Subversion Repositories ALCASAR

Rev

Rev 1703 | Rev 1705 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1703 Rev 1704
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 1703 2015-10-19 09:27:28Z richard $ 
2
#  $Id: alcasar.sh 1704 2015-10-19 12:50:17Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
12
 
12
 
13
#  team@alcasar.net
13
#  team@alcasar.net
14
 
14
 
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
16
# This script is distributed under the Gnu General Public License (GPL)
16
# This script is distributed under the Gnu General Public License (GPL)
17
 
17
 
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
23
 
23
 
24
# Options :
24
# Options :
25
#       -i or --install
25
#       -i or --install
26
#       -u or --uninstall
26
#       -u or --uninstall
27
 
27
 
28
# Functions :
28
# Functions :
29
#	testing			: connectivity tests, free space test and mageia version test
29
#	testing			: connectivity tests, free space test and mageia version test
30
#	init			: Installation of RPM and scripts
30
#	init			: Installation of RPM and scripts
31
#	network			: Network parameters
31
#	network			: Network parameters
32
#	ACC			: ALCASAR Control Center installation
32
#	ACC			: ALCASAR Control Center installation
33
#	CA			: Certification Authority initialization
33
#	CA			: Certification Authority initialization
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	radius			: FreeRadius initialisation
35
#	radius			: FreeRadius initialisation
36
#	radius_web		: copy ans modifiy original "freeradius web" in ACC
36
#	radius_web		: copy ans modifiy original "freeradius web" in ACC
37
#	chilli			: coovachilli initialisation (+authentication page)
37
#	chilli			: coovachilli initialisation (+authentication page)
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
39
#	antivirus		: HAVP + libclamav configuration
39
#	antivirus		: HAVP + libclamav configuration
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
42
#	nfsen		:	: Configuration du grapheur nfsen pour apache 
42
#	nfsen		:	: Configuration du grapheur nfsen pour apache 
43
#	dnsmasq			: Name server configuration
43
#	dnsmasq			: Name server configuration
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	post_install		: Security, log rotation, etc.
49
#	post_install		: Security, log rotation, etc.
50
 
50
 
51
DATE=`date '+%d %B %Y - %Hh%M'`
51
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
53
Lang=`echo $LANG|cut -c 1-2`
53
Lang=`echo $LANG|cut -c 1-2`
54
mode="install"
54
mode="install"
55
# ******* Files parameters - paramètres fichiers *********
55
# ******* Files parameters - paramètres fichiers *********
56
DIR_INSTALL=`pwd`				# current directory 
56
DIR_INSTALL=`pwd`				# current directory 
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
59
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
60
DIR_WEB="/var/www/html"				# directory of APACHE
60
DIR_WEB="/var/www/html"				# directory of APACHE
61
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
61
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
62
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
62
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
63
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
63
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
64
DIR_DEST_SBIN="/usr/local/sbin"			# directory of ALCASAR admin scripts
64
DIR_DEST_SBIN="/usr/local/sbin"			# directory of ALCASAR admin scripts
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
# ******* DBMS parameters - paramètres SGBD ********
69
# ******* DBMS parameters - paramètres SGBD ********
70
DB_RADIUS="radius"				# database name used by FreeRadius server
70
DB_RADIUS="radius"				# database name used by FreeRadius server
71
DB_USER="radius"				# user name allows to request the users database
71
DB_USER="radius"				# user name allows to request the users database
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
73
# ******* Network parameters - paramètres réseau *******
73
# ******* Network parameters - paramètres réseau *******
74
HOSTNAME="alcasar"				# default hostname
74
HOSTNAME="alcasar"				# default hostname
75
DOMAIN="localdomain"				# default local domain
75
DOMAIN="localdomain"				# default local domain
76
EXTIF=`/sbin/ip route|grep default|head -n1|cut -d" " -f5`						# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
76
EXTIF=`/sbin/ip route|grep default|head -n1|cut -d" " -f5`						# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
INTIF=`/sbin/ip	link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
77
INTIF=`/sbin/ip	link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
78
MTU="1500"
78
MTU="1500"
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
# ****** Paths - chemin des commandes *******
80
# ****** Paths - chemin des commandes *******
81
SED="/bin/sed -i"
81
SED="/bin/sed -i"
82
# ****************** End of global parameters *********************
82
# ****************** End of global parameters *********************
83
 
83
 
84
license ()
84
license ()
85
{
85
{
86
	if [ $Lang == "fr" ]
86
	if [ $Lang == "fr" ]
87
	then
87
	then
88
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
88
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
	else
89
	else
90
		cat $DIR_INSTALL/gpl-warning.txt | more
90
		cat $DIR_INSTALL/gpl-warning.txt | more
91
	fi
91
	fi
92
	response=0
92
	response=0
93
	PTN='^[oOyYnN]$'
93
	PTN='^[oOyYnN]$'
94
	until [[ $(expr $response : $PTN) -gt 0 ]]
94
	until [[ $(expr $response : $PTN) -gt 0 ]]
95
	do
95
	do
96
		if [ $Lang == "fr" ]
96
		if [ $Lang == "fr" ]
97
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
97
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
			else echo -n "Do you accept the terms of this license (Y/n)? : "
98
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
		fi
99
		fi
100
		read response
100
		read response
101
	done
101
	done
102
	if [ "$response" = "n" ] || [ "$response" = "N" ]
102
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	then
103
	then
104
		exit 1
104
		exit 1
105
	fi
105
	fi
106
}
106
}
107
 
107
 
108
header_install ()
108
header_install ()
109
{
109
{
110
	clear
110
	clear
111
	echo "-----------------------------------------------------------------------------"
111
	echo "-----------------------------------------------------------------------------"
112
	echo "                     ALCASAR V$VERSION Installation"
112
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
113
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "-----------------------------------------------------------------------------"
114
	echo "-----------------------------------------------------------------------------"
115
}
115
}
116
 
116
 
117
##################################################################
117
##################################################################
118
##			Function "testing"			##
118
##			Function "testing"			##
119
## - Test of Mageia version					##
119
## - Test of Mageia version					##
120
## - Test of ALCASAR version (if already installed)		##
120
## - Test of ALCASAR version (if already installed)		##
121
## - Test of free space on /var  (>10G)				##
121
## - Test of free space on /var  (>10G)				##
122
## - Test of Internet access					##
122
## - Test of Internet access					##
123
##################################################################
123
##################################################################
124
testing ()
124
testing ()
125
{
125
{
126
# Test of Mageia version
126
# Test of Mageia version
127
# extract the current Mageia version and hardware architecture (i586 ou X64)
127
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
	fic=`cat /etc/product.id`
128
	fic=`cat /etc/product.id`
129
	unknown_os=0
129
	unknown_os=0
130
	old="$IFS"
130
	old="$IFS"
131
	IFS=","
131
	IFS=","
132
	set $fic
132
	set $fic
133
	for i in $*
133
	for i in $*
134
	do
134
	do
135
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
135
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
			then 
136
			then 
137
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
137
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			unknown_os=`expr $unknown_os + 1`
138
			unknown_os=`expr $unknown_os + 1`
139
		fi
139
		fi
140
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
140
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
			then 
141
			then 
142
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
142
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			unknown_os=`expr $unknown_os + 1`
143
			unknown_os=`expr $unknown_os + 1`
144
		fi
144
		fi
145
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
145
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
			then 
146
			then 
147
			ARCH=`echo $i|cut -d"=" -f2`
147
			ARCH=`echo $i|cut -d"=" -f2`
148
			unknown_os=`expr $unknown_os + 1`
148
			unknown_os=`expr $unknown_os + 1`
149
		fi
149
		fi
150
	done
150
	done
151
	IFS="$old"
151
	IFS="$old"
152
# Test if ALCASAR is already installed
152
# Test if ALCASAR is already installed
153
	if [ -e $CONF_FILE ]
153
	if [ -e $CONF_FILE ]
154
	then
154
	then
155
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
155
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
156
		if [ $Lang == "fr" ]
156
		if [ $Lang == "fr" ]
157
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
157
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
158
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
158
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
159
		fi
159
		fi
160
		response=0
160
		response=0
161
		PTN='^[oOnNyY]$'
161
		PTN='^[oOnNyY]$'
162
		until [[ $(expr $response : $PTN) -gt 0 ]]
162
		until [[ $(expr $response : $PTN) -gt 0 ]]
163
		do
163
		do
164
			if [ $Lang == "fr" ]
164
			if [ $Lang == "fr" ]
165
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
165
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
166
				else echo -n "Do you want to update (Y/n)?";
166
				else echo -n "Do you want to update (Y/n)?";
167
			 fi
167
			 fi
168
			read response
168
			read response
169
		done
169
		done
170
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
170
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
171
		then
171
		then
172
			rm -f /tmp/alcasar-conf*
172
			rm -f /tmp/alcasar-conf*
173
		else
173
		else
174
# Retrieve former NICname
174
# Retrieve former NICname
175
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
175
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
176
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
176
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
177
# Create the current conf file
177
# Create the current conf file
178
			$DIR_SCRIPTS/alcasar-conf.sh --create
178
			$DIR_SCRIPTS/alcasar-conf.sh --create
179
			mode="update"
179
			mode="update"
180
		fi
180
		fi
181
	fi
181
	fi
182
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
182
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
183
		then
183
		then
184
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
184
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
185
			then
185
			then
186
			echo
186
			echo
187
			if [ $Lang == "fr" ]
187
			if [ $Lang == "fr" ]
188
				then	
188
				then	
189
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
189
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
190
				echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
190
				echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
191
				echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
191
				echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
192
				echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
192
				echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
193
			else
193
			else
194
				echo "The automatic update of ALCASAR can't be performed."
194
				echo "The automatic update of ALCASAR can't be performed."
195
				echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
195
				echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
196
				echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
196
				echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
197
				echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
197
				echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
198
			fi
198
			fi
199
		else
199
		else
200
			if [ $Lang == "fr" ]
200
			if [ $Lang == "fr" ]
201
				then	
201
				then	
202
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
202
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
203
			else
203
			else
204
				echo "The installation of ALCASAR can't be performed."
204
				echo "The installation of ALCASAR can't be performed."
205
			fi
205
			fi
206
		fi
206
		fi
207
		echo
207
		echo
208
		if [ $Lang == "fr" ]
208
		if [ $Lang == "fr" ]
209
			then	
209
			then	
210
			echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
210
			echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
211
		else
211
		else
212
			echo "The OS must be replaced (Mageia4.1)"
212
			echo "The OS must be replaced (Mageia4.1)"
213
		fi
213
		fi
214
		exit 0
214
		exit 0
215
	fi
215
	fi
216
	if [ ! -d /var/log/netflow/porttracker ]
216
	if [ ! -d /var/log/netflow/porttracker ]
217
		then
217
		then
218
# Test of free space on /var
218
# Test of free space on /var
219
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
219
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
220
		if [ $free_space -lt 10 ]
220
		if [ $free_space -lt 10 ]
221
			then
221
			then
222
			if [ $Lang == "fr" ]
222
			if [ $Lang == "fr" ]
223
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
223
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
224
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
224
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
225
			fi
225
			fi
226
		exit 0
226
		exit 0
227
		fi
227
		fi
228
	fi
228
	fi
229
	if [ $Lang == "fr" ]
229
	if [ $Lang == "fr" ]
230
		then echo -n "Tests des paramètres réseau : "
230
		then echo -n "Tests des paramètres réseau : "
231
		else echo -n "Network parameters tests : "
231
		else echo -n "Network parameters tests : "
232
	fi
232
	fi
233
# Test of Ethernet links state
233
# Test of Ethernet links state
234
	DOWN_IF=`/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
234
	DOWN_IF=`/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
235
	for i in $DOWN_IF
235
	for i in $DOWN_IF
236
	do
236
	do
237
		if [ $Lang == "fr" ]
237
		if [ $Lang == "fr" ]
238
		then 
238
		then 
239
			echo "Échec"
239
			echo "Échec"
240
			echo "Le lien réseau de la carte $i n'est pas actif."
240
			echo "Le lien réseau de la carte $i n'est pas actif."
241
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
241
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
242
		else
242
		else
243
			echo "Failed"
243
			echo "Failed"
244
			echo "The link state of $i interface is down."
244
			echo "The link state of $i interface is down."
245
			echo "Make sure that this network card is connected to a switch or an A.P."
245
			echo "Make sure that this network card is connected to a switch or an A.P."
246
		fi
246
		fi
247
		exit 0
247
		exit 0
248
	done
248
	done
249
	echo -n "."
249
	echo -n "."
250
 
250
 
251
# Test EXTIF config files
251
# Test EXTIF config files
252
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
252
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
253
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
253
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
254
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
254
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
255
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
255
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
256
	then
256
	then
257
		if [ $Lang == "fr" ]
257
		if [ $Lang == "fr" ]
258
		then 
258
		then 
259
			echo "Échec"
259
			echo "Échec"
260
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
260
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
261
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
261
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
262
			echo "Appliquez les changements : 'systemctl restart network'"
262
			echo "Appliquez les changements : 'systemctl restart network'"
263
		else
263
		else
264
			echo "Failed"
264
			echo "Failed"
265
			echo "The Internet connected network card ($EXTIF) isn't well configured."
265
			echo "The Internet connected network card ($EXTIF) isn't well configured."
266
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
266
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
267
			echo "Apply the new configuration 'systemctl restart network'"
267
			echo "Apply the new configuration 'systemctl restart network'"
268
		fi
268
		fi
269
		echo "DEVICE=$EXTIF"
269
		echo "DEVICE=$EXTIF"
270
		echo "IPADDR="
270
		echo "IPADDR="
271
		echo "NETMASK="
271
		echo "NETMASK="
272
		echo "GATEWAY="
272
		echo "GATEWAY="
273
		echo "DNS1="
273
		echo "DNS1="
274
		echo "DNS2="
274
		echo "DNS2="
275
		echo "ONBOOT=yes"
275
		echo "ONBOOT=yes"
276
		exit 0
276
		exit 0
277
	fi
277
	fi
278
	echo -n "."
278
	echo -n "."
279
 
279
 
280
# Test if router is alive (Box FAI)
280
# Test if router is alive (Box FAI)
281
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
281
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
282
		if [ $Lang == "fr" ]
282
		if [ $Lang == "fr" ]
283
		then 
283
		then 
284
			echo "Échec"
284
			echo "Échec"
285
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
285
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
286
			echo "Réglez ce problème puis relancez ce script."
286
			echo "Réglez ce problème puis relancez ce script."
287
		else
287
		else
288
			echo "Failed"
288
			echo "Failed"
289
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
289
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
290
			echo "Resolv this problem, then restart this script."
290
			echo "Resolv this problem, then restart this script."
291
		fi
291
		fi
292
		exit 0
292
		exit 0
293
	fi
293
	fi
294
	echo -n "."
294
	echo -n "."
295
# On teste le lien vers le routeur par defaut
295
# On teste le lien vers le routeur par defaut
296
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
296
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
297
	if [ $(expr $arp_reply) -eq 0 ]
297
	if [ $(expr $arp_reply) -eq 0 ]
298
	       	then
298
	       	then
299
		if [ $Lang == "fr" ]
299
		if [ $Lang == "fr" ]
300
		then 
300
		then 
301
			echo "Échec"
301
			echo "Échec"
302
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
302
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
303
			echo "Réglez ce problème puis relancez ce script."
303
			echo "Réglez ce problème puis relancez ce script."
304
		else
304
		else
305
			echo "Failed"
305
			echo "Failed"
306
			echo "The Internet gateway doesn't answered"
306
			echo "The Internet gateway doesn't answered"
307
			echo "Resolv this problem, then restart this script."
307
			echo "Resolv this problem, then restart this script."
308
		fi
308
		fi
309
		exit 0
309
		exit 0
310
	fi
310
	fi
311
	echo -n "."
311
	echo -n "."
312
# On teste la connectivité Internet
312
# On teste la connectivité Internet
313
	rm -rf /tmp/con_ok.html
313
	rm -rf /tmp/con_ok.html
314
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
314
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
315
	if [ ! -e /tmp/con_ok.html ]
315
	if [ ! -e /tmp/con_ok.html ]
316
	then
316
	then
317
		if [ $Lang == "fr" ]
317
		if [ $Lang == "fr" ]
318
		then 
318
		then 
319
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
319
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
320
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
320
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
321
			echo "Vérifiez la validité des adresses IP des DNS."
321
			echo "Vérifiez la validité des adresses IP des DNS."
322
		else
322
		else
323
			echo "The Internet connection try failed (google.fr)."
323
			echo "The Internet connection try failed (google.fr)."
324
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
324
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
325
			echo "Verify the DNS IP addresses"
325
			echo "Verify the DNS IP addresses"
326
		fi
326
		fi
327
		exit 0
327
		exit 0
328
	fi
328
	fi
329
	rm -rf /tmp/con_ok.html
329
	rm -rf /tmp/con_ok.html
330
	echo ". : ok"
330
	echo ". : ok"
331
} # end of testing ()
331
} # end of testing ()
332
 
332
 
333
##################################################################
333
##################################################################
334
##			Function "init"				##
334
##			Function "init"				##
335
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
335
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
336
## - Installation et modification des scripts du portail	##
336
## - Installation et modification des scripts du portail	##
337
##################################################################
337
##################################################################
338
init ()
338
init ()
339
{
339
{
340
	if [ "$mode" != "update" ]
340
	if [ "$mode" != "update" ]
341
	then
341
	then
342
# On affecte le nom d'organisme
342
# On affecte le nom d'organisme
343
		header_install
343
		header_install
344
		ORGANISME=!
344
		ORGANISME=!
345
		PTN='^[a-zA-Z0-9-]*$'
345
		PTN='^[a-zA-Z0-9-]*$'
346
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
346
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
347
                do
347
                do
348
			if [ $Lang == "fr" ]
348
			if [ $Lang == "fr" ]
349
			       	then echo -n "Entrez le nom de votre organisme : "
349
			       	then echo -n "Entrez le nom de votre organisme : "
350
				else echo -n "Enter the name of your organism : "
350
				else echo -n "Enter the name of your organism : "
351
			fi
351
			fi
352
			read ORGANISME
352
			read ORGANISME
353
			if [ "$ORGANISME" == "" ]
353
			if [ "$ORGANISME" == "" ]
354
				then
354
				then
355
				ORGANISME=!
355
				ORGANISME=!
356
			fi
356
			fi
357
		done
357
		done
358
	fi
358
	fi
359
# On crée aléatoirement les mots de passe et les secrets partagés
359
# On crée aléatoirement les mots de passe et les secrets partagés
360
	rm -f $PASSWD_FILE
360
	rm -f $PASSWD_FILE
361
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
361
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
362
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
362
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
363
	echo "$grubpwd" >> $PASSWD_FILE
363
	echo "$grubpwd" >> $PASSWD_FILE
364
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
364
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
365
	$SED "/^password.*/d" /boot/grub/menu.lst
365
	$SED "/^password.*/d" /boot/grub/menu.lst
366
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
366
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
367
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
367
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
368
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
368
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
369
	echo "root / $mysqlpwd" >> $PASSWD_FILE
369
	echo "root / $mysqlpwd" >> $PASSWD_FILE
370
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
370
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
371
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
371
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
372
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
372
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
373
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
373
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
374
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
374
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
375
	echo "$secretuam" >> $PASSWD_FILE
375
	echo "$secretuam" >> $PASSWD_FILE
376
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
376
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
377
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
377
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
378
	echo "$secretradius" >> $PASSWD_FILE
378
	echo "$secretradius" >> $PASSWD_FILE
379
	chmod 640 $PASSWD_FILE
379
	chmod 640 $PASSWD_FILE
380
# Scripts and conf files copy 
380
# Scripts and conf files copy 
381
#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
381
#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
382
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
382
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
383
#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
383
#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
384
	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
384
	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
385
#  - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
385
#  - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
386
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
386
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
387
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
387
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
388
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
388
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
389
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
389
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
390
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
390
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
391
# generate central conf file
391
# generate central conf file
392
	cat <<EOF > $CONF_FILE
392
	cat <<EOF > $CONF_FILE
393
##########################################
393
##########################################
394
##                                      ##
394
##                                      ##
395
##          ALCASAR Parameters          ##
395
##          ALCASAR Parameters          ##
396
##                                      ##
396
##                                      ##
397
##########################################
397
##########################################
398
 
398
 
399
INSTALL_DATE=$DATE
399
INSTALL_DATE=$DATE
400
VERSION=$VERSION
400
VERSION=$VERSION
401
ORGANISM=$ORGANISME
401
ORGANISM=$ORGANISME
402
DOMAIN=$DOMAIN
402
DOMAIN=$DOMAIN
403
EOF
403
EOF
404
	chmod o-rwx $CONF_FILE
404
	chmod o-rwx $CONF_FILE
405
} # End of init ()
405
} # End of init ()
406
 
406
 
407
##################################################################
407
##################################################################
408
##			Function "network"			##
408
##			Function "network"			##
409
## - Définition du plan d'adressage du réseau de consultation	##
409
## - Définition du plan d'adressage du réseau de consultation	##
410
## - Nommage DNS du système 					##
410
## - Nommage DNS du système 					##
411
## - Configuration de l'interface INTIF (réseau de consultation)##
411
## - Configuration de l'interface INTIF (réseau de consultation)##
412
## - Modification du fichier /etc/hosts				##
412
## - Modification du fichier /etc/hosts				##
413
## - Configuration du serveur de temps (NTP)			##
413
## - Configuration du serveur de temps (NTP)			##
414
## - Renseignement des fichiers hosts.allow et hosts.deny	##
414
## - Renseignement des fichiers hosts.allow et hosts.deny	##
415
##################################################################
415
##################################################################
416
network ()
416
network ()
417
{
417
{
418
	header_install
418
	header_install
419
	if [ "$mode" != "update" ]
419
	if [ "$mode" != "update" ]
420
		then
420
		then
421
		if [ $Lang == "fr" ]
421
		if [ $Lang == "fr" ]
422
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
422
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
423
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
423
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
424
		fi
424
		fi
425
		response=0
425
		response=0
426
		PTN='^[oOyYnN]$'
426
		PTN='^[oOyYnN]$'
427
		until [[ $(expr $response : $PTN) -gt 0 ]]
427
		until [[ $(expr $response : $PTN) -gt 0 ]]
428
		do
428
		do
429
			if [ $Lang == "fr" ]
429
			if [ $Lang == "fr" ]
430
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
430
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
431
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
431
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
432
			fi
432
			fi
433
			read response
433
			read response
434
		done
434
		done
435
		if [ "$response" = "n" ] || [ "$response" = "N" ]
435
		if [ "$response" = "n" ] || [ "$response" = "N" ]
436
		then
436
		then
437
			PRIVATE_IP_MASK="0"
437
			PRIVATE_IP_MASK="0"
438
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
438
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
439
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
439
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
440
			do
440
			do
441
				if [ $Lang == "fr" ]
441
				if [ $Lang == "fr" ]
442
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
442
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
443
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
443
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
444
				fi
444
				fi
445
				read PRIVATE_IP_MASK
445
				read PRIVATE_IP_MASK
446
			done
446
			done
447
		else
447
		else
448
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
448
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
449
		fi
449
		fi
450
	else
450
	else
451
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
451
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
452
		rm -rf conf/etc/alcasar.conf
452
		rm -rf conf/etc/alcasar.conf
453
	fi
453
	fi
454
# Define LAN side global parameters
454
# Define LAN side global parameters
455
	hostname $HOSTNAME.$DOMAIN
455
	hostname $HOSTNAME.$DOMAIN
456
	echo $HOSTNAME.$DOMAIN > /etc/hostname
456
	echo $HOSTNAME.$DOMAIN > /etc/hostname
457
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
457
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
458
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
458
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
459
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
459
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
460
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
460
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
461
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
461
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
462
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
462
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
463
		then
463
		then
464
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
464
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
465
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
465
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
466
	fi	
466
	fi	
467
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
467
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
468
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
468
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
469
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
469
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
470
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
470
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
471
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
471
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
472
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
472
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
473
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
473
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
474
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
474
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
475
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
475
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
476
	PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
476
	PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
477
# Define Internet parameters
477
# Define Internet parameters
478
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
478
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
479
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
479
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
480
	if [ $nb_dns == 2 ]
480
	if [ $nb_dns == 2 ]
481
		then
481
		then
482
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
482
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
483
	fi
483
	fi
484
	DNS1=${DNS1:=208.67.220.220}
484
	DNS1=${DNS1:=208.67.220.220}
485
	DNS2=${DNS2:=208.67.222.222}
485
	DNS2=${DNS2:=208.67.222.222}
486
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
486
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
487
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
487
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
488
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
488
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
489
# Wrtie the conf file
489
# Wrtie the conf file
490
	echo "EXTIF=$EXTIF" >> $CONF_FILE
490
	echo "EXTIF=$EXTIF" >> $CONF_FILE
491
	echo "INTIF=$INTIF" >> $CONF_FILE
491
	echo "INTIF=$INTIF" >> $CONF_FILE
492
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
492
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
493
	if [ $IP_SETTING == "dhcp" ]
493
	if [ $IP_SETTING == "dhcp" ]
494
		then
494
		then
495
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
495
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
496
		echo "GW=dhcp" >> $CONF_FILE
496
		echo "GW=dhcp" >> $CONF_FILE
497
	else
497
	else
498
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
498
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
499
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
499
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
500
	fi
500
	fi
501
	echo "DNS1=$DNS1" >> $CONF_FILE
501
	echo "DNS1=$DNS1" >> $CONF_FILE
502
	echo "DNS2=$DNS2" >> $CONF_FILE
502
	echo "DNS2=$DNS2" >> $CONF_FILE
503
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
503
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
504
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
504
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
505
	echo "DHCP=on" >> $CONF_FILE
505
	echo "DHCP=on" >> $CONF_FILE
506
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
506
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
507
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
507
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
508
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
508
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
509
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
509
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
510
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
510
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
511
	echo "INT_DNS_IP=none" >> $CONF_FILE
511
	echo "INT_DNS_IP=none" >> $CONF_FILE
512
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
512
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
513
# network default
513
# network default
514
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
514
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
515
	cat <<EOF > /etc/sysconfig/network
515
	cat <<EOF > /etc/sysconfig/network
516
NETWORKING=yes
516
NETWORKING=yes
517
HOSTNAME="$HOSTNAME.$DOMAIN"
517
HOSTNAME="$HOSTNAME.$DOMAIN"
518
FORWARD_IPV4=true
518
FORWARD_IPV4=true
519
EOF
519
EOF
520
# /etc/hosts config
520
# /etc/hosts config
521
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
521
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
522
	cat <<EOF > /etc/hosts
522
	cat <<EOF > /etc/hosts
523
127.0.0.1	localhost
523
127.0.0.1	localhost
524
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
524
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
525
EOF
525
EOF
526
# EXTIF (Internet) config
526
# EXTIF (Internet) config
527
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
527
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
528
	if [ $IP_SETTING == "dhcp" ]
528
	if [ $IP_SETTING == "dhcp" ]
529
		then
529
		then
530
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
530
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
531
DEVICE=$EXTIF
531
DEVICE=$EXTIF
532
BOOTPROTO=dhcp
532
BOOTPROTO=dhcp
533
DNS1=127.0.0.1
533
DNS1=127.0.0.1
534
PEERDNS=no
534
PEERDNS=no
535
RESOLV_MODS=yes
535
RESOLV_MODS=yes
536
ONBOOT=yes
536
ONBOOT=yes
537
NOZEROCONF=yes
537
NOZEROCONF=yes
538
METRIC=10
538
METRIC=10
539
MII_NOT_SUPPORTED=yes
539
MII_NOT_SUPPORTED=yes
540
IPV6INIT=no
540
IPV6INIT=no
541
IPV6TO4INIT=no
541
IPV6TO4INIT=no
542
ACCOUNTING=no
542
ACCOUNTING=no
543
USERCTL=no
543
USERCTL=no
544
MTU=$MTU
544
MTU=$MTU
545
EOF
545
EOF
546
		else	
546
		else	
547
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
547
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
548
DEVICE=$EXTIF
548
DEVICE=$EXTIF
549
BOOTPROTO=static
549
BOOTPROTO=static
550
IPADDR=$PUBLIC_IP
550
IPADDR=$PUBLIC_IP
551
NETMASK=$PUBLIC_NETMASK
551
NETMASK=$PUBLIC_NETMASK
552
GATEWAY=$PUBLIC_GATEWAY
552
GATEWAY=$PUBLIC_GATEWAY
553
DNS1=127.0.0.1
553
DNS1=127.0.0.1
554
RESOLV_MODS=yes
554
RESOLV_MODS=yes
555
ONBOOT=yes
555
ONBOOT=yes
556
METRIC=10
556
METRIC=10
557
NOZEROCONF=yes
557
NOZEROCONF=yes
558
MII_NOT_SUPPORTED=yes
558
MII_NOT_SUPPORTED=yes
559
IPV6INIT=no
559
IPV6INIT=no
560
IPV6TO4INIT=no
560
IPV6TO4INIT=no
561
ACCOUNTING=no
561
ACCOUNTING=no
562
USERCTL=no
562
USERCTL=no
563
MTU=$MTU
563
MTU=$MTU
564
EOF
564
EOF
565
	fi
565
	fi
566
# Config INTIF (consultation LAN) in normal mode
566
# Config INTIF (consultation LAN) in normal mode
567
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
567
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
568
DEVICE=$INTIF
568
DEVICE=$INTIF
569
BOOTPROTO=static
569
BOOTPROTO=static
570
ONBOOT=yes
570
ONBOOT=yes
571
NOZEROCONF=yes
571
NOZEROCONF=yes
572
MII_NOT_SUPPORTED=yes
572
MII_NOT_SUPPORTED=yes
573
IPV6INIT=no
573
IPV6INIT=no
574
IPV6TO4INIT=no
574
IPV6TO4INIT=no
575
ACCOUNTING=no
575
ACCOUNTING=no
576
USERCTL=no
576
USERCTL=no
577
EOF
577
EOF
578
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
578
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
579
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
579
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
580
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
580
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
581
DEVICE=$INTIF
581
DEVICE=$INTIF
582
BOOTPROTO=static
582
BOOTPROTO=static
583
IPADDR=$PRIVATE_IP
583
IPADDR=$PRIVATE_IP
584
NETMASK=$PRIVATE_NETMASK
584
NETMASK=$PRIVATE_NETMASK
585
ONBOOT=yes
585
ONBOOT=yes
586
METRIC=10
586
METRIC=10
587
NOZEROCONF=yes
587
NOZEROCONF=yes
588
MII_NOT_SUPPORTED=yes
588
MII_NOT_SUPPORTED=yes
589
IPV6INIT=no
589
IPV6INIT=no
590
IPV6TO4INIT=no
590
IPV6TO4INIT=no
591
ACCOUNTING=no
591
ACCOUNTING=no
592
USERCTL=no
592
USERCTL=no
593
EOF
593
EOF
594
# Mise à l'heure du serveur
594
# Mise à l'heure du serveur
595
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
595
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
596
	cat <<EOF > /etc/ntp/step-tickers
596
	cat <<EOF > /etc/ntp/step-tickers
597
0.fr.pool.ntp.org	# adapt to your country
597
0.fr.pool.ntp.org	# adapt to your country
598
1.fr.pool.ntp.org
598
1.fr.pool.ntp.org
599
2.fr.pool.ntp.org
599
2.fr.pool.ntp.org
600
EOF
600
EOF
601
# Configuration du serveur de temps (sur lui même)
601
# Configuration du serveur de temps (sur lui même)
602
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
602
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
603
	cat <<EOF > /etc/ntp.conf
603
	cat <<EOF > /etc/ntp.conf
604
server 0.fr.pool.ntp.org	# adapt to your country
604
server 0.fr.pool.ntp.org	# adapt to your country
605
server 1.fr.pool.ntp.org
605
server 1.fr.pool.ntp.org
606
server 2.fr.pool.ntp.org
606
server 2.fr.pool.ntp.org
607
server 127.127.1.0   		# local clock si NTP internet indisponible ...
607
server 127.127.1.0   		# local clock si NTP internet indisponible ...
608
fudge 127.127.1.0 stratum 10
608
fudge 127.127.1.0 stratum 10
609
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
609
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
610
restrict 127.0.0.1
610
restrict 127.0.0.1
611
driftfile /var/lib/ntp/drift
611
driftfile /var/lib/ntp/drift
612
logfile /var/log/ntp.log
612
logfile /var/log/ntp.log
613
disable monitor
613
disable monitor
614
EOF
614
EOF
615
 
615
 
616
	chown -R ntp:ntp /var/lib/ntp
616
	chown -R ntp:ntp /var/lib/ntp
617
# Renseignement des fichiers hosts.allow et hosts.deny
617
# Renseignement des fichiers hosts.allow et hosts.deny
618
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
618
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
619
	cat <<EOF > /etc/hosts.allow
619
	cat <<EOF > /etc/hosts.allow
620
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
620
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
621
sshd: ALL
621
sshd: ALL
622
ntpd: $PRIVATE_NETWORK_SHORT
622
ntpd: $PRIVATE_NETWORK_SHORT
623
EOF
623
EOF
624
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
624
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
625
	cat <<EOF > /etc/hosts.deny
625
	cat <<EOF > /etc/hosts.deny
626
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
626
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
627
EOF
627
EOF
628
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
628
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
629
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
629
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
630
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
630
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
631
# load conntrack ftp module
631
# load conntrack ftp module
632
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
632
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
633
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
633
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
634
# load ipt_NETFLOW module
634
# load ipt_NETFLOW module
635
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
635
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
636
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
636
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
637
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
637
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
638
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
638
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
639
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
639
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
640
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
640
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
641
# 
641
# 
642
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
642
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
643
} # End of network ()
643
} # End of network ()
644
 
644
 
645
##################################################################
645
##################################################################
646
##			Function "ACC"				##
646
##			Function "ACC"				##
647
## - installation du centre de gestion (ALCASAR Control Center)	##
647
## - installation du centre de gestion (ALCASAR Control Center)	##
648
## - configuration du serveur web (Apache)			##
648
## - configuration du serveur web (Apache)			##
649
## - définition du 1er comptes de gestion 			##
649
## - définition du 1er comptes de gestion 			##
650
## - sécurisation des accès					##
650
## - sécurisation des accès					##
651
##################################################################
651
##################################################################
652
ACC ()
652
ACC ()
653
{
653
{
654
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
654
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
655
	mkdir $DIR_WEB
655
	mkdir $DIR_WEB
656
# Copie et configuration des fichiers du centre de gestion
656
# Copie et configuration des fichiers du centre de gestion
657
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
657
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
658
	echo "$VERSION" > $DIR_WEB/VERSION
658
	echo "$VERSION" > $DIR_WEB/VERSION
659
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
659
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
660
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
660
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
661
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
661
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
662
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
662
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
663
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
663
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
664
	chown -R apache:apache $DIR_WEB/*
664
	chown -R apache:apache $DIR_WEB/*
665
# create the backup structure :
665
# create the backup structure :
666
# - base = users database
666
# - base = users database
667
# - archive = tarball of "base + http firewall + netflow"
667
# - archive = tarball of "base + http firewall + netflow"
668
# - security = watchdog disconnection)
668
# - security = watchdog disconnection)
669
	for i in base archive security;
669
	for i in base archive security;
670
	do
670
	do
671
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
671
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
672
	done
672
	done
673
	chown -R root:apache $DIR_SAVE
673
	chown -R root:apache $DIR_SAVE
674
# Configuration et sécurisation php
674
# Configuration et sécurisation php
675
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
675
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
676
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
676
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
677
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
677
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
678
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
678
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
679
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
679
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
680
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
680
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
681
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
681
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
682
# Configuration et sécurisation Apache
682
# Configuration et sécurisation Apache
683
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
683
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
684
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
684
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
685
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
685
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
686
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
686
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
687
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
687
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
688
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
688
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
689
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
689
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
690
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
690
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
691
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
691
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
692
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
692
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
693
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
693
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
694
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
694
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
695
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
695
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
696
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
696
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
697
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
697
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
698
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
698
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
699
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
699
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
700
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
700
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
701
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
701
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
702
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
702
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
703
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
703
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
704
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
704
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
705
# Error page management
705
# Error page management
706
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
706
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
707
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
707
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
708
Alias /error/ "/var/www/html/"
708
Alias /error/ "/var/www/html/"
709
<Directory "/usr/share/httpd/error">
709
<Directory "/usr/share/httpd/error">
710
    AllowOverride None
710
    AllowOverride None
711
    Options IncludesNoExec
711
    Options IncludesNoExec
712
    AddOutputFilter Includes html
712
    AddOutputFilter Includes html
713
    AddHandler type-map var
713
    AddHandler type-map var
714
    Require all granted
714
    Require all granted
715
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
715
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
716
    ForceLanguagePriority Prefer Fallback
716
    ForceLanguagePriority Prefer Fallback
717
</Directory>
717
</Directory>
718
ErrorDocument 400 /error/error.php?error=400
718
ErrorDocument 400 /error/error.php?error=400
719
ErrorDocument 401 /error/error.php?error=401
719
ErrorDocument 401 /error/error.php?error=401
720
ErrorDocument 403 /error/error.php?error=403
720
ErrorDocument 403 /error/error.php?error=403
721
ErrorDocument 404 /error/error.php?error=404
721
ErrorDocument 404 /error/error.php?error=404
722
ErrorDocument 405 /error/error.php?error=405
722
ErrorDocument 405 /error/error.php?error=405
723
ErrorDocument 408 /error/error.php?error=408
723
ErrorDocument 408 /error/error.php?error=408
724
ErrorDocument 410 /error/error.php?error=410
724
ErrorDocument 410 /error/error.php?error=410
725
ErrorDocument 411 /error/error.php?error=411
725
ErrorDocument 411 /error/error.php?error=411
726
ErrorDocument 412 /error/error.php?error=412
726
ErrorDocument 412 /error/error.php?error=412
727
ErrorDocument 413 /error/error.php?error=413
727
ErrorDocument 413 /error/error.php?error=413
728
ErrorDocument 414 /error/error.php?error=414
728
ErrorDocument 414 /error/error.php?error=414
729
ErrorDocument 415 /error/error.php?error=415
729
ErrorDocument 415 /error/error.php?error=415
730
ErrorDocument 500 /error/error.php?error=500
730
ErrorDocument 500 /error/error.php?error=500
731
ErrorDocument 501 /error/error.php?error=501
731
ErrorDocument 501 /error/error.php?error=501
732
ErrorDocument 502 /error/error.php?error=502
732
ErrorDocument 502 /error/error.php?error=502
733
ErrorDocument 503 /error/error.php?error=503
733
ErrorDocument 503 /error/error.php?error=503
734
ErrorDocument 506 /error/error.php?error=506
734
ErrorDocument 506 /error/error.php?error=506
735
EOF
735
EOF
736
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
736
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
737
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
737
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
738
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
738
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
739
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
739
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
740
</body>
740
</body>
741
</html>
741
</html>
742
EOF
742
EOF
743
# Définition du premier compte lié au profil 'admin'
743
# Définition du premier compte lié au profil 'admin'
744
	if [ "$mode" = "install" ]
744
	if [ "$mode" = "install" ]
745
	then
745
	then
746
		header_install
746
		header_install
747
		admin_portal=!
747
		admin_portal=!
748
		PTN='^[a-zA-Z0-9-]*$'
748
		PTN='^[a-zA-Z0-9-]*$'
749
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
749
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
750
                	do
750
                	do
751
			header_install
751
			header_install
752
			if [ $Lang == "fr" ]
752
			if [ $Lang == "fr" ]
753
			then 
753
			then 
754
				echo ""
754
				echo ""
755
				echo "Définissez un premier compte d'administration du portail :"
755
				echo "Définissez un premier compte d'administration du portail :"
756
				echo
756
				echo
757
				echo -n "Nom : "
757
				echo -n "Nom : "
758
			else
758
			else
759
				echo ""
759
				echo ""
760
				echo "Define the first account allow to administrate the portal :"
760
				echo "Define the first account allow to administrate the portal :"
761
				echo
761
				echo
762
				echo -n "Account : "
762
				echo -n "Account : "
763
			fi
763
			fi
764
			read admin_portal
764
			read admin_portal
765
			if [ "$admin_portal" == "" ]
765
			if [ "$admin_portal" == "" ]
766
				then
766
				then
767
				admin_portal=!
767
				admin_portal=!
768
			fi
768
			fi
769
			done
769
			done
770
# Creation of keys file for the admin account ("admin")
770
# Creation of keys file for the admin account ("admin")
771
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
771
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
772
		mkdir -p $DIR_DEST_ETC/digest
772
		mkdir -p $DIR_DEST_ETC/digest
773
		chmod 755 $DIR_DEST_ETC/digest
773
		chmod 755 $DIR_DEST_ETC/digest
774
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
774
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
775
			do
775
			do
776
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
776
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
777
			done
777
			done
778
		$DIR_DEST_SBIN/alcasar-profil.sh --list
778
		$DIR_DEST_SBIN/alcasar-profil.sh --list
779
	fi
779
	fi
780
# synchronisation horaire
780
# synchronisation horaire
781
	ntpd -q -g &
781
	ntpd -q -g &
782
# Sécurisation du centre
782
# Sécurisation du centre
783
	rm -f /etc/httpd/conf/webapps.d/alcasar*
783
	rm -f /etc/httpd/conf/webapps.d/alcasar*
784
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
784
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
785
<Directory $DIR_ACC>
785
<Directory $DIR_ACC>
786
	SSLRequireSSL
786
	SSLRequireSSL
787
	AllowOverride None
787
	AllowOverride None
788
	Order deny,allow
788
	Order deny,allow
789
	Deny from all
789
	Deny from all
790
	Allow from 127.0.0.1
790
	Allow from 127.0.0.1
791
	Allow from $PRIVATE_NETWORK_MASK
791
	Allow from $PRIVATE_NETWORK_MASK
792
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
792
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
793
	require valid-user
793
	require valid-user
794
	AuthType digest
794
	AuthType digest
795
	AuthName $HOSTNAME.$DOMAIN
795
	AuthName $HOSTNAME.$DOMAIN
796
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
796
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
797
	AuthUserFile $DIR_DEST_ETC/digest/key_all
797
	AuthUserFile $DIR_DEST_ETC/digest/key_all
798
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
798
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
799
</Directory>
799
</Directory>
800
<Directory $DIR_ACC/admin>
800
<Directory $DIR_ACC/admin>
801
	SSLRequireSSL
801
	SSLRequireSSL
802
	AllowOverride None
802
	AllowOverride None
803
	Order deny,allow
803
	Order deny,allow
804
	Deny from all
804
	Deny from all
805
	Allow from 127.0.0.1
805
	Allow from 127.0.0.1
806
	Allow from $PRIVATE_NETWORK_MASK
806
	Allow from $PRIVATE_NETWORK_MASK
807
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
807
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
808
	require valid-user
808
	require valid-user
809
	AuthType digest
809
	AuthType digest
810
	AuthName $HOSTNAME.$DOMAIN
810
	AuthName $HOSTNAME.$DOMAIN
811
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
811
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
812
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
812
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
813
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
813
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
814
</Directory>
814
</Directory>
815
<Directory $DIR_ACC/manager>
815
<Directory $DIR_ACC/manager>
816
	SSLRequireSSL
816
	SSLRequireSSL
817
	AllowOverride None
817
	AllowOverride None
818
	Order deny,allow
818
	Order deny,allow
819
	Deny from all
819
	Deny from all
820
	Allow from 127.0.0.1
820
	Allow from 127.0.0.1
821
	Allow from $PRIVATE_NETWORK_MASK
821
	Allow from $PRIVATE_NETWORK_MASK
822
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
822
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
823
	require valid-user
823
	require valid-user
824
	AuthType digest
824
	AuthType digest
825
	AuthName $HOSTNAME.$DOMAIN
825
	AuthName $HOSTNAME.$DOMAIN
826
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
826
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
827
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
827
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
828
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
828
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
829
</Directory>
829
</Directory>
830
<Directory $DIR_ACC/backup>
830
<Directory $DIR_ACC/backup>
831
	SSLRequireSSL
831
	SSLRequireSSL
832
	AllowOverride None
832
	AllowOverride None
833
	Order deny,allow
833
	Order deny,allow
834
	Deny from all
834
	Deny from all
835
	Allow from 127.0.0.1
835
	Allow from 127.0.0.1
836
	Allow from $PRIVATE_NETWORK_MASK
836
	Allow from $PRIVATE_NETWORK_MASK
837
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
837
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
838
	require valid-user
838
	require valid-user
839
	AuthType digest
839
	AuthType digest
840
	AuthName $HOSTNAME.$DOMAIN
840
	AuthName $HOSTNAME.$DOMAIN
841
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
841
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
842
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
842
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
843
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
843
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
844
</Directory>
844
</Directory>
845
Alias /save/ "$DIR_SAVE/"
845
Alias /save/ "$DIR_SAVE/"
846
<Directory $DIR_SAVE>
846
<Directory $DIR_SAVE>
847
	SSLRequireSSL
847
	SSLRequireSSL
848
	Options Indexes
848
	Options Indexes
849
	Order deny,allow
849
	Order deny,allow
850
	Deny from all
850
	Deny from all
851
	Allow from 127.0.0.1
851
	Allow from 127.0.0.1
852
	Allow from $PRIVATE_NETWORK_MASK
852
	Allow from $PRIVATE_NETWORK_MASK
853
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
853
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
854
	require valid-user
854
	require valid-user
855
	AuthType digest
855
	AuthType digest
856
	AuthName $HOSTNAME.$DOMAIN
856
	AuthName $HOSTNAME.$DOMAIN
857
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
857
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
858
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
858
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
859
</Directory>
859
</Directory>
860
EOF
860
EOF
861
# Launch after coova
861
# Launch after coova
862
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
862
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
863
} # End of ACC ()
863
} # End of ACC ()
864
 
864
 
865
##########################################################################################
865
##########################################################################################
866
##				Fonction "CA"						##
866
##				Fonction "CA"						##
867
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
867
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
868
##########################################################################################
868
##########################################################################################
869
CA ()
869
CA ()
870
{
870
{
871
	$DIR_DEST_BIN/alcasar-CA.sh
871
	$DIR_DEST_BIN/alcasar-CA.sh
872
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
872
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
873
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
873
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
874
	cat <<EOF > $FIC_VIRTUAL_SSL
874
	cat <<EOF > $FIC_VIRTUAL_SSL
875
# default SSL virtual host, used for all HTTPS requests that do not
875
# default SSL virtual host, used for all HTTPS requests that do not
876
# match a ServerName or ServerAlias in any <VirtualHost> block.
876
# match a ServerName or ServerAlias in any <VirtualHost> block.
877
 
877
 
878
<VirtualHost _default_:443>
878
<VirtualHost _default_:443>
879
# general configuration
879
# general configuration
880
    ServerAdmin root@localhost
880
    ServerAdmin root@localhost
881
    ServerName localhost
881
    ServerName localhost
882
 
882
 
883
# SSL configuration
883
# SSL configuration
884
    SSLEngine on
884
    SSLEngine on
885
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
885
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
886
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
886
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
887
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
887
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
888
    CustomLog logs/ssl_request_log \
888
    CustomLog logs/ssl_request_log \
889
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
889
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
890
    ErrorLog logs/ssl_error_log
890
    ErrorLog logs/ssl_error_log
891
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
891
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
892
</VirtualHost>
892
</VirtualHost>
893
EOF
893
EOF
894
 
894
 
895
	chown -R root:apache /etc/pki
895
	chown -R root:apache /etc/pki
896
	chmod -R 750 /etc/pki
896
	chmod -R 750 /etc/pki
897
} # End of CA ()
897
} # End of CA ()
898
 
898
 
899
##########################################################################################
899
##########################################################################################
900
##			Fonction "init_db"						##
900
##			Fonction "init_db"						##
901
## - Initialisation de la base Mysql							##
901
## - Initialisation de la base Mysql							##
902
## - Affectation du mot de passe de l'administrateur (root)				##
902
## - Affectation du mot de passe de l'administrateur (root)				##
903
## - Suppression des bases et des utilisateurs superflus				##
903
## - Suppression des bases et des utilisateurs superflus				##
904
## - Création de la base 'radius'							##
904
## - Création de la base 'radius'							##
905
## - Installation du schéma de cette base						##
905
## - Installation du schéma de cette base						##
906
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
906
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
907
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
907
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
908
##########################################################################################
908
##########################################################################################
909
init_db ()
909
init_db ()
910
{
910
{
911
	rm -rf /var/lib/mysql # to be sure that there is no former installation
911
	rm -rf /var/lib/mysql # to be sure that there is no former installation
912
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
912
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
913
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
913
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
914
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
914
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
915
	/usr/bin/systemctl start mysqld.service
915
	/usr/bin/systemctl start mysqld.service
916
	sleep 4
916
	sleep 4
917
	mysqladmin -u root password $mysqlpwd
917
	mysqladmin -u root password $mysqlpwd
918
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
918
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
919
# Secure the server
919
# Secure the server
920
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
920
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
921
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
921
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
922
# Create 'radius' database
922
# Create 'radius' database
923
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
923
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
924
# Add an empty radius database structure
924
# Add an empty radius database structure
925
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
925
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
926
# modify the start script in order to close accounting connexion when the system is comming down or up
926
# modify the start script in order to close accounting connexion when the system is comming down or up
927
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
927
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
928
	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
928
	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
929
	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
929
	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
930
	/usr/bin/systemctl daemon-reload
930
	/usr/bin/systemctl daemon-reload
931
} # End of init_db ()
931
} # End of init_db ()
932
 
932
 
933
##########################################################################
933
##########################################################################
934
##			Fonction "radius"				##
934
##			Fonction "radius"				##
935
## - Paramètrage des fichiers de configuration FreeRadius		##
935
## - Paramètrage des fichiers de configuration FreeRadius		##
936
## - Affectation du secret partagé entre coova-chilli et freeradius	##
936
## - Affectation du secret partagé entre coova-chilli et freeradius	##
937
## - Modification de fichier de conf pour l'accès à Mysql		##
937
## - Modification de fichier de conf pour l'accès à Mysql		##
938
##########################################################################
938
##########################################################################
939
radius ()
939
radius ()
940
{
940
{
941
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
941
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
942
	chown -R radius:radius /etc/raddb
942
	chown -R radius:radius /etc/raddb
943
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
943
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
944
# Set radius.conf parameters
944
# Set radius.conf parameters
945
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
945
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
946
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
946
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
947
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
947
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
948
# remove the proxy function
948
# remove the proxy function
949
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
949
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
950
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
950
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
951
# remove EAP module
951
# remove EAP module
952
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
952
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
953
# listen on loopback (should be modified later if EAP enabled)
953
# listen on loopback (should be modified later if EAP enabled)
954
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
954
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
955
# enable the  SQL module (and SQL counter)
955
# enable the  SQL module (and SQL counter)
956
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
956
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
957
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
957
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
958
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
958
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
959
# only include modules for ALCASAR needs
959
# only include modules for ALCASAR needs
960
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
960
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
961
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
961
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
962
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
962
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
963
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
963
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
964
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
964
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
965
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
965
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
966
# remvove virtual server and copy our conf file
966
# remvove virtual server and copy our conf file
967
	rm -f /etc/raddb/sites-enabled/*
967
	rm -f /etc/raddb/sites-enabled/*
968
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
968
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
969
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
969
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
970
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
970
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
971
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
971
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
972
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
972
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
973
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
973
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
974
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
974
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
975
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
975
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
976
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
976
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
977
	cat << EOF > /etc/raddb/clients.conf
977
	cat << EOF > /etc/raddb/clients.conf
978
client 127.0.0.1 {
978
client 127.0.0.1 {
979
	secret = $secretradius
979
	secret = $secretradius
980
	shortname = localhost
980
	shortname = localhost
981
}
981
}
982
EOF
982
EOF
983
# sql.conf modification
983
# sql.conf modification
984
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
984
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
985
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
985
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
986
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
986
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
987
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
987
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
988
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
988
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
989
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
989
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
990
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
990
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
991
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
991
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
992
# counter.conf modification (change the Max-All-Session-Time counter)
992
# counter.conf modification (change the Max-All-Session-Time counter)
993
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
993
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
994
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
994
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
995
	chown -R radius:radius /etc/raddb/sql/mysql/*
995
	chown -R radius:radius /etc/raddb/sql/mysql/*
996
# make certain that mysql is up before radius start
996
# make certain that mysql is up before radius start
997
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
997
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
998
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
998
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
999
	/usr/bin/systemctl daemon-reload
999
	/usr/bin/systemctl daemon-reload
1000
} # End radius ()
1000
} # End radius ()
1001
 
1001
 
1002
##########################################################################
1002
##########################################################################
1003
##			Function "radius_web"				##
1003
##			Function "radius_web"				##
1004
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
1004
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
1005
## - Création du lien vers la page de changement de mot de passe        ##
1005
## - Création du lien vers la page de changement de mot de passe        ##
1006
##########################################################################
1006
##########################################################################
1007
radius_web ()
1007
radius_web ()
1008
{
1008
{
1009
# copie de l'interface d'origine dans la structure Alcasar
1009
# copie de l'interface d'origine dans la structure Alcasar
1010
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
1010
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
1011
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
1011
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
1012
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
1012
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
1013
# copie des fichiers modifiés
1013
# copie des fichiers modifiés
1014
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
1014
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
1015
	chown -R apache:apache $DIR_ACC/manager/
1015
	chown -R apache:apache $DIR_ACC/manager/
1016
# Modification des fichiers de configuration
1016
# Modification des fichiers de configuration
1017
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
1017
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
1018
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1018
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1019
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
1019
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
1020
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
1020
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
1021
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
1021
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
1022
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
1022
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
1023
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
1023
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
1024
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
1024
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
1025
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
1025
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
1026
	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
1026
	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
1027
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1027
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1028
	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
1028
	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
1029
	cat <<EOF > /etc/freeradius-web/naslist.conf
1029
	cat <<EOF > /etc/freeradius-web/naslist.conf
1030
nas1_name: alcasar-$ORGANISME
1030
nas1_name: alcasar-$ORGANISME
1031
nas1_model: Portail captif
1031
nas1_model: Portail captif
1032
nas1_ip: $PRIVATE_IP
1032
nas1_ip: $PRIVATE_IP
1033
nas1_port_num: 0
1033
nas1_port_num: 0
1034
nas1_community: public
1034
nas1_community: public
1035
EOF
1035
EOF
1036
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
1036
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
1037
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1037
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1038
	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
1038
	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
1039
# Ajout du mappage des attributs chillispot
1039
# Ajout du mappage des attributs chillispot
1040
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1040
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1041
	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1041
	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1042
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1042
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1043
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1043
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1044
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
1044
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
1045
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
1045
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
1046
	chown -R apache:apache /etc/freeradius-web
1046
	chown -R apache:apache /etc/freeradius-web
1047
# Ajout de l'alias vers la page de "changement de mot de passe usager"
1047
# Ajout de l'alias vers la page de "changement de mot de passe usager"
1048
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
1048
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
1049
<Directory $DIR_WEB/pass>
1049
<Directory $DIR_WEB/pass>
1050
	SSLRequireSSL
1050
	SSLRequireSSL
1051
	AllowOverride None
1051
	AllowOverride None
1052
	Order deny,allow
1052
	Order deny,allow
1053
	Deny from all
1053
	Deny from all
1054
	Allow from 127.0.0.1
1054
	Allow from 127.0.0.1
1055
	Allow from $PRIVATE_NETWORK_MASK
1055
	Allow from $PRIVATE_NETWORK_MASK
1056
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1056
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1057
</Directory>
1057
</Directory>
1058
EOF
1058
EOF
1059
} # End of radius_web ()
1059
} # End of radius_web ()
1060
 
1060
 
1061
##################################################################################
1061
##################################################################################
1062
##			Fonction "chilli"					##
1062
##			Fonction "chilli"					##
1063
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1063
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1064
## - Paramètrage de la page d'authentification (intercept.php)			##
1064
## - Paramètrage de la page d'authentification (intercept.php)			##
1065
##################################################################################
1065
##################################################################################
1066
chilli ()
1066
chilli ()
1067
{
1067
{
1068
# chilli unit for systemd
1068
# chilli unit for systemd
1069
cat << EOF > /lib/systemd/system/chilli.service
1069
cat << EOF > /lib/systemd/system/chilli.service
1070
#  This file is part of systemd.
1070
#  This file is part of systemd.
1071
#
1071
#
1072
#  systemd is free software; you can redistribute it and/or modify it
1072
#  systemd is free software; you can redistribute it and/or modify it
1073
#  under the terms of the GNU General Public License as published by
1073
#  under the terms of the GNU General Public License as published by
1074
#  the Free Software Foundation; either version 2 of the License, or
1074
#  the Free Software Foundation; either version 2 of the License, or
1075
#  (at your option) any later version.
1075
#  (at your option) any later version.
1076
[Unit]
1076
[Unit]
1077
Description=chilli is a captive portal daemon
1077
Description=chilli is a captive portal daemon
1078
After=network.target
1078
After=network.target
1079
 
1079
 
1080
[Service]
1080
[Service]
1081
Type=forking
1081
Type=forking
1082
ExecStart=/usr/libexec/chilli start
1082
ExecStart=/usr/libexec/chilli start
1083
ExecStop=/usr/libexec/chilli stop
1083
ExecStop=/usr/libexec/chilli stop
1084
ExecReload=/usr/libexec/chilli reload
1084
ExecReload=/usr/libexec/chilli reload
1085
PIDFile=/var/run/chilli.pid
1085
PIDFile=/var/run/chilli.pid
1086
 
1086
 
1087
[Install]
1087
[Install]
1088
WantedBy=multi-user.target
1088
WantedBy=multi-user.target
1089
EOF
1089
EOF
1090
# init file creation
1090
# init file creation
1091
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1091
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1092
	cat <<EOF > /usr/libexec/chilli
1092
	cat <<EOF > /usr/libexec/chilli
1093
#!/bin/sh
1093
#!/bin/sh
1094
#
1094
#
1095
# chilli CoovaChilli init
1095
# chilli CoovaChilli init
1096
#
1096
#
1097
# chkconfig: 2345 65 35
1097
# chkconfig: 2345 65 35
1098
# description: CoovaChilli
1098
# description: CoovaChilli
1099
### BEGIN INIT INFO
1099
### BEGIN INIT INFO
1100
# Provides:       chilli
1100
# Provides:       chilli
1101
# Required-Start: network 
1101
# Required-Start: network 
1102
# Should-Start: 
1102
# Should-Start: 
1103
# Required-Stop:  network
1103
# Required-Stop:  network
1104
# Should-Stop: 
1104
# Should-Stop: 
1105
# Default-Start:  2 3 5
1105
# Default-Start:  2 3 5
1106
# Default-Stop:
1106
# Default-Stop:
1107
# Description:    CoovaChilli access controller
1107
# Description:    CoovaChilli access controller
1108
### END INIT INFO
1108
### END INIT INFO
1109
 
1109
 
1110
[ -f /usr/sbin/chilli ] || exit 0
1110
[ -f /usr/sbin/chilli ] || exit 0
1111
. /etc/init.d/functions
1111
. /etc/init.d/functions
1112
CONFIG=/etc/chilli.conf
1112
CONFIG=/etc/chilli.conf
1113
pidfile=/var/run/chilli.pid
1113
pidfile=/var/run/chilli.pid
1114
[ -f \$CONFIG ] || {
1114
[ -f \$CONFIG ] || {
1115
    echo "\$CONFIG Not found"
1115
    echo "\$CONFIG Not found"
1116
    exit 0
1116
    exit 0
1117
}
1117
}
1118
RETVAL=0
1118
RETVAL=0
1119
prog="chilli"
1119
prog="chilli"
1120
case \$1 in
1120
case \$1 in
1121
    start)
1121
    start)
1122
	if [ -f \$pidfile ] ; then 
1122
	if [ -f \$pidfile ] ; then 
1123
		gprintf "chilli is already running"
1123
		gprintf "chilli is already running"
1124
	else
1124
	else
1125
        	gprintf "Starting \$prog: "
1125
        	gprintf "Starting \$prog: "
1126
		rm -f /var/run/chilli* # cleaning
1126
		rm -f /var/run/chilli* # cleaning
1127
        	/sbin/modprobe tun >/dev/null 2>&1
1127
        	/sbin/modprobe tun >/dev/null 2>&1
1128
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1128
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1129
		[ -e /dev/net/tun ] || {
1129
		[ -e /dev/net/tun ] || {
1130
	    	(cd /dev; 
1130
	    	(cd /dev; 
1131
			mkdir net; 
1131
			mkdir net; 
1132
			cd net; 
1132
			cd net; 
1133
			mknod tun c 10 200)
1133
			mknod tun c 10 200)
1134
		}
1134
		}
1135
		ifconfig $INTIF 0.0.0.0
1135
		ifconfig $INTIF 0.0.0.0
1136
		/usr/sbin/ethtool -K $INTIF gro off
1136
		/usr/sbin/ethtool -K $INTIF gro off
1137
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1137
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1138
        	RETVAL=$?
1138
        	RETVAL=$?
1139
	fi
1139
	fi
1140
	;;
1140
	;;
1141
 
1141
 
1142
    reload)
1142
    reload)
1143
	killall -HUP chilli
1143
	killall -HUP chilli
1144
	;;
1144
	;;
1145
 
1145
 
1146
    restart)
1146
    restart)
1147
	\$0 stop
1147
	\$0 stop
1148
        sleep 2
1148
        sleep 2
1149
	\$0 start
1149
	\$0 start
1150
	;;
1150
	;;
1151
    
1151
    
1152
    status)
1152
    status)
1153
        status chilli
1153
        status chilli
1154
        RETVAL=0
1154
        RETVAL=0
1155
        ;;
1155
        ;;
1156
 
1156
 
1157
    stop)
1157
    stop)
1158
	if [ -f \$pidfile ] ; then  
1158
	if [ -f \$pidfile ] ; then  
1159
        	gprintf "Shutting down \$prog: "
1159
        	gprintf "Shutting down \$prog: "
1160
		killproc /usr/sbin/chilli
1160
		killproc /usr/sbin/chilli
1161
		RETVAL=\$?
1161
		RETVAL=\$?
1162
		[ \$RETVAL = 0 ] && rm -f $pidfile
1162
		[ \$RETVAL = 0 ] && rm -f $pidfile
1163
	else	
1163
	else	
1164
        	gprintf "chilli is not running"
1164
        	gprintf "chilli is not running"
1165
	fi
1165
	fi
1166
	;;
1166
	;;
1167
    
1167
    
1168
    *)
1168
    *)
1169
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1169
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1170
        exit 1
1170
        exit 1
1171
esac
1171
esac
1172
echo
1172
echo
1173
EOF
1173
EOF
1174
chmod a+x /usr/libexec/chilli
1174
chmod a+x /usr/libexec/chilli
1175
# conf file creation
1175
# conf file creation
1176
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1176
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1177
	cat <<EOF > /etc/chilli.conf
1177
	cat <<EOF > /etc/chilli.conf
1178
# coova config for ALCASAR
1178
# coova config for ALCASAR
1179
cmdsocket	/var/run/chilli.sock
1179
cmdsocket	/var/run/chilli.sock
1180
unixipc		chilli.$INTIF.ipc
1180
unixipc		chilli.$INTIF.ipc
1181
pidfile		/var/run/chilli.pid
1181
pidfile		/var/run/chilli.pid
1182
net		$PRIVATE_NETWORK_MASK
1182
net		$PRIVATE_NETWORK_MASK
1183
dhcpif		$INTIF
1183
dhcpif		$INTIF
1184
ethers		$DIR_DEST_ETC/alcasar-ethers
1184
ethers		$DIR_DEST_ETC/alcasar-ethers
1185
#nodynip
1185
#nodynip
1186
#statip
1186
#statip
1187
dynip		$PRIVATE_NETWORK_MASK
1187
dynip		$PRIVATE_NETWORK_MASK
1188
domain		$DOMAIN
1188
domain		$DOMAIN
1189
dns1		$PRIVATE_IP
1189
dns1		$PRIVATE_IP
1190
dns2		$PRIVATE_IP
1190
dns2		$PRIVATE_IP
1191
uamlisten	$PRIVATE_IP
1191
uamlisten	$PRIVATE_IP
1192
uamport		3990
1192
uamport		3990
1193
macauth
1193
macauth
1194
macpasswd	password
1194
macpasswd	password
1195
strictmacauth
1195
strictmacauth
1196
locationname	$HOSTNAME.$DOMAIN
1196
locationname	$HOSTNAME.$DOMAIN
1197
radiusserver1	127.0.0.1
1197
radiusserver1	127.0.0.1
1198
radiusserver2	127.0.0.1
1198
radiusserver2	127.0.0.1
1199
radiussecret	$secretradius
1199
radiussecret	$secretradius
1200
radiusauthport	1812
1200
radiusauthport	1812
1201
radiusacctport	1813
1201
radiusacctport	1813
1202
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1202
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1203
radiusnasid	$HOSTNAME.$DOMAIN
1203
radiusnasid	$HOSTNAME.$DOMAIN
1204
uamsecret	$secretuam
1204
uamsecret	$secretuam
1205
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1205
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1206
coaport		3799
1206
coaport		3799
1207
conup		$DIR_DEST_BIN/alcasar-conup.sh
1207
conup		$DIR_DEST_BIN/alcasar-conup.sh
1208
condown		$DIR_DEST_BIN/alcasar-condown.sh
1208
condown		$DIR_DEST_BIN/alcasar-condown.sh
1209
include		$DIR_DEST_ETC/alcasar-uamallowed
1209
include		$DIR_DEST_ETC/alcasar-uamallowed
1210
include		$DIR_DEST_ETC/alcasar-uamdomain
1210
include		$DIR_DEST_ETC/alcasar-uamdomain
1211
#dhcpgateway		none
1211
#dhcpgateway		none
1212
#dhcprelayagent		none
1212
#dhcprelayagent		none
1213
#dhcpgatewayport	none
1213
#dhcpgatewayport	none
1214
EOF
1214
EOF
1215
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1215
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1216
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1216
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1217
# create files for trusted domains and urls
1217
# create files for trusted domains and urls
1218
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1218
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1219
	chown root:apache $DIR_DEST_ETC/alcasar-*
1219
	chown root:apache $DIR_DEST_ETC/alcasar-*
1220
	chmod 660 $DIR_DEST_ETC/alcasar-*
1220
	chmod 660 $DIR_DEST_ETC/alcasar-*
1221
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1221
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1222
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1222
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1223
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1223
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1224
# user 'chilli' creation (in order to run conup/off and up/down scripts
1224
# user 'chilli' creation (in order to run conup/off and up/down scripts
1225
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1225
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1226
	if [ "$chilli_exist" == "1" ]
1226
	if [ "$chilli_exist" == "1" ]
1227
	then
1227
	then
1228
	      userdel -r chilli 2>/dev/null
1228
	      userdel -r chilli 2>/dev/null
1229
	fi
1229
	fi
1230
	groupadd -f chilli
1230
	groupadd -f chilli
1231
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1231
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1232
}  # End of chilli ()
1232
}  # End of chilli ()
1233
 
1233
 
1234
##################################################################
1234
##################################################################
1235
##		Fonction "dansguardian"				##
1235
##		Fonction "dansguardian"				##
1236
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1236
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1237
##################################################################
1237
##################################################################
1238
dansguardian ()
1238
dansguardian ()
1239
{
1239
{
1240
	mkdir /var/dansguardian
1240
	mkdir /var/dansguardian
1241
	chown dansguardian /var/dansguardian
1241
	chown dansguardian /var/dansguardian
1242
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1242
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1243
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1243
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1244
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1244
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1245
# By default the filter is off 
1245
# By default the filter is off 
1246
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1246
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1247
# French deny HTML page
1247
# French deny HTML page
1248
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1248
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1249
# Listen only on LAN side
1249
# Listen only on LAN side
1250
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1250
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1251
# DG send its flow to HAVP
1251
# DG send its flow to HAVP
1252
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1252
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1253
# replace the default deny HTML page
1253
# replace the default deny HTML page
1254
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1254
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1255
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1255
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1256
# Don't log
1256
# Don't log
1257
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1257
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1258
# Run 10 daemons (20 in largest server)
1258
# Run 10 daemons (20 in largest server)
1259
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1259
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1260
# on désactive par défaut le controle de contenu des pages html
1260
# on désactive par défaut le controle de contenu des pages html
1261
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1261
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1262
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1262
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1263
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1263
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1264
# on désactive par défaut le contrôle d'URL par expressions régulières
1264
# on désactive par défaut le contrôle d'URL par expressions régulières
1265
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1265
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1266
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1266
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1267
# on désactive par défaut le contrôle de téléchargement de fichiers
1267
# on désactive par défaut le contrôle de téléchargement de fichiers
1268
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1268
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1269
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1269
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1270
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1270
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1271
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1271
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1272
	touch $DIR_DG/lists/bannedextensionlist
1272
	touch $DIR_DG/lists/bannedextensionlist
1273
	touch $DIR_DG/lists/bannedmimetypelist
1273
	touch $DIR_DG/lists/bannedmimetypelist
1274
# 'Safesearch' regex actualisation
1274
# 'Safesearch' regex actualisation
1275
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1275
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1276
# empty LAN IP list that won't be WEB filtered
1276
# empty LAN IP list that won't be WEB filtered
1277
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1277
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1278
	touch $DIR_DG/lists/exceptioniplist
1278
	touch $DIR_DG/lists/exceptioniplist
1279
# Keep a copy of URL & domain filter configuration files
1279
# Keep a copy of URL & domain filter configuration files
1280
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1280
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1281
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1281
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1282
} # End of dansguardian ()
1282
} # End of dansguardian ()
1283
 
1283
 
1284
##################################################################
1284
##################################################################
1285
##			Fonction "antivirus"			##
1285
##			Fonction "antivirus"			##
1286
## - configuration of havp, libclamav and freshclam		##
1286
## - configuration of havp, libclamav and freshclam		##
1287
##################################################################
1287
##################################################################
1288
antivirus ()		
1288
antivirus ()		
1289
{
1289
{
1290
# create 'havp' user
1290
# create 'havp' user
1291
	havp_exist=`grep havp /etc/passwd|wc -l`
1291
	havp_exist=`grep havp /etc/passwd|wc -l`
1292
	if [ "$havp_exist" == "1" ]
1292
	if [ "$havp_exist" == "1" ]
1293
	then
1293
	then
1294
	      userdel -r havp 2>/dev/null
1294
	      userdel -r havp 2>/dev/null
1295
	      groupdel havp 2>/dev/null
1295
	      groupdel havp 2>/dev/null
1296
	fi
1296
	fi
1297
	groupadd -f havp
1297
	groupadd -f havp
1298
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1298
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1299
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1299
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1300
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1300
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1301
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1301
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1302
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1302
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1303
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1303
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1304
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1304
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1305
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1305
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1306
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1306
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1307
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1307
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1308
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1308
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1309
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1309
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1310
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1310
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1311
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1311
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1312
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1312
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1313
# skip checking of youtube flow (too heavy load / risk too low)
1313
# skip checking of youtube flow (too heavy load / risk too low)
1314
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1314
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1315
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1315
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1316
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1316
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1317
# adapt init script and systemd unit
1317
# adapt init script and systemd unit
1318
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1318
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1319
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1319
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1320
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1320
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1321
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1321
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1322
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1322
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1323
# replace of the intercept page (template)
1323
# replace of the intercept page (template)
1324
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1324
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1325
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1325
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1326
# update virus database every 4 hours (24h/6)
1326
# update virus database every 4 hours (24h/6)
1327
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1327
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1328
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1328
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1329
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1329
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1330
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1330
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1331
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1331
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1332
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1332
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1333
# update now
1333
# update now
1334
	/usr/bin/freshclam --no-warnings
1334
	/usr/bin/freshclam --no-warnings
1335
} # End of antivirus ()
1335
} # End of antivirus ()
1336
 
1336
 
1337
##########################################################################
1337
##########################################################################
1338
##			Fonction "tinyproxy"				##
1338
##			Fonction "tinyproxy"				##
1339
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1339
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1340
##########################################################################
1340
##########################################################################
1341
tinyproxy ()		
1341
tinyproxy ()		
1342
{
1342
{
1343
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1343
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1344
	if [ "$tinyproxy_exist" == "1" ]
1344
	if [ "$tinyproxy_exist" == "1" ]
1345
	then
1345
	then
1346
	      userdel -r tinyproxy 2>/dev/null
1346
	      userdel -r tinyproxy 2>/dev/null
1347
	      groupdel tinyproxy 2>/dev/null
1347
	      groupdel tinyproxy 2>/dev/null
1348
	fi
1348
	fi
1349
	groupadd -f tinyproxy
1349
	groupadd -f tinyproxy
1350
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1350
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1351
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1351
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1352
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1352
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1353
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1353
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1354
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1354
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1355
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1355
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1356
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1356
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1357
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1357
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1358
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1358
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1359
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1359
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1360
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1360
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1361
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1361
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1362
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1362
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1363
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1363
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1364
# Create the systemd unit
1364
# Create the systemd unit
1365
cat << EOF > /lib/systemd/system/tinyproxy.service
1365
cat << EOF > /lib/systemd/system/tinyproxy.service
1366
#  This file is part of systemd.
1366
#  This file is part of systemd.
1367
#
1367
#
1368
#  systemd is free software; you can redistribute it and/or modify it
1368
#  systemd is free software; you can redistribute it and/or modify it
1369
#  under the terms of the GNU General Public License as published by
1369
#  under the terms of the GNU General Public License as published by
1370
#  the Free Software Foundation; either version 2 of the License, or
1370
#  the Free Software Foundation; either version 2 of the License, or
1371
#  (at your option) any later version.
1371
#  (at your option) any later version.
1372
 
1372
 
1373
# This unit launches tinyproxy (a very light proxy).
1373
# This unit launches tinyproxy (a very light proxy).
1374
# The "sleep 2" is needed because the pid file isn't ready for systemd
1374
# The "sleep 2" is needed because the pid file isn't ready for systemd
1375
[Unit]
1375
[Unit]
1376
Description=Tinyproxy Web Proxy Server
1376
Description=Tinyproxy Web Proxy Server
1377
After=network.target iptables.service
1377
After=network.target iptables.service
1378
 
1378
 
1379
[Service]
1379
[Service]
1380
Type=forking
1380
Type=forking
1381
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1381
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1382
ExecStartPre=/bin/sleep 2
1382
ExecStartPre=/bin/sleep 2
1383
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1383
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1384
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1384
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1385
 
1385
 
1386
[Install]
1386
[Install]
1387
WantedBy=multi-user.target
1387
WantedBy=multi-user.target
1388
EOF
1388
EOF
1389
 
1389
 
1390
} # end of tinyproxy
1390
} # end of tinyproxy
1391
##################################################################################
1391
##################################################################################
1392
##			function "ulogd"					##
1392
##			function "ulogd"					##
1393
## - Ulog config for multi-log files 						##
1393
## - Ulog config for multi-log files 						##
1394
##################################################################################
1394
##################################################################################
1395
ulogd ()
1395
ulogd ()
1396
{
1396
{
1397
# Three instances of ulogd (three different logfiles)
1397
# Three instances of ulogd (three different logfiles)
1398
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1398
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1399
	nl=1
1399
	nl=1
1400
	for log_type in traceability ssh ext-access
1400
	for log_type in traceability ssh ext-access
1401
	do
1401
	do
1402
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1402
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1403
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1403
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1404
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1404
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1405
		$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
1405
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1406
		if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
1406
		if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
1407
		cat << EOF >> /etc/ulogd-$log_type.conf
1407
		cat << EOF >> /etc/ulogd-$log_type.conf
1408
[emu1]
1408
[emu1]
1409
file="/var/log/firewall/$log_type.log"
1409
file="/var/log/firewall/$log_type.log"
1410
sync=1
1410
sync=1
1411
EOF
1411
EOF
1412
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1412
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1413
		nl=`expr $nl + 1`
1413
		nl=`expr $nl + 1`
1414
	done
1414
	done
1415
	chown -R root:apache /var/log/firewall
1415
	chown -R root:apache /var/log/firewall
1416
	chmod 750 /var/log/firewall
1416
	chmod 750 /var/log/firewall
1417
	chmod 640 /var/log/firewall/*
1417
	chmod 640 /var/log/firewall/*
1418
}  # End of ulogd ()
1418
}  # End of ulogd ()
1419
 
1419
 
1420
 
1420
 
1421
##########################################################
1421
##########################################################
1422
##              Function "nfsen"			##
1422
##              Function "nfsen"			##
1423
## - install the nfsen grapher				##
1423
## - install the nfsen grapher				##
1424
## - install the two plugins porttracker & surfmap	##
1424
## - install the two plugins porttracker & surfmap	##
1425
##########################################################
1425
##########################################################
1426
nfsen()
1426
nfsen()
1427
{
1427
{
1428
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1428
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1429
# Add PortTracker plugin
1429
# Add PortTracker plugin
1430
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1430
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1431
	do
1431
	do
1432
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1432
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1433
	done
1433
	done
1434
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1434
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1435
# use of our conf file and init unit
1435
# use of our conf file and init unit
1436
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1436
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1437
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1437
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1438
	DirTmp=$(pwd)
1438
	DirTmp=$(pwd)
1439
	cd /tmp/nfsen-1.3.7/
1439
	cd /tmp/nfsen-1.3.7/
1440
	/usr/bin/perl install.pl etc/nfsen.conf
1440
	/usr/bin/perl install.pl etc/nfsen.conf
1441
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1441
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1442
# Create RRD DB for porttracker (only in it still doesn't exist)
1442
# Create RRD DB for porttracker (only in it still doesn't exist)
1443
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1443
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1444
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1444
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1445
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1445
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1446
	chmod -R 770 /var/log/netflow/porttracker
1446
	chmod -R 770 /var/log/netflow/porttracker
1447
# nfsen unit for systemd
1447
# nfsen unit for systemd
1448
cat << EOF > /lib/systemd/system/nfsen.service
1448
cat << EOF > /lib/systemd/system/nfsen.service
1449
#  This file is part of systemd.
1449
#  This file is part of systemd.
1450
#
1450
#
1451
#  systemd is free software; you can redistribute it and/or modify it
1451
#  systemd is free software; you can redistribute it and/or modify it
1452
#  under the terms of the GNU General Public License as published by
1452
#  under the terms of the GNU General Public License as published by
1453
#  the Free Software Foundation; either version 2 of the License, or
1453
#  the Free Software Foundation; either version 2 of the License, or
1454
#  (at your option) any later version.
1454
#  (at your option) any later version.
1455
 
1455
 
1456
# This unit launches nfsen (a Netflow grapher).
1456
# This unit launches nfsen (a Netflow grapher).
1457
[Unit]
1457
[Unit]
1458
Description= NfSen init script
1458
Description= NfSen init script
1459
After=network.target iptables.service
1459
After=network.target iptables.service
1460
 
1460
 
1461
[Service]
1461
[Service]
1462
Type=oneshot
1462
Type=oneshot
1463
RemainAfterExit=yes
1463
RemainAfterExit=yes
1464
PIDFile=/var/run/nfsen/nfsen.pid
1464
PIDFile=/var/run/nfsen/nfsen.pid
1465
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1465
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1466
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1466
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1467
ExecStart=/usr/bin/nfsen start 
1467
ExecStart=/usr/bin/nfsen start 
1468
ExecStop=/usr/bin/nfsen stop
1468
ExecStop=/usr/bin/nfsen stop
1469
ExecReload=/usr/bin/nfsen restart
1469
ExecReload=/usr/bin/nfsen restart
1470
TimeoutSec=0
1470
TimeoutSec=0
1471
 
1471
 
1472
[Install]
1472
[Install]
1473
WantedBy=multi-user.target
1473
WantedBy=multi-user.target
1474
EOF
1474
EOF
1475
# Add the listen port to collect netflow packet (nfcapd)
1475
# Add the listen port to collect netflow packet (nfcapd)
1476
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1476
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1477
# expire delay for the profile "live"
1477
# expire delay for the profile "live"
1478
	/usr/bin/systemctl start nfsen
1478
	/usr/bin/systemctl start nfsen
1479
	/bin/nfsen -m live -e 62d 2>/dev/null
1479
	/bin/nfsen -m live -e 62d 2>/dev/null
1480
# add SURFmap plugin
1480
# add SURFmap plugin
1481
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1481
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1482
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1482
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1483
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1483
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1484
	cd /tmp/
1484
	cd /tmp/
1485
	/usr/bin/sh SURFmap/install.sh
1485
	/usr/bin/sh SURFmap/install.sh
1486
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1486
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1487
# clear the installation
1487
# clear the installation
1488
	cd $DirTmp
1488
	cd $DirTmp
1489
	rm -rf /tmp/nfsen*
1489
	rm -rf /tmp/nfsen*
1490
	rm -rf /tmp/SURFmap*
1490
	rm -rf /tmp/SURFmap*
1491
} # End of nfsen ()
1491
} # End of nfsen ()
1492
 
1492
 
1493
##################################################
1493
##################################################
1494
##		Function "vnstat"		##
1494
##		Function "vnstat"		##
1495
## Initialization of Vnstat and vnstat phpFE    ##
1495
## Initialization of Vnstat and vnstat phpFE    ##
1496
##################################################
1496
##################################################
1497
vnstat ()
1497
vnstat ()
1498
{
1498
{
1499
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1499
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1500
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1500
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1501
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1501
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1502
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1502
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1503
	/usr/bin/vnstat -u -i $EXTIF
1503
	/usr/bin/vnstat -u -i $EXTIF
1504
} # End of vnstat	
1504
} # End of vnstat	
1505
##################################################
1505
##################################################
1506
##		Function "dnsmasq"		##
1506
##		Function "dnsmasq"		##
1507
##################################################
1507
##################################################
1508
dnsmasq ()
1508
dnsmasq ()
1509
{
1509
{
1510
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1510
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1511
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1511
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1512
	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1512
	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1513
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1513
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1514
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1514
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1515
	cat << EOF > /etc/dnsmasq.conf 
1515
	cat << EOF > /etc/dnsmasq.conf 
1516
# Configuration file for "dnsmasq in forward mode"
1516
# Configuration file for "dnsmasq in forward mode"
1517
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1517
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1518
listen-address=$PRIVATE_IP
1518
listen-address=$PRIVATE_IP
1519
pid-file=/var/run/dnsmasq.pid
1519
pid-file=/var/run/dnsmasq.pid
1520
listen-address=127.0.0.1
1520
listen-address=127.0.0.1
1521
no-dhcp-interface=$INTIF
1521
no-dhcp-interface=$INTIF
1522
no-dhcp-interface=tun0
1522
no-dhcp-interface=tun0
1523
no-dhcp-interface=lo
1523
no-dhcp-interface=lo
1524
bind-interfaces
1524
bind-interfaces
1525
cache-size=256
1525
cache-size=256
1526
domain=$DOMAIN
1526
domain=$DOMAIN
1527
domain-needed
1527
domain-needed
1528
expand-hosts
1528
expand-hosts
1529
bogus-priv
1529
bogus-priv
1530
filterwin2k
1530
filterwin2k
1531
server=$DNS1
1531
server=$DNS1
1532
server=$DNS2
1532
server=$DNS2
1533
# DHCP service is configured. It will be enabled in "bypass" mode
1533
# DHCP service is configured. It will be enabled in "bypass" mode
1534
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1534
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1535
#dhcp-option=option:router,$PRIVATE_IP
1535
#dhcp-option=option:router,$PRIVATE_IP
1536
#dhcp-option=option:ntp-server,$PRIVATE_IP
1536
#dhcp-option=option:ntp-server,$PRIVATE_IP
1537
 
1537
 
1538
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1538
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1539
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1539
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1540
EOF
1540
EOF
1541
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1541
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1542
	cat << EOF > /etc/dnsmasq-blacklist.conf 
1542
	cat << EOF > /etc/dnsmasq-blacklist.conf 
1543
# Configuration file for "dnsmasq with blacklist"
1543
# Configuration file for "dnsmasq with blacklist"
1544
# Add Toulouse blacklist domains
1544
# Add Toulouse blacklist domains
1545
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1545
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1546
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1546
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1547
pid-file=/var/run/dnsmasq-blacklist.pid
1547
pid-file=/var/run/dnsmasq-blacklist.pid
1548
listen-address=$PRIVATE_IP
1548
listen-address=$PRIVATE_IP
1549
port=54
1549
port=54
1550
no-dhcp-interface=$INTIF
1550
no-dhcp-interface=$INTIF
1551
no-dhcp-interface=tun0
1551
no-dhcp-interface=tun0
1552
no-dhcp-interface=lo
1552
no-dhcp-interface=lo
1553
bind-interfaces
1553
bind-interfaces
1554
cache-size=256
1554
cache-size=256
1555
domain=$DOMAIN
1555
domain=$DOMAIN
1556
domain-needed
1556
domain-needed
1557
expand-hosts
1557
expand-hosts
1558
bogus-priv
1558
bogus-priv
1559
filterwin2k
1559
filterwin2k
1560
server=$DNS1
1560
server=$DNS1
1561
server=$DNS2
1561
server=$DNS2
1562
EOF
1562
EOF
1563
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1563
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1564
	cat << EOF > /etc/dnsmasq-whitelist.conf 
1564
	cat << EOF > /etc/dnsmasq-whitelist.conf 
1565
# Configuration file for "dnsmasq with whitelist"
1565
# Configuration file for "dnsmasq with whitelist"
1566
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1566
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1567
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1567
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1568
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1568
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1569
pid-file=/var/run/dnsmasq-whitelist.pid
1569
pid-file=/var/run/dnsmasq-whitelist.pid
1570
listen-address=$PRIVATE_IP
1570
listen-address=$PRIVATE_IP
1571
port=55
1571
port=55
1572
no-dhcp-interface=$INTIF
1572
no-dhcp-interface=$INTIF
1573
no-dhcp-interface=tun0
1573
no-dhcp-interface=tun0
1574
no-dhcp-interface=lo
1574
no-dhcp-interface=lo
1575
bind-interfaces
1575
bind-interfaces
1576
cache-size=256
1576
cache-size=256
1577
domain=$DOMAIN
1577
domain=$DOMAIN
1578
domain-needed
1578
domain-needed
1579
expand-hosts
1579
expand-hosts
1580
bogus-priv
1580
bogus-priv
1581
filterwin2k
1581
filterwin2k
1582
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1582
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1583
ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1583
ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1584
EOF
1584
EOF
1585
# 4th dnsmasq listen on udp 56 ("blackhole")
1585
# 4th dnsmasq listen on udp 56 ("blackhole")
1586
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1586
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1587
# Configuration file for "dnsmasq as a blackhole"
1587
# Configuration file for "dnsmasq as a blackhole"
1588
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1588
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1589
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1589
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1590
pid-file=/var/run/dnsmasq-blackhole.pid
1590
pid-file=/var/run/dnsmasq-blackhole.pid
1591
listen-address=$PRIVATE_IP
1591
listen-address=$PRIVATE_IP
1592
port=56
1592
port=56
1593
no-dhcp-interface=$INTIF
1593
no-dhcp-interface=$INTIF
1594
no-dhcp-interface=tun0
1594
no-dhcp-interface=tun0
1595
no-dhcp-interface=lo
1595
no-dhcp-interface=lo
1596
bind-interfaces
1596
bind-interfaces
1597
cache-size=256
1597
cache-size=256
1598
domain=$DOMAIN
1598
domain=$DOMAIN
1599
domain-needed
1599
domain-needed
1600
expand-hosts
1600
expand-hosts
1601
bogus-priv
1601
bogus-priv
1602
filterwin2k
1602
filterwin2k
1603
EOF
1603
EOF
1604
 
1604
 
1605
# the main instance should start after network and chilli (which create tun0)
1605
# the main instance should start after network and chilli (which create tun0)
1606
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1606
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1607
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1607
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1608
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1608
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1609
	for list in blacklist whitelist blackhole
1609
	for list in blacklist whitelist blackhole
1610
	do
1610
	do
1611
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1611
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1612
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1612
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1613
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1613
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1614
	done
1614
	done
1615
} # End dnsmasq
1615
} # End dnsmasq
1616
 
1616
 
1617
##########################################################
1617
##########################################################
1618
##		Fonction "BL"				##
1618
##		Fonction "BL"				##
1619
##########################################################
1619
##########################################################
1620
BL ()
1620
BL ()
1621
{
1621
{
1622
# copy and extract toulouse BL
1622
# copy and extract toulouse BL
1623
	rm -rf $DIR_DG/lists/blacklists
1623
	rm -rf $DIR_DG/lists/blacklists
1624
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1624
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1625
# creation of the OSSI BL and WL categories (domain name and url)
1625
# creation of the OSSI BL and WL categories (domain name and url)
1626
	mkdir $DIR_DG/lists/blacklists/ossi
1626
	mkdir $DIR_DG/lists/blacklists/ossi
1627
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
1627
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
1628
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1628
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1629
	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
1629
	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
1630
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1630
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1631
# creation of file for the rehabilited domains and urls
1631
# creation of file for the rehabilited domains and urls
1632
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1632
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1633
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1633
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1634
	touch $DIR_DG/lists/exceptionsitelist
1634
	touch $DIR_DG/lists/exceptionsitelist
1635
	touch $DIR_DG/lists/exceptionurllist
1635
	touch $DIR_DG/lists/exceptionurllist
1636
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1636
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1637
	cat <<EOF > $DIR_DG/lists/bannedurllist
1637
	cat <<EOF > $DIR_DG/lists/bannedurllist
1638
# Dansguardian filter config for ALCASAR
1638
# Dansguardian filter config for ALCASAR
1639
EOF
1639
EOF
1640
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1640
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1641
# Dansguardian domain filter config for ALCASAR
1641
# Dansguardian domain filter config for ALCASAR
1642
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1642
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1643
#**
1643
#**
1644
# block all SSL and CONNECT tunnels
1644
# block all SSL and CONNECT tunnels
1645
**s
1645
**s
1646
# block all SSL and CONNECT tunnels specified only as an IP
1646
# block all SSL and CONNECT tunnels specified only as an IP
1647
*ips
1647
*ips
1648
# block all sites specified only by an IP
1648
# block all sites specified only by an IP
1649
*ip
1649
*ip
1650
EOF
1650
EOF
1651
# Add Bing and Youtube to the safesearch url regext list (parental control)
1651
# Add Bing and Youtube to the safesearch url regext list (parental control)
1652
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1652
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1653
# Bing - add 'adlt=strict'
1653
# Bing - add 'adlt=strict'
1654
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1654
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1655
# Youtube - add 'edufilter=your_ID' 
1655
# Youtube - add 'edufilter=your_ID' 
1656
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
1656
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
1657
EOF
1657
EOF
1658
# change the the google safesearch ("safe=strict" instead of "safe=vss")
1658
# change the the google safesearch ("safe=strict" instead of "safe=vss")
1659
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1659
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1660
# adapt the BL to ALCASAR architecture. Enable the default categories
1660
# adapt the BL to ALCASAR architecture. Enable the default categories
1661
	if [ "$mode" != "update" ]; then
1661
	if [ "$mode" != "update" ]; then
1662
		$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1662
		$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1663
		$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1663
		$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1664
	fi
1664
	fi
1665
}
1665
}
1666
 
1666
 
1667
##########################################################
1667
##########################################################
1668
##		Fonction "cron"				##
1668
##		Fonction "cron"				##
1669
## - Mise en place des différents fichiers de cron	##
1669
## - Mise en place des différents fichiers de cron	##
1670
##########################################################
1670
##########################################################
1671
cron ()
1671
cron ()
1672
{
1672
{
1673
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1673
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1674
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1674
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1675
	cat <<EOF > /etc/crontab
1675
	cat <<EOF > /etc/crontab
1676
SHELL=/bin/bash
1676
SHELL=/bin/bash
1677
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1677
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1678
MAILTO=root
1678
MAILTO=root
1679
HOME=/
1679
HOME=/
1680
 
1680
 
1681
# run-parts
1681
# run-parts
1682
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1682
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1683
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1683
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1684
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1684
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1685
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1685
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1686
EOF
1686
EOF
1687
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1687
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1688
	cat <<EOF >> /etc/anacrontab
1688
	cat <<EOF >> /etc/anacrontab
1689
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1689
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1690
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1690
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1691
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1691
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1692
EOF
1692
EOF
1693
 
1693
 
1694
	cat <<EOF > /etc/cron.d/alcasar-mysql
1694
	cat <<EOF > /etc/cron.d/alcasar-mysql
1695
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1695
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1696
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
1696
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
1697
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1697
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1698
40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1698
40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1699
EOF
1699
EOF
1700
	cat <<EOF > /etc/cron.d/alcasar-archive
1700
	cat <<EOF > /etc/cron.d/alcasar-archive
1701
# Archive des logs et de la base de données (tous les lundi à 5h35)
1701
# Archive des logs et de la base de données (tous les lundi à 5h35)
1702
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1702
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1703
EOF
1703
EOF
1704
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1704
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1705
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1705
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1706
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1706
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1707
EOF
1707
EOF
1708
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1708
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1709
# mise à jour automatique de la distribution tous les jours 3h30
1709
# mise à jour automatique de la distribution tous les jours 3h30
1710
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1710
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1711
EOF
1711
EOF
1712
	#cat << EOF > /etc/cron.d/alcasar-netflow
1712
	#cat << EOF > /etc/cron.d/alcasar-netflow
1713
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1713
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1714
#15 0 * * 1  root $DIR_DEST_BIN/alcasar-netflow.sh
1714
#15 0 * * 1  root $DIR_DEST_BIN/alcasar-netflow.sh
1715
#EOF
1715
#EOF
1716
 
1716
 
1717
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1717
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1718
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
1718
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
1719
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
1719
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
1720
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
1720
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
1721
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
1721
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
1722
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
1722
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
1723
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
1723
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
1724
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
1724
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
1725
	rm -f /etc/cron.daily/freeradius-web
1725
	rm -f /etc/cron.daily/freeradius-web
1726
	rm -f /etc/cron.monthly/freeradius-web
1726
	rm -f /etc/cron.monthly/freeradius-web
1727
	cat << EOF > /etc/cron.d/freeradius-web
1727
	cat << EOF > /etc/cron.d/freeradius-web
1728
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
1728
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
1729
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
1729
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
1730
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
1730
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
1731
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
1731
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
1732
EOF
1732
EOF
1733
	cat << EOF > /etc/cron.d/alcasar-watchdog
1733
	cat << EOF > /etc/cron.d/alcasar-watchdog
1734
# activation du "chien de garde" (watchdog) toutes les 3'
1734
# activation du "chien de garde" (watchdog) toutes les 3'
1735
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1735
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1736
EOF
1736
EOF
1737
# activation du "chien de garde des services" (watchdog) toutes les 18'
1737
# activation du "chien de garde des services" (watchdog) toutes les 18'
1738
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1738
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1739
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1739
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1740
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1740
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1741
EOF
1741
EOF
1742
# suppression des crons usagers
1742
# suppression des crons usagers
1743
	rm -f /var/spool/cron/*
1743
	rm -f /var/spool/cron/*
1744
} # End cron
1744
} # End cron
1745
 
1745
 
1746
##################################################################
1746
##################################################################
1747
## 			Fonction "Fail2Ban"			##
1747
## 			Fonction "Fail2Ban"			##
1748
##- Modification de la configuration de fail2ban		##
1748
##- Modification de la configuration de fail2ban		##
1749
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1749
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1750
##################################################################
1750
##################################################################
1751
fail2ban()
1751
fail2ban()
1752
{
1752
{
1753
	$DIR_CONF/fail2ban.sh
1753
	$DIR_CONF/fail2ban.sh
1754
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1754
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1755
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1755
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1756
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1756
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1757
	chmod 644 /var/log/fail2ban.log
1757
	chmod 644 /var/log/fail2ban.log
1758
	chmod 644 /var/Save/security/watchdog.log
1758
	chmod 644 /var/Save/security/watchdog.log
1759
	/usr/bin/touch /var/log/auth.log
1759
	/usr/bin/touch /var/log/auth.log
1760
# fail2ban unit
1760
# fail2ban unit
1761
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1761
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1762
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1762
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1763
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1763
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1764
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1764
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1765
} #Fin de fail2ban_install()
1765
} #Fin de fail2ban_install()
1766
 
1766
 
1767
##################################################################
1767
##################################################################
1768
## 			Fonction "gammu_smsd"			##
1768
## 			Fonction "gammu_smsd"			##
1769
## - Creation de la base de donnée Gammu			##
1769
## - Creation de la base de donnée Gammu			##
1770
## - Creation du fichier de config: gammu_smsd_conf		##
1770
## - Creation du fichier de config: gammu_smsd_conf		##
1771
##								##
1771
##								##
1772
##################################################################
1772
##################################################################
1773
gammu_smsd()
1773
gammu_smsd()
1774
{
1774
{
1775
# Create 'gammu' databse
1775
# Create 'gammu' databse
1776
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1776
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1777
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1777
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1778
# Add a gammu database structure
1778
# Add a gammu database structure
1779
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
1779
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
1780
 
1780
 
1781
# config file for the daemon
1781
# config file for the daemon
1782
cat << EOF > /etc/gammu_smsd_conf
1782
cat << EOF > /etc/gammu_smsd_conf
1783
[gammu]
1783
[gammu]
1784
port = /dev/ttyUSB0
1784
port = /dev/ttyUSB0
1785
connection = at115200
1785
connection = at115200
1786
 
1786
 
1787
;########################################################
1787
;########################################################
1788
 
1788
 
1789
[smsd]
1789
[smsd]
1790
 
1790
 
1791
PIN = 1234
1791
PIN = 1234
1792
 
1792
 
1793
logfile = /var/log/gammu-smsd/gammu-smsd.log
1793
logfile = /var/log/gammu-smsd/gammu-smsd.log
1794
logformat = textall
1794
logformat = textall
1795
debuglevel = 0
1795
debuglevel = 0
1796
 
1796
 
1797
service = sql
1797
service = sql
1798
driver = native_mysql
1798
driver = native_mysql
1799
user = $DB_USER
1799
user = $DB_USER
1800
password = $radiuspwd
1800
password = $radiuspwd
1801
pc = localhost
1801
pc = localhost
1802
database = $DB_GAMMU
1802
database = $DB_GAMMU
1803
 
1803
 
1804
RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
1804
RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
1805
 
1805
 
1806
StatusFrequency = 30
1806
StatusFrequency = 30
1807
;LoopSleep = 2
1807
;LoopSleep = 2
1808
 
1808
 
1809
;ResetFrequency = 300
1809
;ResetFrequency = 300
1810
;HardResetFrequency = 120
1810
;HardResetFrequency = 120
1811
 
1811
 
1812
CheckSecurity = 1 
1812
CheckSecurity = 1 
1813
CheckSignal = 1
1813
CheckSignal = 1
1814
CheckBattery = 0
1814
CheckBattery = 0
1815
EOF
1815
EOF
1816
 
1816
 
1817
chmod 755 /etc/gammu_smsd_conf
1817
chmod 755 /etc/gammu_smsd_conf
1818
 
1818
 
1819
#Creation dossier de log Gammu-smsd
1819
#Creation dossier de log Gammu-smsd
1820
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1820
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1821
chmod 755 /var/log/gammu-smsd
1821
chmod 755 /var/log/gammu-smsd
1822
 
1822
 
1823
#Edition du script sql gammu <-> radius
1823
#Edition du script sql gammu <-> radius
1824
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1824
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1825
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1825
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1826
 
1826
 
1827
#Création de la règle udev pour les Huawei // idVendor: 12d1
1827
#Création de la règle udev pour les Huawei // idVendor: 12d1
1828
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1828
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1829
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
1829
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
1830
EOF
1830
EOF
1831
 
1831
 
1832
} # END gammu_smsd()
1832
} # END gammu_smsd()
1833
 
1833
 
1834
##################################################################
1834
##################################################################
1835
##			Fonction "post_install"			##
1835
##			Fonction "post_install"			##
1836
## - Modification des bannières (locales et ssh) et des prompts ##
1836
## - Modification des bannières (locales et ssh) et des prompts ##
1837
## - Installation de la structure de chiffrement pour root	##
1837
## - Installation de la structure de chiffrement pour root	##
1838
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1838
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1839
## - Mise en place du la rotation des logs			##
1839
## - Mise en place du la rotation des logs			##
1840
## - Configuration dans le cas d'une mise à jour		##
1840
## - Configuration dans le cas d'une mise à jour		##
1841
##################################################################
1841
##################################################################
1842
post_install()
1842
post_install()
1843
{
1843
{
1844
# création de la bannière locale
1844
# création de la bannière locale
1845
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1845
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1846
	cp -f $DIR_CONF/banner /etc/mageia-release
1846
	cp -f $DIR_CONF/banner /etc/mageia-release
1847
	echo " V$VERSION" >> /etc/mageia-release
1847
	echo " V$VERSION" >> /etc/mageia-release
1848
# création de la bannière SSH
1848
# création de la bannière SSH
1849
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1849
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1850
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1850
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1851
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1851
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1852
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1852
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1853
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1853
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1854
# postfix banner anonymisation
1854
# postfix banner anonymisation
1855
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1855
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1856
# sshd écoute côté LAN et WAN
1856
# sshd écoute côté LAN et WAN
1857
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1857
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1858
# sshd autorise les connections root par certificat
1858
# sshd autorise les connections root par certificat
1859
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1859
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1860
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
1860
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
1861
	echo "SSH=off" >> $CONF_FILE
1861
	echo "SSH=off" >> $CONF_FILE
1862
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1862
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1863
	echo "QOS=off" >> $CONF_FILE
1863
	echo "QOS=off" >> $CONF_FILE
1864
	echo "LDAP=off" >> $CONF_FILE
1864
	echo "LDAP=off" >> $CONF_FILE
1865
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1865
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1866
	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1866
	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1867
	echo "MULTIWAN=off" >> $CONF_FILE
1867
	echo "MULTIWAN=off" >> $CONF_FILE
1868
	echo "FAILOVER=30" >> $CONF_FILE
1868
	echo "FAILOVER=30" >> $CONF_FILE
1869
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1869
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1870
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1870
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1871
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1871
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1872
# Coloration des prompts
1872
# Coloration des prompts
1873
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1873
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1874
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1874
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1875
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1875
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1876
# Droits d'exécution pour utilisateur apache et sysadmin
1876
# Droits d'exécution pour utilisateur apache et sysadmin
1877
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1877
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1878
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1878
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1879
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1879
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1880
# Modify some logrotate files (gammu, ulogd)
1880
# Modify some logrotate files (gammu, ulogd)
1881
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1881
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1882
	chmod 644 /etc/logrotate.d/*
1882
	chmod 644 /etc/logrotate.d/*
1883
# rectification sur versions précédentes de la compression des logs
1883
# rectification sur versions précédentes de la compression des logs
1884
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1884
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1885
# actualisation des fichiers logs compressés
1885
# actualisation des fichiers logs compressés
1886
	for dir in firewall dansguardian httpd
1886
	for dir in firewall dansguardian httpd
1887
	do
1887
	do
1888
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1888
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1889
	done
1889
	done
1890
# create the alcasar-load_balancing unit
1890
# create the alcasar-load_balancing unit
1891
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1891
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1892
#  This file is part of systemd.
1892
#  This file is part of systemd.
1893
#
1893
#
1894
#  systemd is free software; you can redistribute it and/or modify it
1894
#  systemd is free software; you can redistribute it and/or modify it
1895
#  under the terms of the GNU General Public License as published by
1895
#  under the terms of the GNU General Public License as published by
1896
#  the Free Software Foundation; either version 2 of the License, or
1896
#  the Free Software Foundation; either version 2 of the License, or
1897
#  (at your option) any later version.
1897
#  (at your option) any later version.
1898
 
1898
 
1899
# This unit lauches alcasar-load-balancing.sh script.
1899
# This unit lauches alcasar-load-balancing.sh script.
1900
[Unit]
1900
[Unit]
1901
Description=alcasar-load_balancing.sh execution
1901
Description=alcasar-load_balancing.sh execution
1902
After=network.target iptables.service
1902
After=network.target iptables.service
1903
 
1903
 
1904
[Service]
1904
[Service]
1905
Type=oneshot
1905
Type=oneshot
1906
RemainAfterExit=yes
1906
RemainAfterExit=yes
1907
ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
1907
ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
1908
ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
1908
ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
1909
TimeoutSec=0
1909
TimeoutSec=0
1910
SysVStartPriority=99
1910
SysVStartPriority=99
1911
 
1911
 
1912
[Install]
1912
[Install]
1913
WantedBy=multi-user.target
1913
WantedBy=multi-user.target
1914
EOF
1914
EOF
1915
# processes launched at boot time (Systemctl)
1915
# processes launched at boot time (Systemctl)
1916
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1916
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1917
	do
1917
	do
1918
		/usr/bin/systemctl -q enable $i.service
1918
		/usr/bin/systemctl -q enable $i.service
1919
	done
1919
	done
1920
	
1920
	
1921
# disable processes at boot time (Systemctl)
1921
# disable processes at boot time (Systemctl)
1922
	for i in ulogd
1922
	for i in ulogd
1923
	do
1923
	do
1924
		/usr/bin/systemctl -q disable $i.service
1924
		/usr/bin/systemctl -q disable $i.service
1925
	done
1925
	done
1926
	
1926
	
1927
# Apply French Security Agency (ANSSI) rules
1927
# Apply French Security Agency (ANSSI) rules
1928
# ignore ICMP broadcast (smurf attack)
1928
# ignore ICMP broadcast (smurf attack)
1929
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1929
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1930
# ignore ICMP errors bogus
1930
# ignore ICMP errors bogus
1931
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1931
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1932
# remove ICMP redirects responces
1932
# remove ICMP redirects responces
1933
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1933
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1934
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1934
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1935
# enable SYN Cookies (Syn flood attacks)
1935
# enable SYN Cookies (Syn flood attacks)
1936
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1936
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1937
# enable kernel antispoofing
1937
# enable kernel antispoofing
1938
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1938
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1939
# ignore source routing
1939
# ignore source routing
1940
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1940
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1941
# set conntrack timer to 1h (3600s) instead of 5 weeks
1941
# set conntrack timer to 1h (3600s) instead of 5 weeks
1942
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1942
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1943
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1943
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1944
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1944
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1945
# remove Magic SysReq Keys
1945
# remove Magic SysReq Keys
1946
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1946
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1947
# switch to multi-users runlevel (instead of x11)
1947
# switch to multi-users runlevel (instead of x11)
1948
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1948
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1949
#	GRUB modifications (only one time)
1949
#	GRUB modifications (only one time)
1950
# limit wait time to 3s
1950
# limit wait time to 3s
1951
# create an alcasar entry instead of linux-nonfb
1951
# create an alcasar entry instead of linux-nonfb
1952
# change display to 1024*768 (vga791)
1952
# change display to 1024*768 (vga791)
1953
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
1953
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
1954
	if [ $grub_already_modified == 0 ]
1954
	if [ $grub_already_modified == 0 ]
1955
		then
1955
		then
1956
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1956
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1957
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1957
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1958
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1958
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1959
		$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1959
		$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1960
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1960
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1961
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
1961
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
1962
	fi
1962
	fi
1963
# Remove unused services and users
1963
# Remove unused services and users
1964
	for svc in sshd
1964
	for svc in sshd
1965
	do
1965
	do
1966
		/usr/bin/systemctl -q disable $svc.service
1966
		/usr/bin/systemctl -q disable $svc.service
1967
	done
1967
	done
1968
# Load and apply the previous conf file
1968
# Load and apply the previous conf file
1969
	if [ "$mode" = "update" ]
1969
	if [ "$mode" = "update" ]
1970
	then
1970
	then
1971
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1971
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1972
		$DIR_DEST_BIN/alcasar-conf.sh --load
1972
		$DIR_DEST_BIN/alcasar-conf.sh --load
1973
		PARENT_SCRIPT=`basename $0`
1973
		PARENT_SCRIPT=`basename $0`
1974
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
1974
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
1975
		$DIR_DEST_BIN/alcasar-conf.sh --apply
1975
		$DIR_DEST_BIN/alcasar-conf.sh --apply
1976
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1976
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1977
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1977
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1978
	fi
1978
	fi
1979
	rm -f /tmp/alcasar-conf*
1979
	rm -f /tmp/alcasar-conf*
1980
	chown -R root:apache $DIR_DEST_ETC/*
1980
	chown -R root:apache $DIR_DEST_ETC/*
1981
	chmod -R 660 $DIR_DEST_ETC/*
1981
	chmod -R 660 $DIR_DEST_ETC/*
1982
	chmod ug+x $DIR_DEST_ETC/digest
1982
	chmod ug+x $DIR_DEST_ETC/digest
1983
# Apply and save the firewall rules
-
 
1984
 	sh $DIR_DEST_BIN/alcasar-iptables.sh
-
 
1985
	sleep 2
-
 
1986
	cd $DIR_INSTALL
1983
	cd $DIR_INSTALL
1987
	echo ""
1984
	echo ""
1988
	echo "#############################################################################"
1985
	echo "#############################################################################"
1989
	if [ $Lang == "fr" ]
1986
	if [ $Lang == "fr" ]
1990
		then
1987
		then
1991
		echo "#                        Fin d'installation d'ALCASAR                       #"
1988
		echo "#                        Fin d'installation d'ALCASAR                       #"
1992
		echo "#                                                                           #"
1989
		echo "#                                                                           #"
1993
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1990
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1994
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1991
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1995
		echo "#                                                                           #"
1992
		echo "#                                                                           #"
1996
		echo "#############################################################################"
1993
		echo "#############################################################################"
1997
		echo
1994
		echo
1998
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1995
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1999
		echo
1996
		echo
2000
		echo "- Lisez attentivement la documentation d'exploitation"
1997
		echo "- Lisez attentivement la documentation d'exploitation"
2001
		echo
1998
		echo
2002
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
1999
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
2003
		echo
2000
		echo
2004
		echo "                   Appuyez sur 'Entrée' pour continuer"
2001
		echo "                   Appuyez sur 'Entrée' pour continuer"
2005
	else	
2002
	else	
2006
		echo "#                        Enf of ALCASAR install process                     #"
2003
		echo "#                        Enf of ALCASAR install process                     #"
2007
		echo "#                                                                           #"
2004
		echo "#                                                                           #"
2008
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2005
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2009
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2006
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2010
		echo "#                                                                           #"
2007
		echo "#                                                                           #"
2011
		echo "#############################################################################"
2008
		echo "#############################################################################"
2012
		echo
2009
		echo
2013
		echo "- The system will be rebooted in order to operate ALCASAR"
2010
		echo "- The system will be rebooted in order to operate ALCASAR"
2014
		echo
2011
		echo
2015
		echo "- Read the exploitation documentation"
2012
		echo "- Read the exploitation documentation"
2016
		echo
2013
		echo
2017
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2014
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2018
		echo
2015
		echo
2019
		echo "                   Hit 'Enter' to continue"
2016
		echo "                   Hit 'Enter' to continue"
2020
	fi
2017
	fi
2021
	sleep 2
2018
	sleep 2
2022
	if [ "$mode" != "update" ]
2019
	if [ "$mode" != "update" ]
2023
	then
2020
	then
2024
		read a
2021
		read a
2025
	fi
2022
	fi
2026
	clear
2023
	clear
2027
	reboot
2024
	reboot
2028
} # End post_install ()
2025
} # End post_install ()
2029
 
2026
 
2030
#################################
2027
#################################
2031
#  	Main Install loop  	#
2028
#  	Main Install loop  	#
2032
#################################
2029
#################################
2033
dir_exec=`dirname "$0"`
2030
dir_exec=`dirname "$0"`
2034
if [ $dir_exec != "." ]
2031
if [ $dir_exec != "." ]
2035
then
2032
then
2036
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2033
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2037
	echo "Launch this program from the ALCASAR archive directory"
2034
	echo "Launch this program from the ALCASAR archive directory"
2038
	exit 0
2035
	exit 0
2039
fi
2036
fi
2040
VERSION=`cat $DIR_INSTALL/VERSION`
2037
VERSION=`cat $DIR_INSTALL/VERSION`
2041
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2038
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2042
nb_args=$#
2039
nb_args=$#
2043
args=$1
2040
args=$1
2044
if [ $nb_args -eq 0 ]
2041
if [ $nb_args -eq 0 ]
2045
then
2042
then
2046
	nb_args=1
2043
	nb_args=1
2047
	args="-h"
2044
	args="-h"
2048
fi
2045
fi
2049
chmod -R u+x $DIR_SCRIPTS/*
2046
chmod -R u+x $DIR_SCRIPTS/*
2050
case $args in
2047
case $args in
2051
	-\? | -h* | --h*)
2048
	-\? | -h* | --h*)
2052
		echo "$usage"
2049
		echo "$usage"
2053
		exit 0
2050
		exit 0
2054
		;;
2051
		;;
2055
	-i | --install)
2052
	-i | --install)
2056
		header_install
2053
		header_install
2057
		license
2054
		license
2058
		header_install
2055
		header_install
2059
		testing
2056
		testing
2060
# RPMs install
2057
# RPMs install
2061
		$DIR_SCRIPTS/alcasar-urpmi.sh
2058
		$DIR_SCRIPTS/alcasar-urpmi.sh
2062
		if [ "$?" != "0" ]
2059
		if [ "$?" != "0" ]
2063
		then
2060
		then
2064
			exit 0
2061
			exit 0
2065
		fi
2062
		fi
2066
		if [ -e $CONF_FILE ]
2063
		if [ -e $CONF_FILE ]
2067
		then
2064
		then
2068
# Uninstall the running version
2065
# Uninstall the running version
2069
			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2066
			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2070
		fi
2067
		fi
2071
# Test if manual update	
2068
# Test if manual update	
2072
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2069
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2073
		then
2070
		then
2074
			header_install
2071
			header_install
2075
			if [ $Lang == "fr" ]
2072
			if [ $Lang == "fr" ]
2076
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2073
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2077
				else echo "The configuration file of an old version has been found";
2074
				else echo "The configuration file of an old version has been found";
2078
			fi
2075
			fi
2079
			response=0
2076
			response=0
2080
			PTN='^[oOnNyY]$'
2077
			PTN='^[oOnNyY]$'
2081
			until [[ $(expr $response : $PTN) -gt 0 ]]
2078
			until [[ $(expr $response : $PTN) -gt 0 ]]
2082
			do
2079
			do
2083
				if [ $Lang == "fr" ]
2080
				if [ $Lang == "fr" ]
2084
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2081
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2085
					else echo -n "Do you want to use it (Y/n)?";
2082
					else echo -n "Do you want to use it (Y/n)?";
2086
				 fi
2083
				 fi
2087
				read response
2084
				read response
2088
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2085
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2089
				then rm -f /tmp/alcasar-conf*
2086
				then rm -f /tmp/alcasar-conf*
2090
				fi
2087
				fi
2091
			done
2088
			done
2092
		fi
2089
		fi
2093
# Test if update
2090
# Test if update
2094
		if [ -e /tmp/alcasar-conf* ] 
2091
		if [ -e /tmp/alcasar-conf* ] 
2095
		then
2092
		then
2096
			if [ $Lang == "fr" ]
2093
			if [ $Lang == "fr" ]
2097
				then echo "#### Installation avec mise à jour ####";
2094
				then echo "#### Installation avec mise à jour ####";
2098
				else echo "#### Installation with update     ####";
2095
				else echo "#### Installation with update     ####";
2099
			fi
2096
			fi
2100
# Extract the central configuration file
2097
# Extract the central configuration file
2101
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2098
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2102
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2099
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2103
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2100
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2104
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2101
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2105
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2102
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2106
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2103
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2107
			mode="update"
2104
			mode="update"
2108
		fi
2105
		fi
2109
		for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2106
		for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2110
		do
2107
		do
2111
			$func
2108
			$func
2112
# echo "*** 'debug' : end of function $func ***"; read a
2109
# echo "*** 'debug' : end of function $func ***"; read a
2113
		done
2110
		done
2114
		;;
2111
		;;
2115
	-u | --uninstall)
2112
	-u | --uninstall)
2116
		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
2113
		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
2117
		then
2114
		then
2118
			if [ $Lang == "fr" ]
2115
			if [ $Lang == "fr" ]
2119
				then echo "ALCASAR n'est pas installé!";
2116
				then echo "ALCASAR n'est pas installé!";
2120
				else echo "ALCASAR isn't installed!";
2117
				else echo "ALCASAR isn't installed!";
2121
			fi
2118
			fi
2122
			exit 0
2119
			exit 0
2123
		fi
2120
		fi
2124
		response=0
2121
		response=0
2125
		PTN='^[oOnN]$'
2122
		PTN='^[oOnN]$'
2126
		until [[ $(expr $response : $PTN) -gt 0 ]]
2123
		until [[ $(expr $response : $PTN) -gt 0 ]]
2127
		do
2124
		do
2128
			if [ $Lang == "fr" ]
2125
			if [ $Lang == "fr" ]
2129
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2126
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2130
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2127
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2131
			fi
2128
			fi
2132
			read response
2129
			read response
2133
		done
2130
		done
2134
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2131
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2135
		then
2132
		then
2136
			$DIR_SCRIPTS/alcasar-conf.sh --create
2133
			$DIR_SCRIPTS/alcasar-conf.sh --create
2137
		else	
2134
		else	
2138
			rm -f /tmp/alcasar-conf*
2135
			rm -f /tmp/alcasar-conf*
2139
		fi
2136
		fi
2140
# Uninstall the running version
2137
# Uninstall the running version
2141
		$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2138
		$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2142
		;;
2139
		;;
2143
	*)
2140
	*)
2144
		echo "Argument inconnu :$1";
2141
		echo "Argument inconnu :$1";
2145
		echo "Unknown argument :$1";
2142
		echo "Unknown argument :$1";
2146
		echo "$usage"
2143
		echo "$usage"
2147
		exit 1
2144
		exit 1
2148
		;;
2145
		;;
2149
esac
2146
esac
2150
# end of script
2147
# end of script
2151
 
2148
 
2152
 
2149