digest
777
	AuthName "ALCASAR Control Center (ACC)" 
777
	AuthName "ALCASAR Control Center (ACC)" 
778
	AuthDigestDomain $HOSTNAME.$DOMAIN
778
	AuthDigestDomain $HOSTNAME.$DOMAIN
779
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
779
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
780
	AuthUserFile $DIR_DEST_ETC/digest/key_all
780
	AuthUserFile $DIR_DEST_ETC/digest/key_all
781
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
781
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
782
</Directory>
782
</Directory>
783
<Directory $DIR_ACC/admin>
783
<Directory $DIR_ACC/admin>
784
	SSLRequireSSL
784
	SSLRequireSSL
785
	AllowOverride None
785
	AllowOverride None
786
	Order deny,allow
786
	Order deny,allow
787
	Deny from all
787
	Deny from all
788
	Allow from 127.0.0.1
788
	Allow from 127.0.0.1
789
	Allow from $PRIVATE_NETWORK_MASK
789
	Allow from $PRIVATE_NETWORK_MASK
790
	require valid-user
790
	require valid-user
791
	AuthType digest
791
	AuthType digest
792
	AuthName "ALCASAR Control Center (ACC)" 
792
	AuthName "ALCASAR Control Center (ACC)" 
793
	AuthDigestDomain $HOSTNAME.$DOMAIN
793
	AuthDigestDomain $HOSTNAME.$DOMAIN
794
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
794
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
795
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
795
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
796
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
796
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
797
</Directory>
797
</Directory>
798
<Directory $DIR_ACC/manager>
798
<Directory $DIR_ACC/manager>
799
	SSLRequireSSL
799
	SSLRequireSSL
800
	AllowOverride None
800
	AllowOverride None
801
	Order deny,allow
801
	Order deny,allow
802
	Deny from all
802
	Deny from all
803
	Allow from 127.0.0.1
803
	Allow from 127.0.0.1
804
	Allow from $PRIVATE_NETWORK_MASK
804
	Allow from $PRIVATE_NETWORK_MASK
805
	require valid-user
805
	require valid-user
806
	AuthType digest
806
	AuthType digest
807
	AuthName "ALCASAR Control Center (ACC)" 
807
	AuthName "ALCASAR Control Center (ACC)" 
808
	AuthDigestDomain $HOSTNAME.$DOMAIN
808
	AuthDigestDomain $HOSTNAME.$DOMAIN
809
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
809
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
810
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
810
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
811
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
812
</Directory>
812
</Directory>
813
<Directory $DIR_ACC/backup>
813
<Directory $DIR_ACC/backup>
814
	SSLRequireSSL
814
	SSLRequireSSL
815
	AllowOverride None
815
	AllowOverride None
816
	Order deny,allow
816
	Order deny,allow
817
	Deny from all
817
	Deny from all
818
	Allow from 127.0.0.1
818
	Allow from 127.0.0.1
819
	Allow from $PRIVATE_NETWORK_MASK
819
	Allow from $PRIVATE_NETWORK_MASK
820
	require valid-user
820
	require valid-user
821
	AuthType digest
821
	AuthType digest
822
	AuthName "ALCASAR Control Center (ACC)" 
822
	AuthName "ALCASAR Control Center (ACC)" 
823
	AuthDigestDomain $HOSTNAME.$DOMAIN
823
	AuthDigestDomain $HOSTNAME.$DOMAIN
824
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
824
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
825
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
825
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
826
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
826
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
827
</Directory>
827
</Directory>
828
Alias /save/ "$DIR_SAVE/"
828
Alias /save/ "$DIR_SAVE/"
829
<Directory $DIR_SAVE>
829
<Directory $DIR_SAVE>
830
	SSLRequireSSL
830
	SSLRequireSSL
831
	Options Indexes
831
	Options Indexes
832
	Order deny,allow
832
	Order deny,allow
833
	Deny from all
833
	Deny from all
834
	Allow from 127.0.0.1
834
	Allow from 127.0.0.1
835
	Allow from $PRIVATE_NETWORK_MASK
835
	Allow from $PRIVATE_NETWORK_MASK
836
	require valid-user
836
	require valid-user
837
	AuthType digest
837
	AuthType digest
838
	AuthName "ALCASAR Control Center (ACC)" 
838
	AuthName "ALCASAR Control Center (ACC)" 
839
	AuthDigestDomain $HOSTNAME.$DOMAIN
839
	AuthDigestDomain $HOSTNAME.$DOMAIN
840
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
840
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
841
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
841
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
842
</Directory>
842
</Directory>
843
<Directory $DIR_WEB/pass>
843
<Directory $DIR_WEB/pass>
844
	SSLRequireSSL
844
	SSLRequireSSL
845
	AllowOverride None
845
	AllowOverride None
846
	Order deny,allow
846
	Order deny,allow
847
	Deny from all
847
	Deny from all
848
	Allow from 127.0.0.1
848
	Allow from 127.0.0.1
849
	Allow from $PRIVATE_NETWORK_MASK
849
	Allow from $PRIVATE_NETWORK_MASK
850
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
850
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
851
</Directory>
851
</Directory>
852
EOF
852
EOF
853
# Replacement of the extension .cer by .der in MIME type
853
# Replacement of the extension .cer by .der in MIME type
854
$SED "s?^application/pkix-cert.*?application/pkix-cert		der?g" /etc/mime.types
854
$SED "s?^application/pkix-cert.*?application/pkix-cert		der?g" /etc/mime.types
855
# Launch after coova (in order to wait tun0 to be up)
855
# Launch after coova (in order to wait tun0 to be up)
856
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
856
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
857
} # End of ACC ()
857
} # End of ACC ()
858
 
858
 
859
##########################################################################
859
##########################################################################
860
##				Fonction "CA"				##
860
##				Fonction "CA"				##
861
## - Creating the CA and the server certificate (apache)	 	##
861
## - Creating the CA and the server certificate (apache)	 	##
862
##########################################################################
862
##########################################################################
863
CA ()
863
CA ()
864
{
864
{
865
	$DIR_DEST_BIN/alcasar-CA.sh
865
	$DIR_DEST_BIN/alcasar-CA.sh
866
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
866
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
867
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
867
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
868
	cat <<EOF > $FIC_VIRTUAL_SSL
868
	cat <<EOF > $FIC_VIRTUAL_SSL
869
# default SSL virtual host, used for all HTTPS requests that do not
869
# default SSL virtual host, used for all HTTPS requests that do not
870
# match a ServerName or ServerAlias in any <VirtualHost> block.
870
# match a ServerName or ServerAlias in any <VirtualHost> block.
871
 
871
 
872
<VirtualHost _default_:443>
872
<VirtualHost _default_:443>
873
# general configuration
873
# general configuration
874
    ServerAdmin root@localhost
874
    ServerAdmin root@localhost
875
    ServerName $HOSTNAME.$DOMAIN
875
    ServerName $HOSTNAME.$DOMAIN
876
 
876
 
877
# SSL configuration
877
# SSL configuration
878
    SSLEngine on
878
    SSLEngine on
879
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
879
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
880
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
880
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
881
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
881
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
882
    CustomLog logs/ssl_request_log \
882
    CustomLog logs/ssl_request_log \
883
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
883
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
884
    ErrorLog logs/ssl_error_log
884
    ErrorLog logs/ssl_error_log
885
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
885
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
886
</VirtualHost>
886
</VirtualHost>
887
EOF
887
EOF
888
	chown -R root:apache /etc/pki
888
	chown -R root:apache /etc/pki
889
	chmod -R 750 /etc/pki
889
	chmod -R 750 /etc/pki
890
} # End of CA ()
890
} # End of CA ()
891
 
891
 
892
##################################################################
892
##################################################################
893
##			Function "time_server"			##
893
##			Function "time_server"			##
894
## - Configuring NTP server					##
894
## - Configuring NTP server					##
895
##################################################################
895
##################################################################
896
time_server ()
896
time_server ()
897
{
897
{
898
# Set the Internet time server
898
# Set the Internet time server
899
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
899
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
900
	cat <<EOF > /etc/ntp/step-tickers
900
	cat <<EOF > /etc/ntp/step-tickers
901
0.fr.pool.ntp.org	# adapt to your country
901
0.fr.pool.ntp.org	# adapt to your country
902
1.fr.pool.ntp.org
902
1.fr.pool.ntp.org
903
2.fr.pool.ntp.org
903
2.fr.pool.ntp.org
904
EOF
904
EOF
905
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
905
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
906
	cat <<EOF > /etc/ntp.conf
906
	cat <<EOF > /etc/ntp.conf
907
server 0.fr.pool.ntp.org	# adapt to your country
907
server 0.fr.pool.ntp.org	# adapt to your country
908
server 1.fr.pool.ntp.org
908
server 1.fr.pool.ntp.org
909
server 2.fr.pool.ntp.org
909
server 2.fr.pool.ntp.org
910
server 127.127.1.0   		# local clock si NTP internet indisponible ...
910
server 127.127.1.0   		# local clock si NTP internet indisponible ...
911
fudge 127.127.1.0 stratum 10
911
fudge 127.127.1.0 stratum 10
912
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
912
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
913
restrict 127.0.0.1
913
restrict 127.0.0.1
914
driftfile /var/lib/ntp/drift
914
driftfile /var/lib/ntp/drift
915
logfile /var/log/ntp.log
915
logfile /var/log/ntp.log
916
disable monitor
916
disable monitor
917
EOF
917
EOF
918
	chown -R ntp:ntp /var/lib/ntp
918
	chown -R ntp:ntp /var/lib/ntp
919
# Synchronize now
919
# Synchronize now
920
	ntpd -q -g &
920
	ntpd -q -g &
921
} # End of time_server ()
921
} # End of time_server ()
922
 
922
 
923
##########################################################################################
923
##########################################################################################
924
##			Fonction "init_db"						##
924
##			Fonction "init_db"						##
925
## - Initialisation de la base Mysql							##
925
## - Initialisation de la base Mysql							##
926
## - Affectation du mot de passe de l'administrateur (root)				##
926
## - Affectation du mot de passe de l'administrateur (root)				##
927
## - Suppression des bases et des utilisateurs superflus				##
927
## - Suppression des bases et des utilisateurs superflus				##
928
## - Création de la base 'radius'							##
928
## - Création de la base 'radius'							##
929
## - Installation du schéma de cette base						##
929
## - Installation du schéma de cette base						##
930
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
930
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
931
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
931
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
932
##########################################################################################
932
##########################################################################################
933
init_db ()
933
init_db ()
934
{
934
{
935
	if [ `systemctl is-active mysqld` == "active" ]
935
	if [ `systemctl is-active mysqld` == "active" ]
936
	then
936
	then
937
		systemctl stop mysqld
937
		systemctl stop mysqld
938
	fi
938
	fi
939
	rm -rf /var/lib/mysql # to be sure that there is no former installation
939
	rm -rf /var/lib/mysql # to be sure that there is no former installation
940
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
940
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
941
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
941
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
942
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
942
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
943
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
943
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
944
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
944
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
945
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
945
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
946
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
946
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
947
	/usr/bin/systemctl start mysqld.service
947
	/usr/bin/systemctl start mysqld.service
948
	nb_round=1
948
	nb_round=1
949
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
949
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
950
	do
950
	do
951
		nb_round=`expr $nb_round + 1`
951
		nb_round=`expr $nb_round + 1`
952
		sleep 2
952
		sleep 2
953
	done
953
	done
954
	if [ ! -S /var/lib/mysql/mysql.sock ]
954
	if [ ! -S /var/lib/mysql/mysql.sock ]
955
	then
955
	then
956
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
956
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
957
		exit
957
		exit
958
	fi
958
	fi
959
	mysqladmin -u root password $mysqlpwd
959
	mysqladmin -u root password $mysqlpwd
960
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
960
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
961
# Secure the server
961
# Secure the server
962
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
962
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
963
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
963
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
964
# Create 'radius' database
964
# Create 'radius' database
965
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
965
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
966
# Add an empty radius database structure
966
# Add an empty radius database structure
967
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
967
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
968
# modify the start script in order to close accounting connexion when the system is comming down or up
968
# modify the start script in order to close accounting connexion when the system is comming down or up
969
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
969
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
970
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
970
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
971
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
971
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
972
	/usr/bin/systemctl daemon-reload
972
	/usr/bin/systemctl daemon-reload
973
} # End of init_db ()
973
} # End of init_db ()
974
 
974
 
975
##########################################################################
975
##########################################################################
976
##			Fonction "radius"				##
976
##			Fonction "radius"				##
977
## - Paramètrage des fichiers de configuration FreeRadius		##
977
## - Paramètrage des fichiers de configuration FreeRadius		##
978
## - Affectation du secret partagé entre coova-chilli et freeradius	##
978
## - Affectation du secret partagé entre coova-chilli et freeradius	##
979
## - Modification de fichier de conf pour l'accès à Mysql		##
979
## - Modification de fichier de conf pour l'accès à Mysql		##
980
##########################################################################
980
##########################################################################
981
radius ()
981
radius ()
982
{
982
{
983
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
983
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
984
	chown -R radius:radius /etc/raddb
984
	chown -R radius:radius /etc/raddb
985
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
985
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
986
# Set radius.conf parameters
986
# Set radius.conf parameters
987
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
987
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
988
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
988
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
989
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
989
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
990
# remove the proxy function
990
# remove the proxy function
991
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
991
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
992
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
992
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
993
# remove EAP module
993
# remove EAP module
994
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
994
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
995
# listen on loopback (should be modified later if EAP enabled)
995
# listen on loopback (should be modified later if EAP enabled)
996
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
996
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
997
# enable the  SQL module (and SQL counter)
997
# enable the  SQL module (and SQL counter)
998
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
998
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
999
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
999
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1000
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1000
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1001
# only include modules for ALCASAR needs
1001
# only include modules for ALCASAR needs
1002
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1002
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1003
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
1003
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
1004
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
1004
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
1005
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
1005
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
1006
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
1006
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
1007
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1007
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1008
# remvove virtual server and copy our conf file
1008
# remvove virtual server and copy our conf file
1009
	rm -f /etc/raddb/sites-enabled/*
1009
	rm -f /etc/raddb/sites-enabled/*
1010
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1010
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1011
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1011
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1012
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1012
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1013
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1013
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1014
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1014
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1015
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1015
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1016
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1016
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1017
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1017
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1018
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1018
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1019
	cat << EOF > /etc/raddb/clients.conf
1019
	cat << EOF > /etc/raddb/clients.conf
1020
client 127.0.0.1 {
1020
client 127.0.0.1 {
1021
	secret = $secretradius
1021
	secret = $secretradius
1022
	shortname = localhost
1022
	shortname = localhost
1023
}
1023
}
1024
EOF
1024
EOF
1025
# sql.conf modification
1025
# sql.conf modification
1026
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1026
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1027
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1027
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1028
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1028
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1029
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1029
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1030
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1030
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1031
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1031
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1032
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1032
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1033
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1033
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1034
# counter.conf modification (change the Max-All-Session-Time counter)
1034
# counter.conf modification (change the Max-All-Session-Time counter)
1035
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1035
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1036
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1036
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1037
	chown -R radius:radius /etc/raddb/sql/mysql/*
1037
	chown -R radius:radius /etc/raddb/sql/mysql/*
1038
# make certain that mysql is up before radius start
1038
# make certain that mysql is up before radius start
1039
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1039
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1040
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1040
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1041
	/usr/bin/systemctl daemon-reload
1041
	/usr/bin/systemctl daemon-reload
1042
} # End radius ()
1042
} # End radius ()
1043
 
1043
 
1044
##################################################################################
1044
##################################################################################
1045
##			Fonction "chilli"					##
1045
##			Fonction "chilli"					##
1046
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1046
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1047
## - Paramètrage de la page d'authentification (intercept.php)			##
1047
## - Paramètrage de la page d'authentification (intercept.php)			##
1048
##################################################################################
1048
##################################################################################
1049
chilli ()
1049
chilli ()
1050
{
1050
{
1051
# chilli unit for systemd
1051
# chilli unit for systemd
1052
cat << EOF > /lib/systemd/system/chilli.service
1052
cat << EOF > /lib/systemd/system/chilli.service
1053
#  This file is part of systemd.
1053
#  This file is part of systemd.
1054
#
1054
#
1055
#  systemd is free software; you can redistribute it and/or modify it
1055
#  systemd is free software; you can redistribute it and/or modify it
1056
#  under the terms of the GNU General Public License as published by
1056
#  under the terms of the GNU General Public License as published by
1057
#  the Free Software Foundation; either version 2 of the License, or
1057
#  the Free Software Foundation; either version 2 of the License, or
1058
#  (at your option) any later version.
1058
#  (at your option) any later version.
1059
[Unit]
1059
[Unit]
1060
Description=chilli is a captive portal daemon
1060
Description=chilli is a captive portal daemon
1061
After=network.target
1061
After=network.target
1062
 
1062
 
1063
[Service]
1063
[Service]
1064
Type=forking
1064
Type=forking
1065
ExecStart=/usr/libexec/chilli start
1065
ExecStart=/usr/libexec/chilli start
1066
ExecStop=/usr/libexec/chilli stop
1066
ExecStop=/usr/libexec/chilli stop
1067
ExecReload=/usr/libexec/chilli reload
1067
ExecReload=/usr/libexec/chilli reload
1068
PIDFile=/var/run/chilli.pid
1068
PIDFile=/var/run/chilli.pid
1069
 
1069
 
1070
[Install]
1070
[Install]
1071
WantedBy=multi-user.target
1071
WantedBy=multi-user.target
1072
EOF
1072
EOF
1073
# init file creation
1073
# init file creation
1074
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1074
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1075
	cat <<EOF > /etc/init.d/chilli
1075
	cat <<EOF > /etc/init.d/chilli
1076
#!/bin/sh
1076
#!/bin/sh
1077
#
1077
#
1078
# chilli CoovaChilli init
1078
# chilli CoovaChilli init
1079
#
1079
#
1080
# chkconfig: 2345 65 35
1080
# chkconfig: 2345 65 35
1081
# description: CoovaChilli
1081
# description: CoovaChilli
1082
### BEGIN INIT INFO
1082
### BEGIN INIT INFO
1083
# Provides:       chilli
1083
# Provides:       chilli
1084
# Required-Start: network 
1084
# Required-Start: network 
1085
# Should-Start: 
1085
# Should-Start: 
1086
# Required-Stop:  network
1086
# Required-Stop:  network
1087
# Should-Stop: 
1087
# Should-Stop: 
1088
# Default-Start:  2 3 5
1088
# Default-Start:  2 3 5
1089
# Default-Stop:
1089
# Default-Stop:
1090
# Description:    CoovaChilli access controller
1090
# Description:    CoovaChilli access controller
1091
### END INIT INFO
1091
### END INIT INFO
1092
 
1092
 
1093
[ -f /usr/sbin/chilli ] || exit 0
1093
[ -f /usr/sbin/chilli ] || exit 0
1094
. /etc/init.d/functions
1094
. /etc/init.d/functions
1095
CONFIG=/etc/chilli.conf
1095
CONFIG=/etc/chilli.conf
1096
pidfile=/var/run/chilli.pid
1096
pidfile=/var/run/chilli.pid
1097
[ -f \$CONFIG ] || {
1097
[ -f \$CONFIG ] || {
1098
    echo "\$CONFIG Not found"
1098
    echo "\$CONFIG Not found"
1099
    exit 0
1099
    exit 0
1100
}
1100
}
1101
RETVAL=0
1101
RETVAL=0
1102
prog="chilli"
1102
prog="chilli"
1103
case \$1 in
1103
case \$1 in
1104
    start)
1104
    start)
1105
	if [ -f \$pidfile ] ; then 
1105
	if [ -f \$pidfile ] ; then 
1106
		gprintf "chilli is already running"
1106
		gprintf "chilli is already running"
1107
	else
1107
	else
1108
        	gprintf "Starting \$prog: "
1108
        	gprintf "Starting \$prog: "
1109
		rm -f /var/run/chilli* # cleaning
1109
		rm -f /var/run/chilli* # cleaning
1110
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1110
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1111
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1111
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1112
		[ -e /dev/net/tun ] || {
1112
		[ -e /dev/net/tun ] || {
1113
	    	(cd /dev; 
1113
	    	(cd /dev; 
1114
			mkdir net; 
1114
			mkdir net; 
1115
			cd net; 
1115
			cd net; 
1116
			mknod tun c 10 200)
1116
			mknod tun c 10 200)
1117
		}
1117
		}
1118
		ifconfig $INTIF 0.0.0.0
1118
		ifconfig $INTIF 0.0.0.0
1119
		/usr/sbin/ethtool -K $INTIF gro off
1119
		/usr/sbin/ethtool -K $INTIF gro off
1120
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1120
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1121
        	RETVAL=$?
1121
        	RETVAL=$?
1122
	fi
1122
	fi
1123
	;;
1123
	;;
1124
 
1124
 
1125
    reload)
1125
    reload)
1126
	killall -HUP chilli
1126
	killall -HUP chilli
1127
	;;
1127
	;;
1128
 
1128
 
1129
    restart)
1129
    restart)
1130
	\$0 stop
1130
	\$0 stop
1131
        sleep 2
1131
        sleep 2
1132
	\$0 start
1132
	\$0 start
1133
	;;
1133
	;;
1134
    
1134
    
1135
    status)
1135
    status)
1136
        status chilli
1136
        status chilli
1137
        RETVAL=0
1137
        RETVAL=0
1138
        ;;
1138
        ;;
1139
 
1139
 
1140
    stop)
1140
    stop)
1141
	if [ -f \$pidfile ] ; then  
1141
	if [ -f \$pidfile ] ; then  
1142
        	gprintf "Shutting down \$prog: "
1142
        	gprintf "Shutting down \$prog: "
1143
		killproc /usr/sbin/chilli
1143
		killproc /usr/sbin/chilli
1144
		RETVAL=\$?
1144
		RETVAL=\$?
1145
		[ \$RETVAL = 0 ] && rm -f $pidfile
1145
		[ \$RETVAL = 0 ] && rm -f $pidfile
1146
	else	
1146
	else	
1147
        	gprintf "chilli is not running"
1147
        	gprintf "chilli is not running"
1148
	fi
1148
	fi
1149
	;;
1149
	;;
1150
    
1150
    
1151
    *)
1151
    *)
1152
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1152
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1153
        exit 1
1153
        exit 1
1154
esac
1154
esac
1155
echo
1155
echo
1156
EOF
1156
EOF
1157
chmod a+x /etc/init.d/chilli
1157
chmod a+x /etc/init.d/chilli
1158
ln -s /etc/init.d/chilli /usr/libexec/chilli
1158
ln -s /etc/init.d/chilli /usr/libexec/chilli
1159
# conf file creation
1159
# conf file creation
1160
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1160
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1161
	#NTP Option configuration for DHCP
1161
	#NTP Option configuration for DHCP
1162
	#DHCP Options : rfc2132
1162
	#DHCP Options : rfc2132
1163
		#dhcp option value will be convert in hexa.
1163
		#dhcp option value will be convert in hexa.
1164
		#NTP option (or 'option 42') is like :
1164
		#NTP option (or 'option 42') is like :
1165
		#			
1165
		#			
1166
		#    Code   Len         Address 1               Address 2
1166
		#    Code   Len         Address 1               Address 2
1167
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1167
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1168
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1168
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1169
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1169
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1170
		#
1170
		#
1171
		#Code : 42 => 2a
1171
		#Code : 42 => 2a
1172
		#Len : 4 => 04
1172
		#Len : 4 => 04
1173
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1173
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1174
	cat <<EOF > /etc/chilli.conf
1174
	cat <<EOF > /etc/chilli.conf
1175
# coova config for ALCASAR
1175
# coova config for ALCASAR
1176
cmdsocket	/var/run/chilli.sock
1176
cmdsocket	/var/run/chilli.sock
1177
unixipc		chilli.$INTIF.ipc
1177
unixipc		chilli.$INTIF.ipc
1178
pidfile		/var/run/chilli.pid
1178
pidfile		/var/run/chilli.pid
1179
net		$PRIVATE_NETWORK_MASK
1179
net		$PRIVATE_NETWORK_MASK
1180
dhcpif		$INTIF
1180
dhcpif		$INTIF
1181
ethers		$DIR_DEST_ETC/alcasar-ethers
1181
ethers		$DIR_DEST_ETC/alcasar-ethers
1182
#nodynip
1182
#nodynip
1183
#statip
1183
#statip
1184
dynip		$PRIVATE_NETWORK_MASK
1184
dynip		$PRIVATE_NETWORK_MASK
1185
domain		$DOMAIN
1185
domain		$DOMAIN
1186
dns1		$PRIVATE_IP
1186
dns1		$PRIVATE_IP
1187
dns2		$PRIVATE_IP
1187
dns2		$PRIVATE_IP
1188
uamlisten	$PRIVATE_IP
1188
uamlisten	$PRIVATE_IP
1189
uamport		3990
1189
uamport		3990
1190
macauth
1190
macauth
1191
macpasswd	password
1191
macpasswd	password
1192
strictmacauth
1192
strictmacauth
1193
locationname	$HOSTNAME.$DOMAIN
1193
locationname	$HOSTNAME.$DOMAIN
1194
radiusserver1	127.0.0.1
1194
radiusserver1	127.0.0.1
1195
radiusserver2	127.0.0.1
1195
radiusserver2	127.0.0.1
1196
radiussecret	$secretradius
1196
radiussecret	$secretradius
1197
radiusauthport	1812
1197
radiusauthport	1812
1198
radiusacctport	1813
1198
radiusacctport	1813
1199
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1199
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1200
radiusnasid	$HOSTNAME.$DOMAIN
1200
radiusnasid	$HOSTNAME.$DOMAIN
1201
uamsecret	$secretuam
1201
uamsecret	$secretuam
1202
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1202
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1203
coaport		3799
1203
coaport		3799
1204
conup		$DIR_DEST_BIN/alcasar-conup.sh
1204
conup		$DIR_DEST_BIN/alcasar-conup.sh
1205
condown		$DIR_DEST_BIN/alcasar-condown.sh
1205
condown		$DIR_DEST_BIN/alcasar-condown.sh
1206
include		$DIR_DEST_ETC/alcasar-uamallowed
1206
include		$DIR_DEST_ETC/alcasar-uamallowed
1207
include		$DIR_DEST_ETC/alcasar-uamdomain
1207
include		$DIR_DEST_ETC/alcasar-uamdomain
1208
dhcpopt		2a04$PRIVATE_IP_HEXA
1208
dhcpopt		2a04$PRIVATE_IP_HEXA
-
 
1209
macup		$DIR_DEST_BIN/alcasar-macup.sh
-
 
1210
macdown		$DIR_DEST_BIN/alcasar-macdown.sh
1209
#dhcpgateway		none
1211
#dhcpgateway		none
1210
#dhcprelayagent		none
1212
#dhcprelayagent		none
1211
#dhcpgatewayport	none
1213
#dhcpgatewayport	none
1212
EOF
1214
EOF
1213
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1215
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1214
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1216
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1215
# create files for trusted domains and urls
1217
# create files for trusted domains and urls
1216
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1218
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1217
	chown root:apache $DIR_DEST_ETC/alcasar-*
1219
	chown root:apache $DIR_DEST_ETC/alcasar-*
1218
	chmod 660 $DIR_DEST_ETC/alcasar-*
1220
	chmod 660 $DIR_DEST_ETC/alcasar-*
1219
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1221
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1220
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1222
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1221
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1223
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1222
# user 'chilli' creation (in order to run conup/off and up/down scripts
1224
# user 'chilli' creation (in order to run conup/off and up/down scripts
1223
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1225
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1224
	if [ "$chilli_exist" == "1" ]
1226
	if [ "$chilli_exist" == "1" ]
1225
	then
1227
	then
1226
	      userdel -r chilli 2>/dev/null
1228
	      userdel -r chilli 2>/dev/null
1227
	fi
1229
	fi
1228
	groupadd -f chilli
1230
	groupadd -f chilli
1229
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1231
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1230
}  # End of chilli ()
1232
}  # End of chilli ()
1231
 
1233
 
1232
##################################################################
1234
##################################################################
1233
##		Fonction "dansguardian"				##
1235
##		Fonction "dansguardian"				##
1234
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1236
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1235
##################################################################
1237
##################################################################
1236
dansguardian ()
1238
dansguardian ()
1237
{
1239
{
1238
	mkdir -p /var/dansguardian /var/log/dansguardian
1240
	mkdir -p /var/dansguardian /var/log/dansguardian
1239
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1241
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1240
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1242
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1241
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1243
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1242
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1244
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1243
# By default the filter is off 
1245
# By default the filter is off 
1244
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1246
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1245
# French deny HTML page
1247
# French deny HTML page
1246
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1248
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1247
# Listen only on LAN side
1249
# Listen only on LAN side
1248
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1250
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1249
# DG send its flow to HAVP
1251
# DG send its flow to HAVP
1250
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1252
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1251
# replace the default deny HTML page
1253
# replace the default deny HTML page
1252
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1254
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1253
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1255
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1254
# Don't log
1256
# Don't log
1255
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1257
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1256
# on désactive par défaut le controle de contenu des pages html
1258
# on désactive par défaut le controle de contenu des pages html
1257
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1259
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1258
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1260
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1259
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1261
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1260
# on désactive par défaut le contrôle d'URL par expressions régulières
1262
# on désactive par défaut le contrôle d'URL par expressions régulières
1261
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1263
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1262
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1264
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1263
 
1265
 
1264
# Configure Dansguardian for large site
1266
# Configure Dansguardian for large site
1265
# Minimum number of processus to handle connections
1267
# Minimum number of processus to handle connections
1266
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1268
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1267
# Maximum number of processus to handle connections
1269
# Maximum number of processus to handle connections
1268
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1270
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1269
# Run at least 8 daemons
1271
# Run at least 8 daemons
1270
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1272
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1271
# minimum number of processes to spawn
1273
# minimum number of processes to spawn
1272
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1274
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1273
# maximum age of a child process before it croaks it
1275
# maximum age of a child process before it croaks it
1274
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1276
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1275
	
1277
	
1276
# on désactive par défaut le contrôle de téléchargement de fichiers
1278
# on désactive par défaut le contrôle de téléchargement de fichiers
1277
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1279
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1278
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1280
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1279
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1281
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1280
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1282
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1281
	touch $DIR_DG/lists/bannedextensionlist
1283
	touch $DIR_DG/lists/bannedextensionlist
1282
	touch $DIR_DG/lists/bannedmimetypelist
1284
	touch $DIR_DG/lists/bannedmimetypelist
1283
# 'Safesearch' regex actualisation
1285
# 'Safesearch' regex actualisation
1284
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1286
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1285
# empty LAN IP list that won't be WEB filtered
1287
# empty LAN IP list that won't be WEB filtered
1286
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1288
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1287
	touch $DIR_DG/lists/exceptioniplist
1289
	touch $DIR_DG/lists/exceptioniplist
1288
# Keep a copy of URL & domain filter configuration files
1290
# Keep a copy of URL & domain filter configuration files
1289
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1291
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1290
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1292
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1291
} # End of dansguardian ()
1293
} # End of dansguardian ()
1292
 
1294
 
1293
##################################################################
1295
##################################################################
1294
##			Fonction "antivirus"			##
1296
##			Fonction "antivirus"			##
1295
## - configuration of havp, libclamav and freshclam		##
1297
## - configuration of havp, libclamav and freshclam		##
1296
##################################################################
1298
##################################################################
1297
antivirus ()		
1299
antivirus ()		
1298
{
1300
{
1299
# create 'havp' user
1301
# create 'havp' user
1300
	havp_exist=`grep havp /etc/passwd|wc -l`
1302
	havp_exist=`grep havp /etc/passwd|wc -l`
1301
	if [ "$havp_exist" == "1" ]
1303
	if [ "$havp_exist" == "1" ]
1302
	then
1304
	then
1303
	      userdel -r havp 2>/dev/null
1305
	      userdel -r havp 2>/dev/null
1304
	      groupdel havp 2>/dev/null
1306
	      groupdel havp 2>/dev/null
1305
	fi
1307
	fi
1306
	groupadd -f havp
1308
	groupadd -f havp
1307
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1309
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1308
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1310
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1309
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1311
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1310
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1312
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1311
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1313
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1312
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1314
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1313
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1315
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1314
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1316
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1315
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1317
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1316
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1318
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1317
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1319
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1318
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1320
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1319
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1321
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1320
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1322
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1321
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1323
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1322
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1324
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1323
# skip checking of youtube flow (too heavy load / risk too low)
1325
# skip checking of youtube flow (too heavy load / risk too low)
1324
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1326
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1325
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1327
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1326
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1328
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1327
# adapt init script and systemd unit
1329
# adapt init script and systemd unit
1328
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1330
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1329
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1331
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1330
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1332
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1331
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1333
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1332
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1334
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1333
# replace of the intercept page (template)
1335
# replace of the intercept page (template)
1334
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1336
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1335
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1337
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1336
# update virus database every 4 hours (24h/6)
1338
# update virus database every 4 hours (24h/6)
1337
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1339
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1338
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1340
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1339
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1341
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1340
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1342
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1341
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1343
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1342
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1344
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1343
# update now
1345
# update now
1344
	/usr/bin/freshclam --no-warnings
1346
	/usr/bin/freshclam --no-warnings
1345
} # End of antivirus ()
1347
} # End of antivirus ()
1346
 
1348
 
1347
##########################################################################
1349
##########################################################################
1348
##			Fonction "tinyproxy"				##
1350
##			Fonction "tinyproxy"				##
1349
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1351
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1350
##########################################################################
1352
##########################################################################
1351
tinyproxy ()		
1353
tinyproxy ()		
1352
{
1354
{
1353
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1355
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1354
	if [ "$tinyproxy_exist" == "1" ]
1356
	if [ "$tinyproxy_exist" == "1" ]
1355
	then
1357
	then
1356
	      userdel -r tinyproxy 2>/dev/null
1358
	      userdel -r tinyproxy 2>/dev/null
1357
	      groupdel tinyproxy 2>/dev/null
1359
	      groupdel tinyproxy 2>/dev/null
1358
	fi
1360
	fi
1359
	groupadd -f tinyproxy
1361
	groupadd -f tinyproxy
1360
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1362
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1361
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1363
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1362
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1364
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1363
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1365
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1364
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1366
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1365
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1367
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1366
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1368
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1367
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1369
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1368
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1370
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1369
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1371
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1370
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1372
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1371
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1373
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1372
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1374
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1373
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1375
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1374
# Create the systemd unit
1376
# Create the systemd unit
1375
cat << EOF > /lib/systemd/system/tinyproxy.service
1377
cat << EOF > /lib/systemd/system/tinyproxy.service
1376
#  This file is part of systemd.
1378
#  This file is part of systemd.
1377
#
1379
#
1378
#  systemd is free software; you can redistribute it and/or modify it
1380
#  systemd is free software; you can redistribute it and/or modify it
1379
#  under the terms of the GNU General Public License as published by
1381
#  under the terms of the GNU General Public License as published by
1380
#  the Free Software Foundation; either version 2 of the License, or
1382
#  the Free Software Foundation; either version 2 of the License, or
1381
#  (at your option) any later version.
1383
#  (at your option) any later version.
1382
 
1384
 
1383
# This unit launches tinyproxy (a very light proxy).
1385
# This unit launches tinyproxy (a very light proxy).
1384
# The "sleep 2" is needed because the pid file isn't ready for systemd
1386
# The "sleep 2" is needed because the pid file isn't ready for systemd
1385
[Unit]
1387
[Unit]
1386
Description=Tinyproxy Web Proxy Server
1388
Description=Tinyproxy Web Proxy Server
1387
After=network.target iptables.service
1389
After=network.target iptables.service
1388
 
1390
 
1389
[Service]
1391
[Service]
1390
Type=forking
1392
Type=forking
1391
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1393
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1392
ExecStartPre=/bin/sleep 2
1394
ExecStartPre=/bin/sleep 2
1393
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1395
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1394
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1396
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1395
 
1397
 
1396
[Install]
1398
[Install]
1397
WantedBy=multi-user.target
1399
WantedBy=multi-user.target
1398
EOF
1400
EOF
1399
 
1401
 
1400
} # end of tinyproxy
1402
} # end of tinyproxy
1401
##################################################################################
1403
##################################################################################
1402
##			function "ulogd"					##
1404
##			function "ulogd"					##
1403
## - Ulog config for multi-log files 						##
1405
## - Ulog config for multi-log files 						##
1404
##################################################################################
1406
##################################################################################
1405
ulogd ()
1407
ulogd ()
1406
{
1408
{
1407
# Three instances of ulogd (three different logfiles)
1409
# Three instances of ulogd (three different logfiles)
1408
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1410
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1409
	nl=1
1411
	nl=1
1410
	for log_type in traceability ssh ext-access
1412
	for log_type in traceability ssh ext-access
1411
	do
1413
	do
1412
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1414
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1413
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1415
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1414
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1416
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1415
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1417
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1416
		if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
1418
		if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
1417
		cat << EOF >> /etc/ulogd-$log_type.conf
1419
		cat << EOF >> /etc/ulogd-$log_type.conf
1418
[emu1]
1420
[emu1]
1419
file="/var/log/firewall/$log_type.log"
1421
file="/var/log/firewall/$log_type.log"
1420
sync=1
1422
sync=1
1421
EOF
1423
EOF
1422
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1424
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1423
		nl=`expr $nl + 1`
1425
		nl=`expr $nl + 1`
1424
	done
1426
	done
1425
	chown -R root:apache /var/log/firewall
1427
	chown -R root:apache /var/log/firewall
1426
	chmod 750 /var/log/firewall
1428
	chmod 750 /var/log/firewall
1427
	chmod 640 /var/log/firewall/*
1429
	chmod 640 /var/log/firewall/*
1428
}  # End of ulogd ()
1430
}  # End of ulogd ()
1429
 
1431
 
1430
 
1432
 
1431
##########################################################
1433
##########################################################
1432
##              Function "nfsen"			##
1434
##              Function "nfsen"			##
1433
## - install the nfsen grapher				##
1435
## - install the nfsen grapher				##
1434
## - install the two plugins porttracker & surfmap	##
1436
## - install the two plugins porttracker & surfmap	##
1435
##########################################################
1437
##########################################################
1436
nfsen()
1438
nfsen()
1437
{
1439
{
1438
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1440
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1439
# Add PortTracker plugin
1441
# Add PortTracker plugin
1440
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1442
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1441
	do
1443
	do
1442
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1444
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1443
	done
1445
	done
1444
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1446
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1445
# use of our conf file and init unit
1447
# use of our conf file and init unit
1446
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1448
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1447
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1449
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1448
	DirTmp=$(pwd)
1450
	DirTmp=$(pwd)
1449
	cd /tmp/nfsen-1.3.7/
1451
	cd /tmp/nfsen-1.3.7/
1450
	/usr/bin/perl install.pl etc/nfsen.conf
1452
	/usr/bin/perl install.pl etc/nfsen.conf
1451
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1453
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1452
# Create RRD DB for porttracker (only in it still doesn't exist)
1454
# Create RRD DB for porttracker (only in it still doesn't exist)
1453
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1455
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1454
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1456
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1455
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1457
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1456
	chmod -R 770 /var/log/netflow/porttracker
1458
	chmod -R 770 /var/log/netflow/porttracker
1457
# nfsen unit for systemd
1459
# nfsen unit for systemd
1458
cat << EOF > /lib/systemd/system/nfsen.service
1460
cat << EOF > /lib/systemd/system/nfsen.service
1459
#  This file is part of systemd.
1461
#  This file is part of systemd.
1460
#
1462
#
1461
#  systemd is free software; you can redistribute it and/or modify it
1463
#  systemd is free software; you can redistribute it and/or modify it
1462
#  under the terms of the GNU General Public License as published by
1464
#  under the terms of the GNU General Public License as published by
1463
#  the Free Software Foundation; either version 2 of the License, or
1465
#  the Free Software Foundation; either version 2 of the License, or
1464
#  (at your option) any later version.
1466
#  (at your option) any later version.
1465
 
1467
 
1466
# This unit launches nfsen (a Netflow grapher).
1468
# This unit launches nfsen (a Netflow grapher).
1467
[Unit]
1469
[Unit]
1468
Description= NfSen init script
1470
Description= NfSen init script
1469
After=network.target iptables.service
1471
After=network.target iptables.service
1470
 
1472
 
1471
[Service]
1473
[Service]
1472
Type=oneshot
1474
Type=oneshot
1473
RemainAfterExit=yes
1475
RemainAfterExit=yes
1474
PIDFile=/var/run/nfsen/nfsen.pid
1476
PIDFile=/var/run/nfsen/nfsen.pid
1475
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1477
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1476
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1478
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1477
ExecStart=/usr/bin/nfsen start 
1479
ExecStart=/usr/bin/nfsen start 
1478
ExecStop=/usr/bin/nfsen stop
1480
ExecStop=/usr/bin/nfsen stop
1479
ExecReload=/usr/bin/nfsen restart
1481
ExecReload=/usr/bin/nfsen restart
1480
TimeoutSec=0
1482
TimeoutSec=0
1481
 
1483
 
1482
[Install]
1484
[Install]
1483
WantedBy=multi-user.target
1485
WantedBy=multi-user.target
1484
EOF
1486
EOF
1485
# Add the listen port to collect netflow packet (nfcapd)
1487
# Add the listen port to collect netflow packet (nfcapd)
1486
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1488
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1487
# expire delay for the profile "live"
1489
# expire delay for the profile "live"
1488
	/usr/bin/systemctl start nfsen
1490
	/usr/bin/systemctl start nfsen
1489
	/bin/nfsen -m live -e 62d 2>/dev/null
1491
	/bin/nfsen -m live -e 62d 2>/dev/null
1490
# add SURFmap plugin
1492
# add SURFmap plugin
1491
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1493
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1492
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1494
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1493
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1495
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1494
	cd /tmp/
1496
	cd /tmp/
1495
	/usr/bin/sh SURFmap/install.sh
1497
	/usr/bin/sh SURFmap/install.sh
1496
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1498
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1497
# clear the installation
1499
# clear the installation
1498
	cd $DirTmp
1500
	cd $DirTmp
1499
	rm -rf /tmp/nfsen*
1501
	rm -rf /tmp/nfsen*
1500
	rm -rf /tmp/SURFmap*
1502
	rm -rf /tmp/SURFmap*
1501
} # End of nfsen ()
1503
} # End of nfsen ()
1502
 
1504
 
1503
##################################################
1505
##################################################
1504
##		Function "vnstat"		##
1506
##		Function "vnstat"		##
1505
## Initialization of Vnstat and vnstat phpFE    ##
1507
## Initialization of Vnstat and vnstat phpFE    ##
1506
##################################################
1508
##################################################
1507
vnstat ()
1509
vnstat ()
1508
{
1510
{
1509
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1511
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1510
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1512
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1511
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1513
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1512
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1514
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1513
	/usr/bin/vnstat -u -i $EXTIF
1515
	/usr/bin/vnstat -u -i $EXTIF
1514
} # End of vnstat	
1516
} # End of vnstat	
1515
##################################################
1517
##################################################
1516
##		Function "dnsmasq"		##
1518
##		Function "dnsmasq"		##
1517
##################################################
1519
##################################################
1518
dnsmasq ()
1520
dnsmasq ()
1519
{
1521
{
1520
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1522
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1521
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1523
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1522
#	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1524
#	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1523
	$SED "s?^.*OPTIONS=.*?#OPTIONS=\"--log-async=250 --log-queries --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq # General Options for dnslog or debugging
1525
	$SED "s?^.*OPTIONS=.*?#OPTIONS=\"--log-async=250 --log-queries --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq # General Options for dnslog or debugging
1524
	$SED "s?^local=.*?local=/$DOMAIN/?g" $DIR_DEST_ETC/alcasar-dns-name # default domain name for all dnsmasq daemons
1526
	$SED "s?^local=.*?local=/$DOMAIN/?g" $DIR_DEST_ETC/alcasar-dns-name # default domain name for all dnsmasq daemons
1525
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1527
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1526
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1528
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1527
	cat << EOF > /etc/dnsmasq.conf
1529
	cat << EOF > /etc/dnsmasq.conf
1528
# Configuration file for "dnsmasq in forward mode"
1530
# Configuration file for "dnsmasq in forward mode"
1529
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1531
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1530
listen-address=$PRIVATE_IP
1532
listen-address=$PRIVATE_IP
1531
pid-file=/var/run/dnsmasq.pid
1533
pid-file=/var/run/dnsmasq.pid
1532
listen-address=127.0.0.1
1534
listen-address=127.0.0.1
1533
no-dhcp-interface=$INTIF
1535
no-dhcp-interface=$INTIF
1534
no-dhcp-interface=tun0
1536
no-dhcp-interface=tun0
1535
no-dhcp-interface=lo
1537
no-dhcp-interface=lo
1536
bind-interfaces
1538
bind-interfaces
1537
cache-size=2048
1539
cache-size=2048
1538
domain-needed
1540
domain-needed
1539
expand-hosts
1541
expand-hosts
1540
bogus-priv
1542
bogus-priv
1541
filterwin2k
1543
filterwin2k
1542
server=$DNS1
1544
server=$DNS1
1543
server=$DNS2
1545
server=$DNS2
1544
# DHCP service is configured. It will be enabled in "bypass" mode
1546
# DHCP service is configured. It will be enabled in "bypass" mode
1545
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1547
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1546
#dhcp-option=option:router,$PRIVATE_IP
1548
#dhcp-option=option:router,$PRIVATE_IP
1547
#dhcp-option=option:ntp-server,$PRIVATE_IP
1549
#dhcp-option=option:ntp-server,$PRIVATE_IP
1548
#domain=$DOMAIN
1550
#domain=$DOMAIN
1549
 
1551
 
1550
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1552
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1551
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1553
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1552
EOF
1554
EOF
1553
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1555
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1554
	cat << EOF > /etc/dnsmasq-blacklist.conf
1556
	cat << EOF > /etc/dnsmasq-blacklist.conf
1555
# Configuration file for "dnsmasq with blacklist"
1557
# Configuration file for "dnsmasq with blacklist"
1556
# Add Toulouse University blacklist domains
1558
# Add Toulouse University blacklist domains
1557
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1559
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1558
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1560
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1559
pid-file=/var/run/dnsmasq-blacklist.pid
1561
pid-file=/var/run/dnsmasq-blacklist.pid
1560
listen-address=$PRIVATE_IP
1562
listen-address=$PRIVATE_IP
1561
port=54
1563
port=54
1562
no-dhcp-interface=$INTIF
1564
no-dhcp-interface=$INTIF
1563
no-dhcp-interface=tun0
1565
no-dhcp-interface=tun0
1564
no-dhcp-interface=lo
1566
no-dhcp-interface=lo
1565
bind-interfaces
1567
bind-interfaces
1566
cache-size=2048
1568
cache-size=2048
1567
domain-needed
1569
domain-needed
1568
expand-hosts
1570
expand-hosts
1569
bogus-priv
1571
bogus-priv
1570
filterwin2k
1572
filterwin2k
1571
log-queries
1573
log-queries
1572
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1574
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1573
server=$DNS1
1575
server=$DNS1
1574
server=$DNS2
1576
server=$DNS2
1575
EOF
1577
EOF
1576
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1578
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1577
	cat << EOF > /etc/dnsmasq-whitelist.conf
1579
	cat << EOF > /etc/dnsmasq-whitelist.conf
1578
# Configuration file for "dnsmasq with whitelist"
1580
# Configuration file for "dnsmasq with whitelist"
1579
# ADD Toulouse university whitelist domains
1581
# ADD Toulouse university whitelist domains
1580
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1582
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1581
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1583
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1582
pid-file=/var/run/dnsmasq-whitelist.pid
1584
pid-file=/var/run/dnsmasq-whitelist.pid
1583
listen-address=$PRIVATE_IP
1585
listen-address=$PRIVATE_IP
1584
port=55
1586
port=55
1585
no-dhcp-interface=$INTIF
1587
no-dhcp-interface=$INTIF
1586
no-dhcp-interface=tun0
1588
no-dhcp-interface=tun0
1587
no-dhcp-interface=lo
1589
no-dhcp-interface=lo
1588
bind-interfaces
1590
bind-interfaces
1589
cache-size=1024
1591
cache-size=1024
1590
domain-needed
1592
domain-needed
1591
expand-hosts
1593
expand-hosts
1592
bogus-priv
1594
bogus-priv
1593
filterwin2k
1595
filterwin2k
1594
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1596
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1595
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1597
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1596
EOF
1598
EOF
1597
# 4th dnsmasq listen on udp 56 ("blackhole")
1599
# 4th dnsmasq listen on udp 56 ("blackhole")
1598
	cat << EOF > /etc/dnsmasq-blackhole.conf
1600
	cat << EOF > /etc/dnsmasq-blackhole.conf
1599
# Configuration file for "dnsmasq as a blackhole"
1601
# Configuration file for "dnsmasq as a blackhole"
1600
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1602
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1601
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1603
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1602
pid-file=/var/run/dnsmasq-blackhole.pid
1604
pid-file=/var/run/dnsmasq-blackhole.pid
1603
listen-address=$PRIVATE_IP
1605
listen-address=$PRIVATE_IP
1604
port=56
1606
port=56
1605
no-dhcp-interface=$INTIF
1607
no-dhcp-interface=$INTIF
1606
no-dhcp-interface=tun0
1608
no-dhcp-interface=tun0
1607
no-dhcp-interface=lo
1609
no-dhcp-interface=lo
1608
bind-interfaces
1610
bind-interfaces
1609
cache-size=256
1611
cache-size=256
1610
domain-needed
1612
domain-needed
1611
expand-hosts
1613
expand-hosts
1612
bogus-priv
1614
bogus-priv
1613
filterwin2k
1615
filterwin2k
1614
EOF
1616
EOF
1615
 
1617
 
1616
# the main instance should start after network and chilli (which create tun0)
1618
# the main instance should start after network and chilli (which create tun0)
1617
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1619
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1618
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1620
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1619
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1621
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1620
	for list in blacklist whitelist blackhole
1622
	for list in blacklist whitelist blackhole
1621
	do
1623
	do
1622
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1624
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1623
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1625
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1624
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1626
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1625
	done
1627
	done
1626
} # End dnsmasq
1628
} # End dnsmasq
1627
 
1629
 
1628
##########################################################
1630
##########################################################
1629
##		Fonction "BL"				##
1631
##		Fonction "BL"				##
1630
##########################################################
1632
##########################################################
1631
BL ()
1633
BL ()
1632
{
1634
{
1633
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1635
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1634
	rm -rf $DIR_DG/lists/blacklists
1636
	rm -rf $DIR_DG/lists/blacklists
1635
	mkdir -p /tmp/blacklists
1637
	mkdir -p /tmp/blacklists
1636
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1638
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1637
# creation of file for the rehabilited domains and urls
1639
# creation of file for the rehabilited domains and urls
1638
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1640
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1639
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1641
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1640
	touch $DIR_DG/lists/exceptionsitelist
1642
	touch $DIR_DG/lists/exceptionsitelist
1641
	touch $DIR_DG/lists/exceptionurllist
1643
	touch $DIR_DG/lists/exceptionurllist
1642
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1644
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1643
	cat <<EOF > $DIR_DG/lists/bannedurllist
1645
	cat <<EOF > $DIR_DG/lists/bannedurllist
1644
# Dansguardian filter config for ALCASAR
1646
# Dansguardian filter config for ALCASAR
1645
EOF
1647
EOF
1646
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1648
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1647
# Dansguardian domain filter config for ALCASAR
1649
# Dansguardian domain filter config for ALCASAR
1648
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1650
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1649
#**
1651
#**
1650
# block all SSL and CONNECT tunnels
1652
# block all SSL and CONNECT tunnels
1651
**s
1653
**s
1652
# block all SSL and CONNECT tunnels specified only as an IP
1654
# block all SSL and CONNECT tunnels specified only as an IP
1653
*ips
1655
*ips
1654
# block all sites specified only by an IP
1656
# block all sites specified only by an IP
1655
*ip
1657
*ip
1656
EOF
1658
EOF
1657
# Add Bing to the safesearch url regext list (parental control)
1659
# Add Bing to the safesearch url regext list (parental control)
1658
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1660
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1659
# Bing - add 'adlt=strict'
1661
# Bing - add 'adlt=strict'
1660
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1662
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1661
EOF
1663
EOF
1662
# change the google safesearch ("safe=strict" instead of "safe=vss")
1664
# change the google safesearch ("safe=strict" instead of "safe=vss")
1663
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1665
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1664
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1666
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1665
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1667
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1666
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1668
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1667
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1669
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1668
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1670
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1669
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1671
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1670
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1672
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1671
# add custom ALCASAR BL files
1673
# add custom ALCASAR BL files
1672
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1674
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1673
	do
1675
	do
1674
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1676
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1675
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1677
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1676
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1678
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1677
	done
1679
	done
1678
	chown -R dansguardian:apache $DIR_DG
1680
	chown -R dansguardian:apache $DIR_DG
1679
	chown -R root:apache $DIR_DEST_SHARE
1681
	chown -R root:apache $DIR_DEST_SHARE
1680
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1682
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1681
# adapt the Toulouse BL to ALCASAR architecture
1683
# adapt the Toulouse BL to ALCASAR architecture
1682
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1684
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1683
# enable the default categories
1685
# enable the default categories
1684
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1686
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1685
}
1687
}
1686
 
1688
 
1687
##########################################################
1689
##########################################################
1688
##		Fonction "cron"				##
1690
##		Fonction "cron"				##
1689
## - Mise en place des différents fichiers de cron	##
1691
## - Mise en place des différents fichiers de cron	##
1690
##########################################################
1692
##########################################################
1691
cron ()
1693
cron ()
1692
{
1694
{
1693
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1695
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1694
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1696
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1695
	cat <<EOF > /etc/crontab
1697
	cat <<EOF > /etc/crontab
1696
SHELL=/usr/bin/bash
1698
SHELL=/usr/bin/bash
1697
PATH=/usr/sbin:/usr/bin
1699
PATH=/usr/sbin:/usr/bin
1698
MAILTO=root
1700
MAILTO=root
1699
HOME=/
1701
HOME=/
1700
 
1702
 
1701
# run-parts
1703
# run-parts
1702
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1704
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1703
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1705
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1704
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1706
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1705
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1707
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1706
EOF
1708
EOF
1707
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1709
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1708
	cat <<EOF >> /etc/anacrontab
1710
	cat <<EOF >> /etc/anacrontab
1709
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1711
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1710
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1712
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1711
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1713
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1712
EOF
1714
EOF
1713
 
1715
 
1714
	cat <<EOF > /etc/cron.d/alcasar-mysql
1716
	cat <<EOF > /etc/cron.d/alcasar-mysql
1715
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1717
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1716
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1718
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1717
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1719
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1718
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1720
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1719
EOF
1721
EOF
1720
	cat <<EOF > /etc/cron.d/alcasar-archive
1722
	cat <<EOF > /etc/cron.d/alcasar-archive
1721
# Archive des logs et de la base de données (tous les lundi à 5h35)
1723
# Archive des logs et de la base de données (tous les lundi à 5h35)
1722
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1724
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1723
EOF
1725
EOF
1724
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1726
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1725
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1727
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1726
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1728
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1727
EOF
1729
EOF
1728
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1730
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1729
# mise à jour automatique de la distribution tous les jours 3h30
1731
# mise à jour automatique de la distribution tous les jours 3h30
1730
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1732
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1731
EOF
1733
EOF
1732
 
1734
 
1733
	cat << EOF > /etc/cron.d/alcasar-connections-stats
1735
	cat << EOF > /etc/cron.d/alcasar-connections-stats
1734
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1736
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1735
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1737
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1736
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1738
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1737
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1739
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1738
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1740
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1739
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1741
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1740
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1742
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1741
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1743
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1742
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1744
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1743
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1745
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1744
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1746
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1745
EOF
1747
EOF
1746
	cat << EOF > /etc/cron.d/alcasar-watchdog
1748
	cat << EOF > /etc/cron.d/alcasar-watchdog
1747
# run the "watchdog" every 3'
1749
# run the "watchdog" every 3'
1748
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1750
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1749
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1751
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1750
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1752
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1751
EOF
1753
EOF
1752
# Enabling the watchdog every 18'
1754
# Enabling the watchdog every 18'
1753
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1755
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1754
# activate  the daemon-watchdog after boot process
1756
# activate  the daemon-watchdog after boot process
1755
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1757
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1756
# activate the daemon-watchdog every 18'
1758
# activate the daemon-watchdog every 18'
1757
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1759
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1758
EOF
1760
EOF
1759
 
1761
 
1760
# Enabling category update from rsync
1762
# Enabling category update from rsync
1761
	cat << EOF > /etc/cron.d/alcasar-rsync_bl
1763
	cat << EOF > /etc/cron.d/alcasar-rsync_bl
1762
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). 
1764
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). 
1763
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1765
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1764
EOF
1766
EOF
1765
 
1767
 
1766
# removing the users crons
1768
# removing the users crons
1767
	rm -f /var/spool/cron/*
1769
	rm -f /var/spool/cron/*
1768
} # End cron
1770
} # End cron
1769
 
1771
 
1770
##################################################################
1772
##################################################################
1771
## 			Fonction "Fail2Ban"			##
1773
## 			Fonction "Fail2Ban"			##
1772
##- Modification de la configuration de fail2ban		##
1774
##- Modification de la configuration de fail2ban		##
1773
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1775
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1774
##################################################################
1776
##################################################################
1775
fail2ban()
1777
fail2ban()
1776
{
1778
{
1777
	$DIR_CONF/fail2ban.sh
1779
	$DIR_CONF/fail2ban.sh
1778
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1780
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1779
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1781
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1780
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1782
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1781
	chmod 644 /var/log/fail2ban.log
1783
	chmod 644 /var/log/fail2ban.log
1782
	chmod 644 /var/Save/security/watchdog.log
1784
	chmod 644 /var/Save/security/watchdog.log
1783
	/usr/bin/touch /var/log/auth.log
1785
	/usr/bin/touch /var/log/auth.log
1784
# fail2ban unit
1786
# fail2ban unit
1785
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1787
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1786
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1788
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1787
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1789
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1788
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1790
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1789
} #Fin de fail2ban_install()
1791
} #Fin de fail2ban_install()
1790
 
1792
 
1791
##################################################################
1793
##################################################################
1792
## 			Fonction "gammu_smsd"			##
1794
## 			Fonction "gammu_smsd"			##
1793
## - Creation de la base de donnée Gammu			##
1795
## - Creation de la base de donnée Gammu			##
1794
## - Creation du fichier de config: gammu_smsd_conf		##
1796
## - Creation du fichier de config: gammu_smsd_conf		##
1795
##								##
1797
##								##
1796
##################################################################
1798
##################################################################
1797
gammu_smsd()
1799
gammu_smsd()
1798
{
1800
{
1799
# Create 'gammu' databse
1801
# Create 'gammu' databse
1800
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1802
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1801
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1803
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1802
# Add a gammu database structure
1804
# Add a gammu database structure
1803
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1805
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1804
 
1806
 
1805
# config file for the daemon
1807
# config file for the daemon
1806
cat << EOF > /etc/gammu_smsd_conf
1808
cat << EOF > /etc/gammu_smsd_conf
1807
[gammu]
1809
[gammu]
1808
port = /dev/ttyUSB0
1810
port = /dev/ttyUSB0
1809
connection = at115200
1811
connection = at115200
1810
 
1812
 
1811
;########################################################
1813
;########################################################
1812
 
1814
 
1813
[smsd]
1815
[smsd]
1814
 
1816
 
1815
PIN = 1234
1817
PIN = 1234
1816
 
1818
 
1817
logfile = /var/log/gammu-smsd/gammu-smsd.log
1819
logfile = /var/log/gammu-smsd/gammu-smsd.log
1818
logformat = textall
1820
logformat = textall
1819
debuglevel = 0
1821
debuglevel = 0
1820
 
1822
 
1821
service = sql
1823
service = sql
1822
driver = native_mysql
1824
driver = native_mysql
1823
user = $DB_USER
1825
user = $DB_USER
1824
password = $radiuspwd
1826
password = $radiuspwd
1825
pc = localhost
1827
pc = localhost
1826
database = $DB_GAMMU
1828
database = $DB_GAMMU
1827
 
1829
 
1828
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1830
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1829
 
1831
 
1830
StatusFrequency = 30
1832
StatusFrequency = 30
1831
;LoopSleep = 2
1833
;LoopSleep = 2
1832
 
1834
 
1833
;ResetFrequency = 300
1835
;ResetFrequency = 300
1834
;HardResetFrequency = 120
1836
;HardResetFrequency = 120
1835
 
1837
 
1836
CheckSecurity = 1 
1838
CheckSecurity = 1 
1837
CheckSignal = 1
1839
CheckSignal = 1
1838
CheckBattery = 0
1840
CheckBattery = 0
1839
EOF
1841
EOF
1840
 
1842
 
1841
chmod 755 /etc/gammu_smsd_conf
1843
chmod 755 /etc/gammu_smsd_conf
1842
 
1844
 
1843
#Creation dossier de log Gammu-smsd
1845
#Creation dossier de log Gammu-smsd
1844
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1846
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1845
chmod 755 /var/log/gammu-smsd
1847
chmod 755 /var/log/gammu-smsd
1846
 
1848
 
1847
#Edition du script sql gammu <-> radius
1849
#Edition du script sql gammu <-> radius
1848
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1850
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1849
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1851
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1850
 
1852
 
1851
#Création de la règle udev pour les Huawei // idVendor: 12d1
1853
#Création de la règle udev pour les Huawei // idVendor: 12d1
1852
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1854
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1853
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1855
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1854
EOF
1856
EOF
1855
 
1857
 
1856
} # END gammu_smsd()
1858
} # END gammu_smsd()
1857
 
1859
 
1858
##################################################################
1860
##################################################################
1859
##			Fonction "post_install"			##
1861
##			Fonction "post_install"			##
1860
## - Modification des bannières (locales et ssh) et des prompts ##
1862
## - Modification des bannières (locales et ssh) et des prompts ##
1861
## - Installation de la structure de chiffrement pour root	##
1863
## - Installation de la structure de chiffrement pour root	##
1862
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1864
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1863
## - Mise en place du la rotation des logs			##
1865
## - Mise en place du la rotation des logs			##
1864
## - Configuration dans le cas d'une mise à jour		##
1866
## - Configuration dans le cas d'une mise à jour		##
1865
##################################################################
1867
##################################################################
1866
post_install()
1868
post_install()
1867
{
1869
{
1868
# création de la bannière locale
1870
# création de la bannière locale
1869
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1871
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1870
	cp -f $DIR_CONF/banner /etc/mageia-release
1872
	cp -f $DIR_CONF/banner /etc/mageia-release
1871
	echo " V$VERSION" >> /etc/mageia-release
1873
	echo " V$VERSION" >> /etc/mageia-release
1872
# création de la bannière SSH
1874
# création de la bannière SSH
1873
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1875
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1874
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1876
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1875
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1877
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1876
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1878
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1877
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1879
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1878
# postfix banner anonymisation
1880
# postfix banner anonymisation
1879
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1881
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1880
	chown -R postfix:postfix /var/lib/postfix
1882
	chown -R postfix:postfix /var/lib/postfix
1881
# sshd écoute côté LAN et WAN
1883
# sshd écoute côté LAN et WAN
1882
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1884
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1883
# sshd autorise les connections root par certificat
1885
# sshd autorise les connections root par certificat
1884
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1886
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1885
	# Put the default values in conf file
1887
	# Put the default values in conf file
1886
	echo "SSH=on" >> $CONF_FILE
1888
	echo "SSH=on" >> $CONF_FILE
1887
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1889
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1888
	echo "LDAP=off" >> $CONF_FILE
1890
	echo "LDAP=off" >> $CONF_FILE
1889
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1891
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1890
	echo "MULTIWAN=off" >> $CONF_FILE
1892
	echo "MULTIWAN=off" >> $CONF_FILE
1891
	echo "FAILOVER=30" >> $CONF_FILE
1893
	echo "FAILOVER=30" >> $CONF_FILE
1892
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1894
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1893
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1895
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1894
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1896
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1895
# Coloration des prompts
1897
# Coloration des prompts
1896
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1898
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1897
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1899
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1898
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1900
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1899
# Droits d'exécution pour utilisateur apache et sysadmin
1901
# Droits d'exécution pour utilisateur apache et sysadmin
1900
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1902
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1901
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1903
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1902
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1904
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1903
# Modify some logrotate files (gammu, ulogd)
1905
# Modify some logrotate files (gammu, ulogd)
1904
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1906
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1905
	chmod 644 /etc/logrotate.d/*
1907
	chmod 644 /etc/logrotate.d/*
1906
# rectification sur versions précédentes de la compression des logs
1908
# rectification sur versions précédentes de la compression des logs
1907
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1909
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1908
# actualisation des fichiers logs compressés
1910
# actualisation des fichiers logs compressés
1909
	for dir in firewall dansguardian httpd
1911
	for dir in firewall dansguardian httpd
1910
	do
1912
	do
1911
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1913
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1912
	done
1914
	done
1913
# create the alcasar-load_balancing unit
1915
# create the alcasar-load_balancing unit
1914
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1916
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1915
#  This file is part of systemd.
1917
#  This file is part of systemd.
1916
#
1918
#
1917
#  systemd is free software; you can redistribute it and/or modify it
1919
#  systemd is free software; you can redistribute it and/or modify it
1918
#  under the terms of the GNU General Public License as published by
1920
#  under the terms of the GNU General Public License as published by
1919
#  the Free Software Foundation; either version 2 of the License, or
1921
#  the Free Software Foundation; either version 2 of the License, or
1920
#  (at your option) any later version.
1922
#  (at your option) any later version.
1921
 
1923
 
1922
# This unit lauches alcasar-load-balancing.sh script.
1924
# This unit lauches alcasar-load-balancing.sh script.
1923
[Unit]
1925
[Unit]
1924
Description=alcasar-load_balancing.sh execution
1926
Description=alcasar-load_balancing.sh execution
1925
After=network.target iptables.service
1927
After=network.target iptables.service
1926
 
1928
 
1927
[Service]
1929
[Service]
1928
Type=oneshot
1930
Type=oneshot
1929
RemainAfterExit=yes
1931
RemainAfterExit=yes
1930
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
1932
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
1931
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1933
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1932
TimeoutSec=0
1934
TimeoutSec=0
1933
SysVStartPriority=99
1935
SysVStartPriority=99
1934
 
1936
 
1935
[Install]
1937
[Install]
1936
WantedBy=multi-user.target
1938
WantedBy=multi-user.target
1937
EOF
1939
EOF
1938
# processes launched at boot time (Systemctl)
1940
# processes launched at boot time (Systemctl)
1939
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
1941
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
1940
	do
1942
	do
1941
		/usr/bin/systemctl -q enable $i.service
1943
		/usr/bin/systemctl -q enable $i.service
1942
	done
1944
	done
1943
	
1945
	
1944
# disable processes at boot time (Systemctl)
1946
# disable processes at boot time (Systemctl)
1945
	for i in ulogd
1947
	for i in ulogd
1946
	do
1948
	do
1947
		/usr/bin/systemctl -q disable $i.service
1949
		/usr/bin/systemctl -q disable $i.service
1948
	done
1950
	done
1949
	
1951
	
1950
# Apply French Security Agency (ANSSI) rules
1952
# Apply French Security Agency (ANSSI) rules
1951
# ignore ICMP broadcast (smurf attack)
1953
# ignore ICMP broadcast (smurf attack)
1952
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1954
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1953
# ignore ICMP errors bogus
1955
# ignore ICMP errors bogus
1954
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1956
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1955
# remove ICMP redirects responces
1957
# remove ICMP redirects responces
1956
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1958
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1957
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1959
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1958
# enable SYN Cookies (Syn flood attacks)
1960
# enable SYN Cookies (Syn flood attacks)
1959
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1961
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1960
# enable kernel antispoofing
1962
# enable kernel antispoofing
1961
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1963
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1962
# ignore source routing
1964
# ignore source routing
1963
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1965
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1964
# set conntrack timer to 1h (3600s) instead of 5 weeks
1966
# set conntrack timer to 1h (3600s) instead of 5 weeks
1965
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1967
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1966
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1968
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1967
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1969
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1968
# disable iptables_helpers
1970
# disable iptables_helpers
1969
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
1971
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
1970
# Switch to the router mode
1972
# Switch to the router mode
1971
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
1973
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
1972
# Remove unused service ipv6
1974
# Remove unused service ipv6
1973
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
1975
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
1974
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1976
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1975
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
1977
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
1976
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1978
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1977
# remove Magic SysReq Keys
1979
# remove Magic SysReq Keys
1978
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1980
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1979
# switch to multi-users runlevel (instead of x11)
1981
# switch to multi-users runlevel (instead of x11)
1980
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1982
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1981
#	GRUB modifications (only one time)
1983
#	GRUB modifications (only one time)
1982
# limit wait time to 3s
1984
# limit wait time to 3s
1983
# create an alcasar entry instead of linux-nonfb
1985
# create an alcasar entry instead of linux-nonfb
1984
# change display to 1024*768 (vga791)
1986
# change display to 1024*768 (vga791)
1985
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
1987
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
1986
	if [ $grub_already_modified == 0 ]
1988
	if [ $grub_already_modified == 0 ]
1987
		then
1989
		then
1988
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1990
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1989
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1991
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1990
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1992
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1991
		$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1993
		$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1992
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1994
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1993
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
1995
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
1994
	fi
1996
	fi
1995
# Load and apply the previous conf file
1997
# Load and apply the previous conf file
1996
	if [ "$mode" = "update" ]
1998
	if [ "$mode" = "update" ]
1997
	then
1999
	then
1998
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2000
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1999
		$DIR_DEST_BIN/alcasar-conf.sh --load
2001
		$DIR_DEST_BIN/alcasar-conf.sh --load
2000
		PARENT_SCRIPT=`basename $0`
2002
		PARENT_SCRIPT=`basename $0`
2001
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2003
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2002
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2004
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2003
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2005
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2004
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2006
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2005
	fi
2007
	fi
2006
	rm -f /tmp/alcasar-conf*
2008
	rm -f /tmp/alcasar-conf*
2007
	chown -R root:apache $DIR_DEST_ETC/*
2009
	chown -R root:apache $DIR_DEST_ETC/*
2008
	chmod -R 660 $DIR_DEST_ETC/*
2010
	chmod -R 660 $DIR_DEST_ETC/*
2009
	chmod ug+x $DIR_DEST_ETC/digest
2011
	chmod ug+x $DIR_DEST_ETC/digest
2010
	cd $DIR_INSTALL
2012
	cd $DIR_INSTALL
2011
	echo ""
2013
	echo ""
2012
	echo "#############################################################################"
2014
	echo "#############################################################################"
2013
	if [ $Lang == "fr" ]
2015
	if [ $Lang == "fr" ]
2014
		then
2016
		then
2015
		echo "#                        Fin d'installation d'ALCASAR                       #"
2017
		echo "#                        Fin d'installation d'ALCASAR                       #"
2016
		echo "#                                                                           #"
2018
		echo "#                                                                           #"
2017
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2019
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2018
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2020
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2019
		echo "#                                                                           #"
2021
		echo "#                                                                           #"
2020
		echo "#############################################################################"
2022
		echo "#############################################################################"
2021
		echo
2023
		echo
2022
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2024
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2023
		echo
2025
		echo
2024
		echo "- Lisez attentivement la documentation d'exploitation"
2026
		echo "- Lisez attentivement la documentation d'exploitation"
2025
		echo
2027
		echo
2026
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
2028
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
2027
		echo
2029
		echo
2028
		echo "                   Appuyez sur 'Entrée' pour continuer"
2030
		echo "                   Appuyez sur 'Entrée' pour continuer"
2029
	else	
2031
	else	
2030
		echo "#                        Enf of ALCASAR install process                     #"
2032
		echo "#                        Enf of ALCASAR install process                     #"
2031
		echo "#                                                                           #"
2033
		echo "#                                                                           #"
2032
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2034
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2033
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2035
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2034
		echo "#                                                                           #"
2036
		echo "#                                                                           #"
2035
		echo "#############################################################################"
2037
		echo "#############################################################################"
2036
		echo
2038
		echo
2037
		echo "- The system will be rebooted in order to operate ALCASAR"
2039
		echo "- The system will be rebooted in order to operate ALCASAR"
2038
		echo
2040
		echo
2039
		echo "- Read the exploitation documentation"
2041
		echo "- Read the exploitation documentation"
2040
		echo
2042
		echo
2041
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2043
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2042
		echo
2044
		echo
2043
		echo "                   Hit 'Enter' to continue"
2045
		echo "                   Hit 'Enter' to continue"
2044
	fi
2046
	fi
2045
	sleep 2
2047
	sleep 2
2046
	if [ "$mode" != "update" ]
2048
	if [ "$mode" != "update" ]
2047
	then
2049
	then
2048
		read a
2050
		read a
2049
	fi
2051
	fi
2050
	clear
2052
	clear
2051
	reboot
2053
	reboot
2052
} # End post_install ()
2054
} # End post_install ()
2053
 
2055
 
2054
#################################
2056
#################################
2055
#  	Main Install loop  	#
2057
#  	Main Install loop  	#
2056
#################################
2058
#################################
2057
dir_exec=`dirname "$0"`
2059
dir_exec=`dirname "$0"`
2058
if [ $dir_exec != "." ]
2060
if [ $dir_exec != "." ]
2059
then
2061
then
2060
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2062
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2061
	echo "Launch this program from the ALCASAR archive directory"
2063
	echo "Launch this program from the ALCASAR archive directory"
2062
	exit 0
2064
	exit 0
2063
fi
2065
fi
2064
VERSION=`cat $DIR_INSTALL/VERSION`
2066
VERSION=`cat $DIR_INSTALL/VERSION`
2065
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2067
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2066
nb_args=$#
2068
nb_args=$#
2067
args=$1
2069
args=$1
2068
if [ $nb_args -eq 0 ]
2070
if [ $nb_args -eq 0 ]
2069
then
2071
then
2070
	nb_args=1
2072
	nb_args=1
2071
	args="-h"
2073
	args="-h"
2072
fi
2074
fi
2073
chmod -R u+x $DIR_SCRIPTS/*
2075
chmod -R u+x $DIR_SCRIPTS/*
2074
case $args in
2076
case $args in
2075
	-\? | -h* | --h*)
2077
	-\? | -h* | --h*)
2076
		echo "$usage"
2078
		echo "$usage"
2077
		exit 0
2079
		exit 0
2078
		;;
2080
		;;
2079
	-i | --install)
2081
	-i | --install)
2080
		header_install
2082
		header_install
2081
		license
2083
		license
2082
		header_install
2084
		header_install
2083
		testing
2085
		testing
2084
# RPMs install
2086
# RPMs install
2085
		$DIR_SCRIPTS/alcasar-urpmi.sh
2087
		$DIR_SCRIPTS/alcasar-urpmi.sh
2086
		if [ "$?" != "0" ]
2088
		if [ "$?" != "0" ]
2087
		then
2089
		then
2088
			exit 0
2090
			exit 0
2089
		fi
2091
		fi
2090
		if [ -e $CONF_FILE ]
2092
		if [ -e $CONF_FILE ]
2091
		then
2093
		then
2092
# Uninstall the running version
2094
# Uninstall the running version
2093
			$DIR_SCRIPTS/alcasar-uninstall.sh
2095
			$DIR_SCRIPTS/alcasar-uninstall.sh
2094
		fi
2096
		fi
2095
# Test if manual update	
2097
# Test if manual update	
2096
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2098
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2097
		then
2099
		then
2098
			header_install
2100
			header_install
2099
			if [ $Lang == "fr" ]
2101
			if [ $Lang == "fr" ]
2100
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2102
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2101
				else echo "The configuration file of an old version has been found";
2103
				else echo "The configuration file of an old version has been found";
2102
			fi
2104
			fi
2103
			response=0
2105
			response=0
2104
			PTN='^[oOnNyY]$'
2106
			PTN='^[oOnNyY]$'
2105
			until [[ $(expr $response : $PTN) -gt 0 ]]
2107
			until [[ $(expr $response : $PTN) -gt 0 ]]
2106
			do
2108
			do
2107
				if [ $Lang == "fr" ]
2109
				if [ $Lang == "fr" ]
2108
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2110
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2109
					else echo -n "Do you want to use it (Y/n)?";
2111
					else echo -n "Do you want to use it (Y/n)?";
2110
				 fi
2112
				 fi
2111
				read response
2113
				read response
2112
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2114
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2113
				then rm -f /tmp/alcasar-conf*
2115
				then rm -f /tmp/alcasar-conf*
2114
				fi
2116
				fi
2115
			done
2117
			done
2116
		fi
2118
		fi
2117
# Test if update
2119
# Test if update
2118
		if [ -e /tmp/alcasar-conf* ] 
2120
		if [ -e /tmp/alcasar-conf* ] 
2119
		then
2121
		then
2120
			if [ $Lang == "fr" ]
2122
			if [ $Lang == "fr" ]
2121
				then echo "#### Installation avec mise à jour ####";
2123
				then echo "#### Installation avec mise à jour ####";
2122
				else echo "#### Installation with update     ####";
2124
				else echo "#### Installation with update     ####";
2123
			fi
2125
			fi
2124
# Extract the central configuration file
2126
# Extract the central configuration file
2125
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2127
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2126
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2128
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2127
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2129
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2128
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2130
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2129
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2131
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2130
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2132
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2131
			mode="update"
2133
			mode="update"
2132
		fi
2134
		fi
2133
		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2135
		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2134
		do
2136
		do
2135
			$func
2137
			$func
2136
# echo "*** 'debug' : end of function $func ***"; read a
2138
# echo "*** 'debug' : end of function $func ***"; read a
2137
		done
2139
		done
2138
		;;
2140
		;;
2139
	-u | --uninstall)
2141
	-u | --uninstall)
2140
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2142
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2141
		then
2143
		then
2142
			if [ $Lang == "fr" ]
2144
			if [ $Lang == "fr" ]
2143
				then echo "ALCASAR n'est pas installé!";
2145
				then echo "ALCASAR n'est pas installé!";
2144
				else echo "ALCASAR isn't installed!";
2146
				else echo "ALCASAR isn't installed!";
2145
			fi
2147
			fi
2146
			exit 0
2148
			exit 0
2147
		fi
2149
		fi
2148
		response=0
2150
		response=0
2149
		PTN='^[oOnN]$'
2151
		PTN='^[oOnN]$'
2150
		until [[ $(expr $response : $PTN) -gt 0 ]]
2152
		until [[ $(expr $response : $PTN) -gt 0 ]]
2151
		do
2153
		do
2152
			if [ $Lang == "fr" ]
2154
			if [ $Lang == "fr" ]
2153
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2155
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2154
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2156
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2155
			fi
2157
			fi
2156
			read response
2158
			read response
2157
		done
2159
		done
2158
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2160
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2159
		then
2161
		then
2160
			$DIR_SCRIPTS/alcasar-conf.sh --create
2162
			$DIR_SCRIPTS/alcasar-conf.sh --create
2161
		else	
2163
		else	
2162
			rm -f /tmp/alcasar-conf*
2164
			rm -f /tmp/alcasar-conf*
2163
		fi
2165
		fi
2164
# Uninstall the running version
2166
# Uninstall the running version
2165
		$DIR_SCRIPTS/alcasar-uninstall.sh
2167
		$DIR_SCRIPTS/alcasar-uninstall.sh
2166
		;;
2168
		;;
2167
	*)
2169
	*)
2168
		echo "Argument inconnu :$1";
2170
		echo "Argument inconnu :$1";
2169
		echo "Unknown argument :$1";
2171
		echo "Unknown argument :$1";
2170
		echo "$usage"
2172
		echo "$usage"
2171
		exit 1
2173
		exit 1
2172
		;;
2174
		;;
2173
esac
2175
esac
2174
# end of script
2176
# end of script
2175
 
2177
 
2176
 
2178