Subversion Repositories ALCASAR

Rev

Rev 1832 | Rev 1834 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1832 Rev 1833
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 1832 2016-04-24 14:19:20Z richard $ 
2
#  $Id: alcasar.sh 1833 2016-04-24 15:32:42Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
12
 
12
 
13
#  team@alcasar.net
13
#  team@alcasar.net
14
 
14
 
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
16
# This script is distributed under the Gnu General Public License (GPL)
16
# This script is distributed under the Gnu General Public License (GPL)
17
 
17
 
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
23
 
23
 
24
# Options :
24
# Options :
25
#       -i or --install
25
#       -i or --install
26
#       -u or --uninstall
26
#       -u or --uninstall
27
 
27
 
28
# Functions :
28
# Functions :
29
#	testing			: connectivity tests, free space test and mageia version test
29
#	testing			: connectivity tests, free space test and mageia version test
30
#	init			: Installation of RPM and scripts
30
#	init			: Installation of RPM and scripts
31
#	network			: Network parameters
31
#	network			: Network parameters
-
 
32
#	time			: NTPd configuration
32
#	ACC			: ALCASAR Control Center installation
33
#	ACC			: ALCASAR Control Center installation
33
#	CA			: Certification Authority initialization
34
#	CA			: Certification Authority initialization
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	init_db			: Initilization of radius database managed with MariaDB
35
#	radius			: FreeRadius initialisation
36
#	radius			: FreeRadius initialisation
36
#	radius_web		: copy ans modifiy original "freeradius web" in ACC
-
 
37
#	chilli			: coovachilli initialisation (+authentication page)
37
#	chilli			: coovachilli initialisation (+authentication page)
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
39
#	antivirus		: HAVP + libclamav configuration
39
#	antivirus		: HAVP + libclamav configuration
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
42
#	nfsen		:	: Configuration du grapheur nfsen pour apache 
42
#	nfsen		:	: Configuration du grapheur nfsen pour apache 
43
#	dnsmasq			: Name server configuration
43
#	dnsmasq			: Name server configuration
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	post_install		: Security, log rotation, etc.
49
#	post_install		: Security, log rotation, etc.
50
 
50
 
51
DATE=`date '+%d %B %Y - %Hh%M'`
51
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
53
Lang=`echo $LANG|cut -c 1-2`
53
Lang=`echo $LANG|cut -c 1-2`
54
mode="install"
54
mode="install"
55
# ******* Files parameters - paramètres fichiers *********
55
# ******* Files parameters - paramètres fichiers *********
56
DIR_INSTALL=`pwd`				# current directory 
56
DIR_INSTALL=`pwd`				# current directory 
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
59
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
60
DIR_WEB="/var/www/html"				# directory of APACHE
60
DIR_WEB="/var/www/html"				# directory of APACHE
61
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
61
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
62
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
62
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
63
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
63
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
64
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
64
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
65
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
65
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
66
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
66
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
67
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
67
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
68
# ******* DBMS parameters - paramètres SGBD ********
68
# ******* DBMS parameters - paramètres SGBD ********
69
DB_RADIUS="radius"				# database name used by FreeRadius server
69
DB_RADIUS="radius"				# database name used by FreeRadius server
70
DB_USER="radius"				# user name allows to request the users database
70
DB_USER="radius"				# user name allows to request the users database
71
DB_GAMMU="gammu"				# database name used by Gammu-smsd
71
DB_GAMMU="gammu"				# database name used by Gammu-smsd
72
# ******* Network parameters - paramètres réseau *******
72
# ******* Network parameters - paramètres réseau *******
73
HOSTNAME="alcasar"				# default hostname
73
HOSTNAME="alcasar"				# default hostname
74
DOMAIN="localdomain"				# default local domain
74
DOMAIN="localdomain"				# default local domain
75
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
75
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
76
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
76
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
77
MTU="1500"
77
MTU="1500"
78
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
78
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
79
# ****** Paths - chemin des commandes *******
79
# ****** Paths - chemin des commandes *******
80
SED="/bin/sed -i"
80
SED="/bin/sed -i"
81
# ****************** End of global parameters *********************
81
# ****************** End of global parameters *********************
82
 
82
 
83
license ()
83
license ()
84
{
84
{
85
	if [ $Lang == "fr" ]
85
	if [ $Lang == "fr" ]
86
	then
86
	then
87
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
87
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
88
	else
88
	else
89
		cat $DIR_INSTALL/gpl-warning.txt | more
89
		cat $DIR_INSTALL/gpl-warning.txt | more
90
	fi
90
	fi
91
	response=0
91
	response=0
92
	PTN='^[oOyYnN]$'
92
	PTN='^[oOyYnN]$'
93
	until [[ $(expr $response : $PTN) -gt 0 ]]
93
	until [[ $(expr $response : $PTN) -gt 0 ]]
94
	do
94
	do
95
		if [ $Lang == "fr" ]
95
		if [ $Lang == "fr" ]
96
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
96
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
97
			else echo -n "Do you accept the terms of this license (Y/n)? : "
97
			else echo -n "Do you accept the terms of this license (Y/n)? : "
98
		fi
98
		fi
99
		read response
99
		read response
100
	done
100
	done
101
	if [ "$response" = "n" ] || [ "$response" = "N" ]
101
	if [ "$response" = "n" ] || [ "$response" = "N" ]
102
	then
102
	then
103
		exit 1
103
		exit 1
104
	fi
104
	fi
105
}
105
}
106
 
106
 
107
header_install ()
107
header_install ()
108
{
108
{
109
	clear
109
	clear
110
	echo "-----------------------------------------------------------------------------"
110
	echo "-----------------------------------------------------------------------------"
111
	echo "                     ALCASAR V$VERSION Installation"
111
	echo "                     ALCASAR V$VERSION Installation"
112
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
112
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
113
	echo "-----------------------------------------------------------------------------"
113
	echo "-----------------------------------------------------------------------------"
114
}
114
}
115
 
115
 
116
##################################################################
116
##################################################################
117
##			Function "testing"			##
117
##			Function "testing"			##
118
## - Test of Mageia version					##
118
## - Test of Mageia version					##
119
## - Test of ALCASAR version (if already installed)		##
119
## - Test of ALCASAR version (if already installed)		##
120
## - Test of free space on /var  (>10G)				##
120
## - Test of free space on /var  (>10G)				##
121
## - Test of Internet access					##
121
## - Test of Internet access					##
122
##################################################################
122
##################################################################
123
testing ()
123
testing ()
124
{
124
{
125
# Test of Mageia version
125
# Test of Mageia version
126
# extract the current Mageia version and hardware architecture (i586 ou X64)
126
# extract the current Mageia version and hardware architecture (i586 ou X64)
127
	fic=`cat /etc/product.id`
127
	fic=`cat /etc/product.id`
128
	unknown_os=0
128
	unknown_os=0
129
	old="$IFS"
129
	old="$IFS"
130
	IFS=","
130
	IFS=","
131
	set $fic
131
	set $fic
132
	for i in $*
132
	for i in $*
133
	do
133
	do
134
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
134
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
135
			then 
135
			then 
136
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
136
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
137
			unknown_os=`expr $unknown_os + 1`
137
			unknown_os=`expr $unknown_os + 1`
138
		fi
138
		fi
139
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
139
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
140
			then 
140
			then 
141
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
141
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
142
			unknown_os=`expr $unknown_os + 1`
142
			unknown_os=`expr $unknown_os + 1`
143
		fi
143
		fi
144
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
144
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
145
			then 
145
			then 
146
			ARCH=`echo $i|cut -d"=" -f2`
146
			ARCH=`echo $i|cut -d"=" -f2`
147
			unknown_os=`expr $unknown_os + 1`
147
			unknown_os=`expr $unknown_os + 1`
148
		fi
148
		fi
149
	done
149
	done
150
	IFS="$old"
150
	IFS="$old"
151
# Test if ALCASAR is already installed
151
# Test if ALCASAR is already installed
152
	if [ -e $CONF_FILE ]
152
	if [ -e $CONF_FILE ]
153
	then
153
	then
154
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
154
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
155
		if [ $Lang == "fr" ]
155
		if [ $Lang == "fr" ]
156
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
156
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
157
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
157
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
158
		fi
158
		fi
159
		response=0
159
		response=0
160
		PTN='^[oOnNyY]$'
160
		PTN='^[oOnNyY]$'
161
		until [[ $(expr $response : $PTN) -gt 0 ]]
161
		until [[ $(expr $response : $PTN) -gt 0 ]]
162
		do
162
		do
163
			if [ $Lang == "fr" ]
163
			if [ $Lang == "fr" ]
164
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
164
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
165
				else echo -n "Do you want to update (Y/n)?";
165
				else echo -n "Do you want to update (Y/n)?";
166
			 fi
166
			 fi
167
			read response
167
			read response
168
		done
168
		done
169
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
169
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
170
		then
170
		then
171
			rm -f /tmp/alcasar-conf*
171
			rm -f /tmp/alcasar-conf*
172
		else
172
		else
173
# Retrieve former NICname
173
# Retrieve former NICname
174
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
174
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
175
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
175
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
176
# Create the current conf file
176
# Create the current conf file
177
			$DIR_SCRIPTS/alcasar-conf.sh --create
177
			$DIR_SCRIPTS/alcasar-conf.sh --create
178
			mode="update"
178
			mode="update"
179
		fi
179
		fi
180
	fi
180
	fi
181
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
181
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
182
		then
182
		then
183
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
183
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
184
			then
184
			then
185
			echo
185
			echo
186
			if [ $Lang == "fr" ]
186
			if [ $Lang == "fr" ]
187
				then	
187
				then	
188
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
188
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
189
				echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
189
				echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
190
				echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
190
				echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
191
				echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
191
				echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
192
			else
192
			else
193
				echo "The automatic update of ALCASAR can't be performed."
193
				echo "The automatic update of ALCASAR can't be performed."
194
				echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
194
				echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
195
				echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
195
				echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
196
				echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
196
				echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
197
			fi
197
			fi
198
		else
198
		else
199
			if [ $Lang == "fr" ]
199
			if [ $Lang == "fr" ]
200
				then	
200
				then	
201
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
201
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
202
			else
202
			else
203
				echo "The installation of ALCASAR can't be performed."
203
				echo "The installation of ALCASAR can't be performed."
204
			fi
204
			fi
205
		fi
205
		fi
206
		echo
206
		echo
207
		if [ $Lang == "fr" ]
207
		if [ $Lang == "fr" ]
208
			then	
208
			then	
209
			echo "Le système d'exploitation doit être remplacé (Mageia5)"
209
			echo "Le système d'exploitation doit être remplacé (Mageia5)"
210
		else
210
		else
211
			echo "The OS must be replaced (Mageia5)"
211
			echo "The OS must be replaced (Mageia5)"
212
		fi
212
		fi
213
		exit 0
213
		exit 0
214
	fi
214
	fi
215
	if [ ! -d /var/log/netflow/porttracker ]
215
	if [ ! -d /var/log/netflow/porttracker ]
216
		then
216
		then
217
# Test of free space on /var
217
# Test of free space on /var
218
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
218
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
219
		if [ $free_space -lt 10 ]
219
		if [ $free_space -lt 10 ]
220
			then
220
			then
221
			if [ $Lang == "fr" ]
221
			if [ $Lang == "fr" ]
222
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
222
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
223
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
223
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
224
			fi
224
			fi
225
		exit 0
225
		exit 0
226
		fi
226
		fi
227
	fi
227
	fi
228
	if [ $Lang == "fr" ]
228
	if [ $Lang == "fr" ]
229
		then echo -n "Tests des paramètres réseau : "
229
		then echo -n "Tests des paramètres réseau : "
230
		else echo -n "Network parameters tests : "
230
		else echo -n "Network parameters tests : "
231
	fi
231
	fi
232
# Test of Ethernet links state
232
# Test of Ethernet links state
233
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
233
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
234
	for i in $DOWN_IF
234
	for i in $DOWN_IF
235
	do
235
	do
236
		if [ $Lang == "fr" ]
236
		if [ $Lang == "fr" ]
237
		then 
237
		then 
238
			echo "Échec"
238
			echo "Échec"
239
			echo "Le lien réseau de la carte $i n'est pas actif."
239
			echo "Le lien réseau de la carte $i n'est pas actif."
240
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
240
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
241
		else
241
		else
242
			echo "Failed"
242
			echo "Failed"
243
			echo "The link state of $i interface is down."
243
			echo "The link state of $i interface is down."
244
			echo "Make sure that this network card is connected to a switch or an A.P."
244
			echo "Make sure that this network card is connected to a switch or an A.P."
245
		fi
245
		fi
246
		exit 0
246
		exit 0
247
	done
247
	done
248
	echo -n "."
248
	echo -n "."
249
 
249
 
250
# Test EXTIF config files
250
# Test EXTIF config files
251
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
251
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
252
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
252
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
253
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
253
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
254
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
254
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
255
	then
255
	then
256
		if [ $Lang == "fr" ]
256
		if [ $Lang == "fr" ]
257
		then 
257
		then 
258
			echo "Échec"
258
			echo "Échec"
259
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
259
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
260
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
260
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
261
			echo "Appliquez les changements : 'systemctl restart network'"
261
			echo "Appliquez les changements : 'systemctl restart network'"
262
		else
262
		else
263
			echo "Failed"
263
			echo "Failed"
264
			echo "The Internet connected network card ($EXTIF) isn't well configured."
264
			echo "The Internet connected network card ($EXTIF) isn't well configured."
265
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
265
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
266
			echo "Apply the new configuration 'systemctl restart network'"
266
			echo "Apply the new configuration 'systemctl restart network'"
267
		fi
267
		fi
268
		echo "DEVICE=$EXTIF"
268
		echo "DEVICE=$EXTIF"
269
		echo "IPADDR="
269
		echo "IPADDR="
270
		echo "NETMASK="
270
		echo "NETMASK="
271
		echo "GATEWAY="
271
		echo "GATEWAY="
272
		echo "DNS1="
272
		echo "DNS1="
273
		echo "DNS2="
273
		echo "DNS2="
274
		echo "ONBOOT=yes"
274
		echo "ONBOOT=yes"
275
		exit 0
275
		exit 0
276
	fi
276
	fi
277
	echo -n "."
277
	echo -n "."
278
 
278
 
279
# Test if router is alive (Box FAI)
279
# Test if router is alive (Box FAI)
280
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
280
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
281
		if [ $Lang == "fr" ]
281
		if [ $Lang == "fr" ]
282
		then 
282
		then 
283
			echo "Échec"
283
			echo "Échec"
284
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
284
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
285
			echo "Réglez ce problème puis relancez ce script."
285
			echo "Réglez ce problème puis relancez ce script."
286
		else
286
		else
287
			echo "Failed"
287
			echo "Failed"
288
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
288
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
289
			echo "Resolv this problem, then restart this script."
289
			echo "Resolv this problem, then restart this script."
290
		fi
290
		fi
291
		exit 0
291
		exit 0
292
	fi
292
	fi
293
	echo -n "."
293
	echo -n "."
294
# On teste le lien vers le routeur par defaut
294
# On teste le lien vers le routeur par defaut
295
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
295
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
296
	if [ $(expr $arp_reply) -eq 0 ]
296
	if [ $(expr $arp_reply) -eq 0 ]
297
	       	then
297
	       	then
298
		if [ $Lang == "fr" ]
298
		if [ $Lang == "fr" ]
299
		then 
299
		then 
300
			echo "Échec"
300
			echo "Échec"
301
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
301
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
302
			echo "Réglez ce problème puis relancez ce script."
302
			echo "Réglez ce problème puis relancez ce script."
303
		else
303
		else
304
			echo "Failed"
304
			echo "Failed"
305
			echo "The Internet gateway doesn't answered"
305
			echo "The Internet gateway doesn't answered"
306
			echo "Resolv this problem, then restart this script."
306
			echo "Resolv this problem, then restart this script."
307
		fi
307
		fi
308
		exit 0
308
		exit 0
309
	fi
309
	fi
310
	echo -n "."
310
	echo -n "."
311
# On teste la connectivité Internet
311
# On teste la connectivité Internet
312
	rm -rf /tmp/con_ok.html
312
	rm -rf /tmp/con_ok.html
313
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
313
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
314
	if [ ! -e /tmp/con_ok.html ]
314
	if [ ! -e /tmp/con_ok.html ]
315
	then
315
	then
316
		if [ $Lang == "fr" ]
316
		if [ $Lang == "fr" ]
317
		then 
317
		then 
318
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
318
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
319
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
319
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
320
			echo "Vérifiez la validité des adresses IP des DNS."
320
			echo "Vérifiez la validité des adresses IP des DNS."
321
		else
321
		else
322
			echo "The Internet connection try failed (google.fr)."
322
			echo "The Internet connection try failed (google.fr)."
323
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
323
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
324
			echo "Verify the DNS IP addresses"
324
			echo "Verify the DNS IP addresses"
325
		fi
325
		fi
326
		exit 0
326
		exit 0
327
	fi
327
	fi
328
	rm -rf /tmp/con_ok.html
328
	rm -rf /tmp/con_ok.html
329
	echo ". : ok"
329
	echo ". : ok"
330
} # end of testing ()
330
} # end of testing ()
331
 
331
 
332
##################################################################
332
##################################################################
333
##			Function "init"				##
333
##			Function "init"				##
334
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
334
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
335
## - Installation et modification des scripts du portail	##
335
## - Installation et modification des scripts du portail	##
336
##################################################################
336
##################################################################
337
init ()
337
init ()
338
{
338
{
339
	if [ "$mode" != "update" ]
339
	if [ "$mode" != "update" ]
340
	then
340
	then
341
# On affecte le nom d'organisme
341
# On affecte le nom d'organisme
342
		header_install
342
		header_install
343
		ORGANISME=!
343
		ORGANISME=!
344
		PTN='^[a-zA-Z0-9-]*$'
344
		PTN='^[a-zA-Z0-9-]*$'
345
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
345
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
346
                do
346
                do
347
			if [ $Lang == "fr" ]
347
			if [ $Lang == "fr" ]
348
			       	then echo -n "Entrez le nom de votre organisme : "
348
			       	then echo -n "Entrez le nom de votre organisme : "
349
				else echo -n "Enter the name of your organism : "
349
				else echo -n "Enter the name of your organism : "
350
			fi
350
			fi
351
			read ORGANISME
351
			read ORGANISME
352
			if [ "$ORGANISME" == "" ]
352
			if [ "$ORGANISME" == "" ]
353
				then
353
				then
354
				ORGANISME=!
354
				ORGANISME=!
355
			fi
355
			fi
356
		done
356
		done
357
	fi
357
	fi
358
# On crée aléatoirement les mots de passe et les secrets partagés
358
# On crée aléatoirement les mots de passe et les secrets partagés
359
	rm -f $PASSWD_FILE
359
	rm -f $PASSWD_FILE
360
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
360
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
361
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
361
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
362
	echo "$grubpwd" >> $PASSWD_FILE
362
	echo "$grubpwd" >> $PASSWD_FILE
363
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
363
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
364
	$SED "/^password.*/d" /boot/grub/menu.lst
364
	$SED "/^password.*/d" /boot/grub/menu.lst
365
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
365
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
366
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
366
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
367
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
367
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
368
	echo "root / $mysqlpwd" >> $PASSWD_FILE
368
	echo "root / $mysqlpwd" >> $PASSWD_FILE
369
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
369
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
370
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
370
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
371
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
371
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
372
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
372
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
373
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
373
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
374
	echo "$secretuam" >> $PASSWD_FILE
374
	echo "$secretuam" >> $PASSWD_FILE
375
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
375
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
376
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
376
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
377
	echo "$secretradius" >> $PASSWD_FILE
377
	echo "$secretradius" >> $PASSWD_FILE
378
	chmod 640 $PASSWD_FILE
378
	chmod 640 $PASSWD_FILE
379
#  copy scripts in in /usr/local/bin
379
#  copy scripts in in /usr/local/bin
380
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
380
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
381
#  copy conf files in /usr/local/etc
381
#  copy conf files in /usr/local/etc
382
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
382
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
383
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
383
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
384
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
384
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
385
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
385
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
386
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
386
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
387
# generate central conf file
387
# generate central conf file
388
	cat <<EOF > $CONF_FILE
388
	cat <<EOF > $CONF_FILE
389
##########################################
389
##########################################
390
##                                      ##
390
##                                      ##
391
##          ALCASAR Parameters          ##
391
##          ALCASAR Parameters          ##
392
##                                      ##
392
##                                      ##
393
##########################################
393
##########################################
394
 
394
 
395
INSTALL_DATE=$DATE
395
INSTALL_DATE=$DATE
396
VERSION=$VERSION
396
VERSION=$VERSION
397
ORGANISM=$ORGANISME
397
ORGANISM=$ORGANISME
398
HOSTNAME=$HOSTNAME
398
HOSTNAME=$HOSTNAME
399
DOMAIN=$DOMAIN
399
DOMAIN=$DOMAIN
400
EOF
400
EOF
401
	chmod o-rwx $CONF_FILE
401
	chmod o-rwx $CONF_FILE
402
} # End of init ()
402
} # End of init ()
403
 
403
 
404
##################################################################
404
##################################################################
405
##			Function "network"			##
405
##			Function "network"			##
406
## - Définition du plan d'adressage du réseau de consultation	##
406
## - Définition du plan d'adressage du réseau de consultation	##
407
## - Nommage DNS du système 					##
407
## - Nommage DNS du système 					##
408
## - Configuration de l'interface INTIF (réseau de consultation)##
408
## - Configuration de l'interface INTIF (réseau de consultation)##
409
## - Modification du fichier /etc/hosts				##
409
## - Modification du fichier /etc/hosts				##
410
## - Configuration du serveur de temps (NTP)			##
-
 
411
## - Renseignement des fichiers hosts.allow et hosts.deny	##
410
## - Renseignement des fichiers hosts.allow et hosts.deny	##
412
##################################################################
411
##################################################################
413
network ()
412
network ()
414
{
413
{
415
	header_install
414
	header_install
416
	if [ "$mode" != "update" ]
415
	if [ "$mode" != "update" ]
417
		then
416
		then
418
		if [ $Lang == "fr" ]
417
		if [ $Lang == "fr" ]
419
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
418
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
420
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
419
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
421
		fi
420
		fi
422
		response=0
421
		response=0
423
		PTN='^[oOyYnN]$'
422
		PTN='^[oOyYnN]$'
424
		until [[ $(expr $response : $PTN) -gt 0 ]]
423
		until [[ $(expr $response : $PTN) -gt 0 ]]
425
		do
424
		do
426
			if [ $Lang == "fr" ]
425
			if [ $Lang == "fr" ]
427
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
426
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
428
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
427
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
429
			fi
428
			fi
430
			read response
429
			read response
431
		done
430
		done
432
		if [ "$response" = "n" ] || [ "$response" = "N" ]
431
		if [ "$response" = "n" ] || [ "$response" = "N" ]
433
		then
432
		then
434
			PRIVATE_IP_MASK="0"
433
			PRIVATE_IP_MASK="0"
435
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
434
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
436
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
435
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
437
			do
436
			do
438
				if [ $Lang == "fr" ]
437
				if [ $Lang == "fr" ]
439
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
438
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
440
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
439
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
441
				fi
440
				fi
442
				read PRIVATE_IP_MASK
441
				read PRIVATE_IP_MASK
443
			done
442
			done
444
		else
443
		else
445
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
444
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
446
		fi
445
		fi
447
	else
446
	else
448
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
447
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
449
		rm -rf conf/etc/alcasar.conf
448
		rm -rf conf/etc/alcasar.conf
450
	fi
449
	fi
451
# Define LAN side global parameters
450
# Define LAN side global parameters
452
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
451
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
453
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
452
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
454
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
453
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
455
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
454
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
456
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
455
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
457
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
456
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
458
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
457
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
459
		then
458
		then
460
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
459
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
461
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
460
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
462
	fi	
461
	fi	
463
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
462
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
464
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
463
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
465
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
464
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
466
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
465
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
467
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
466
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
468
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
467
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
469
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
468
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
470
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
469
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
471
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
470
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
472
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
471
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
473
# Define Internet parameters
472
# Define Internet parameters
474
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
473
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
475
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
474
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
476
	if [ $nb_dns == 2 ]
475
	if [ $nb_dns == 2 ]
477
		then
476
		then
478
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
477
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
479
	fi
478
	fi
480
	DNS1=${DNS1:=208.67.220.220}
479
	DNS1=${DNS1:=208.67.220.220}
481
	DNS2=${DNS2:=208.67.222.222}
480
	DNS2=${DNS2:=208.67.222.222}
482
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
481
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
483
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
482
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
484
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
483
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
485
# Wrtie the conf file
484
# Wrtie the conf file
486
	echo "EXTIF=$EXTIF" >> $CONF_FILE
485
	echo "EXTIF=$EXTIF" >> $CONF_FILE
487
	echo "INTIF=$INTIF" >> $CONF_FILE
486
	echo "INTIF=$INTIF" >> $CONF_FILE
488
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
487
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
489
	if [ $IP_SETTING == "dhcp" ]
488
	if [ $IP_SETTING == "dhcp" ]
490
		then
489
		then
491
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
490
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
492
		echo "GW=dhcp" >> $CONF_FILE
491
		echo "GW=dhcp" >> $CONF_FILE
493
	else
492
	else
494
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
493
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
495
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
494
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
496
	fi
495
	fi
497
	echo "DNS1=$DNS1" >> $CONF_FILE
496
	echo "DNS1=$DNS1" >> $CONF_FILE
498
	echo "DNS2=$DNS2" >> $CONF_FILE
497
	echo "DNS2=$DNS2" >> $CONF_FILE
499
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
498
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
500
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
499
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
501
	echo "DHCP=on" >> $CONF_FILE
500
	echo "DHCP=on" >> $CONF_FILE
502
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
501
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
503
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
502
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
504
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
503
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
505
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
504
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
506
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
505
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
507
	echo "INT_DNS_IP=none" >> $CONF_FILE
506
	echo "INT_DNS_IP=none" >> $CONF_FILE
508
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
507
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
509
# network default
508
# network default
510
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
509
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
511
	cat <<EOF > /etc/sysconfig/network
510
	cat <<EOF > /etc/sysconfig/network
512
NETWORKING=yes
511
NETWORKING=yes
513
FORWARD_IPV4=true
512
FORWARD_IPV4=true
514
EOF
513
EOF
515
# /etc/hosts config
514
# /etc/hosts config
516
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
515
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
517
	cat <<EOF > /etc/hosts
516
	cat <<EOF > /etc/hosts
518
127.0.0.1	localhost
517
127.0.0.1	localhost
519
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
518
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
520
EOF
519
EOF
521
# EXTIF (Internet) config
520
# EXTIF (Internet) config
522
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
521
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
523
	if [ $IP_SETTING == "dhcp" ]
522
	if [ $IP_SETTING == "dhcp" ]
524
		then
523
		then
525
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
524
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
526
DEVICE=$EXTIF
525
DEVICE=$EXTIF
527
BOOTPROTO=dhcp
526
BOOTPROTO=dhcp
528
DNS1=127.0.0.1
527
DNS1=127.0.0.1
529
PEERDNS=no
528
PEERDNS=no
530
RESOLV_MODS=yes
529
RESOLV_MODS=yes
531
ONBOOT=yes
530
ONBOOT=yes
532
NOZEROCONF=yes
531
NOZEROCONF=yes
533
METRIC=10
532
METRIC=10
534
MII_NOT_SUPPORTED=yes
533
MII_NOT_SUPPORTED=yes
535
IPV6INIT=no
534
IPV6INIT=no
536
IPV6TO4INIT=no
535
IPV6TO4INIT=no
537
ACCOUNTING=no
536
ACCOUNTING=no
538
USERCTL=no
537
USERCTL=no
539
MTU=$MTU
538
MTU=$MTU
540
EOF
539
EOF
541
		else	
540
		else	
542
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
541
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
543
DEVICE=$EXTIF
542
DEVICE=$EXTIF
544
BOOTPROTO=static
543
BOOTPROTO=static
545
IPADDR=$PUBLIC_IP
544
IPADDR=$PUBLIC_IP
546
NETMASK=$PUBLIC_NETMASK
545
NETMASK=$PUBLIC_NETMASK
547
GATEWAY=$PUBLIC_GATEWAY
546
GATEWAY=$PUBLIC_GATEWAY
548
DNS1=127.0.0.1
547
DNS1=127.0.0.1
549
RESOLV_MODS=yes
548
RESOLV_MODS=yes
550
ONBOOT=yes
549
ONBOOT=yes
551
METRIC=10
550
METRIC=10
552
NOZEROCONF=yes
551
NOZEROCONF=yes
553
MII_NOT_SUPPORTED=yes
552
MII_NOT_SUPPORTED=yes
554
IPV6INIT=no
553
IPV6INIT=no
555
IPV6TO4INIT=no
554
IPV6TO4INIT=no
556
ACCOUNTING=no
555
ACCOUNTING=no
557
USERCTL=no
556
USERCTL=no
558
MTU=$MTU
557
MTU=$MTU
559
EOF
558
EOF
560
	fi
559
	fi
561
# Config INTIF (consultation LAN) in normal mode
560
# Config INTIF (consultation LAN) in normal mode
562
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
561
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
563
DEVICE=$INTIF
562
DEVICE=$INTIF
564
BOOTPROTO=static
563
BOOTPROTO=static
565
ONBOOT=yes
564
ONBOOT=yes
566
NOZEROCONF=yes
565
NOZEROCONF=yes
567
MII_NOT_SUPPORTED=yes
566
MII_NOT_SUPPORTED=yes
568
IPV6INIT=no
567
IPV6INIT=no
569
IPV6TO4INIT=no
568
IPV6TO4INIT=no
570
ACCOUNTING=no
569
ACCOUNTING=no
571
USERCTL=no
570
USERCTL=no
572
EOF
571
EOF
573
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
572
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
574
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
573
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
575
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
574
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
576
DEVICE=$INTIF
575
DEVICE=$INTIF
577
BOOTPROTO=static
576
BOOTPROTO=static
578
IPADDR=$PRIVATE_IP
577
IPADDR=$PRIVATE_IP
579
NETMASK=$PRIVATE_NETMASK
578
NETMASK=$PRIVATE_NETMASK
580
ONBOOT=yes
579
ONBOOT=yes
581
METRIC=10
580
METRIC=10
582
NOZEROCONF=yes
581
NOZEROCONF=yes
583
MII_NOT_SUPPORTED=yes
582
MII_NOT_SUPPORTED=yes
584
IPV6INIT=no
583
IPV6INIT=no
585
IPV6TO4INIT=no
584
IPV6TO4INIT=no
586
ACCOUNTING=no
585
ACCOUNTING=no
587
USERCTL=no
586
USERCTL=no
588
EOF
587
EOF
589
# Mise à l'heure du serveur
-
 
590
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
-
 
591
	cat <<EOF > /etc/ntp/step-tickers
-
 
592
0.fr.pool.ntp.org	# adapt to your country
-
 
593
1.fr.pool.ntp.org
-
 
594
2.fr.pool.ntp.org
-
 
595
EOF
-
 
596
# Configuration du serveur de temps (sur lui même)
-
 
597
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
-
 
598
	cat <<EOF > /etc/ntp.conf
-
 
599
server 0.fr.pool.ntp.org	# adapt to your country
-
 
600
server 1.fr.pool.ntp.org
-
 
601
server 2.fr.pool.ntp.org
-
 
602
server 127.127.1.0   		# local clock si NTP internet indisponible ...
-
 
603
fudge 127.127.1.0 stratum 10
-
 
604
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
-
 
605
restrict 127.0.0.1
-
 
606
driftfile /var/lib/ntp/drift
-
 
607
logfile /var/log/ntp.log
-
 
608
disable monitor
-
 
609
EOF
-
 
610
 
-
 
611
	chown -R ntp:ntp /var/lib/ntp
-
 
612
# Renseignement des fichiers hosts.allow et hosts.deny
588
# Renseignement des fichiers hosts.allow et hosts.deny
613
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
589
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
614
	cat <<EOF > /etc/hosts.allow
590
	cat <<EOF > /etc/hosts.allow
615
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
591
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
616
sshd: ALL
592
sshd: ALL
617
ntpd: $PRIVATE_NETWORK_SHORT
593
ntpd: $PRIVATE_NETWORK_SHORT
618
EOF
594
EOF
619
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
595
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
620
	cat <<EOF > /etc/hosts.deny
596
	cat <<EOF > /etc/hosts.deny
621
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
597
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
622
EOF
598
EOF
623
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
599
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
624
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
600
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
625
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
601
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
626
# load conntrack ftp module
602
# load conntrack ftp module
627
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
603
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
628
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
604
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
629
# load ipt_NETFLOW module
605
# load ipt_NETFLOW module
630
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
606
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
631
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
607
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
632
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
608
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
633
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
609
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
634
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
610
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
635
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
611
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
636
# 
612
# 
637
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
613
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
638
} # End of network ()
614
} # End of network ()
639
 
615
 
640
##################################################################
616
##################################################################
-
 
617
##			Function "time"				##
-
 
618
## - Configuring NTP server					##
-
 
619
##################################################################
-
 
620
time ()
-
 
621
{
-
 
622
# Set the Internet time server
-
 
623
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
-
 
624
	cat <<EOF > /etc/ntp/step-tickers
-
 
625
0.fr.pool.ntp.org	# adapt to your country
-
 
626
1.fr.pool.ntp.org
-
 
627
2.fr.pool.ntp.org
-
 
628
EOF
-
 
629
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
-
 
630
	cat <<EOF > /etc/ntp.conf
-
 
631
server 0.fr.pool.ntp.org	# adapt to your country
-
 
632
server 1.fr.pool.ntp.org
-
 
633
server 2.fr.pool.ntp.org
-
 
634
server 127.127.1.0   		# local clock si NTP internet indisponible ...
-
 
635
fudge 127.127.1.0 stratum 10
-
 
636
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
-
 
637
restrict 127.0.0.1
-
 
638
driftfile /var/lib/ntp/drift
-
 
639
logfile /var/log/ntp.log
-
 
640
disable monitor
-
 
641
EOF
-
 
642
	chown -R ntp:ntp /var/lib/ntp
-
 
643
# Synchronize now
-
 
644
	ntpd -q -g &
-
 
645
} # End of time ()
-
 
646
##################################################################
641
##			Function "ACC"				##
647
##			Function "ACC"				##
642
## - installation du centre de gestion (ALCASAR Control Center)	##
648
## - installation du centre de gestion (ALCASAR Control Center)	##
643
## - configuration du serveur web (Apache)			##
649
## - configuration du serveur web (Apache)			##
644
## - définition du 1er comptes de gestion 			##
650
## - définition du 1er comptes de gestion 			##
645
## - sécurisation des accès					##
651
## - sécurisation des accès					##
646
##################################################################
652
##################################################################
647
ACC ()
653
ACC ()
648
{
654
{
649
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
655
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
650
	mkdir $DIR_WEB
656
	mkdir $DIR_WEB
651
# Copie et configuration des fichiers du centre de gestion
657
# Copy & adapt ACC files
652
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
658
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
653
	echo "$VERSION" > $DIR_WEB/VERSION
659
	echo "$VERSION" > $DIR_WEB/VERSION
654
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
660
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
655
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
661
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
656
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
662
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
657
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
663
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
658
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
664
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
659
	chown -R apache:apache $DIR_WEB/*
665
	chown -R apache:apache $DIR_WEB/*
-
 
666
# copy & adapt "freeradius-web" files
-
 
667
	cp -rf $DIR_CONF/freeradius-web/ /etc/
-
 
668
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
-
 
669
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
-
 
670
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
-
 
671
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
-
 
672
	cat <<EOF > /etc/freeradius-web/naslist.conf
-
 
673
nas1_name: alcasar-$ORGANISME
-
 
674
nas1_model: Network Access Controler
-
 
675
nas1_ip: $PRIVATE_IP
-
 
676
nas1_port_num: 0
-
 
677
nas1_community: public
-
 
678
EOF
-
 
679
	chown -R apache:apache /etc/freeradius-web/
660
# create the backup structure :
680
# create the log & backup structure :
661
# - base = users database
681
# - base = users database
662
# - archive = tarball of "base + http firewall + netflow"
682
# - archive = tarball of "base + http firewall + netflow"
663
# - security = watchdog disconnection)
683
# - security = watchdog log
664
	for i in base archive security;
684
	for i in base archive security;
665
	do
685
	do
666
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
686
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
667
	done
687
	done
668
	chown -R root:apache $DIR_SAVE
688
	chown -R root:apache $DIR_SAVE
669
# Configuration et sécurisation php
689
# Configuring & securing php
670
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
690
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
671
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
691
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
672
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
692
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
673
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
693
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
674
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
694
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
675
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
695
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
676
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
696
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
677
# Configuration et sécurisation Apache
697
# Configuring & sécuring Apache
678
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
698
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
679
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
699
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
680
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
700
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
681
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
701
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
682
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
702
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
683
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
703
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
684
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
704
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
685
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
705
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
686
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
706
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
687
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
707
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
688
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
708
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
689
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
709
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
690
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
710
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
691
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
711
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
692
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
712
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
693
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
713
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
694
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
714
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
695
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
715
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
696
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
716
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
697
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
717
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
698
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
718
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
699
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
719
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
700
# Error page management
720
# Error page management
701
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
721
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
702
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
722
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
703
Alias /error/ "/var/www/html/"
723
Alias /error/ "/var/www/html/"
704
<Directory "/usr/share/httpd/error">
724
<Directory "/usr/share/httpd/error">
705
    AllowOverride None
725
    AllowOverride None
706
    Options IncludesNoExec
726
    Options IncludesNoExec
707
    AddOutputFilter Includes html
727
    AddOutputFilter Includes html
708
    AddHandler type-map var
728
    AddHandler type-map var
709
    Require all granted
729
    Require all granted
710
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
730
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
711
    ForceLanguagePriority Prefer Fallback
731
    ForceLanguagePriority Prefer Fallback
712
</Directory>
732
</Directory>
713
ErrorDocument 400 /error/error.php?error=400
733
ErrorDocument 400 /error/error.php?error=400
714
ErrorDocument 401 /error/error.php?error=401
734
ErrorDocument 401 /error/error.php?error=401
715
ErrorDocument 403 /error/error.php?error=403
735
ErrorDocument 403 /error/error.php?error=403
716
ErrorDocument 404 /error/error.php?error=404
736
ErrorDocument 404 /error/error.php?error=404
717
ErrorDocument 405 /error/error.php?error=405
737
ErrorDocument 405 /error/error.php?error=405
718
ErrorDocument 408 /error/error.php?error=408
738
ErrorDocument 408 /error/error.php?error=408
719
ErrorDocument 410 /error/error.php?error=410
739
ErrorDocument 410 /error/error.php?error=410
720
ErrorDocument 411 /error/error.php?error=411
740
ErrorDocument 411 /error/error.php?error=411
721
ErrorDocument 412 /error/error.php?error=412
741
ErrorDocument 412 /error/error.php?error=412
722
ErrorDocument 413 /error/error.php?error=413
742
ErrorDocument 413 /error/error.php?error=413
723
ErrorDocument 414 /error/error.php?error=414
743
ErrorDocument 414 /error/error.php?error=414
724
ErrorDocument 415 /error/error.php?error=415
744
ErrorDocument 415 /error/error.php?error=415
725
ErrorDocument 500 /error/error.php?error=500
745
ErrorDocument 500 /error/error.php?error=500
726
ErrorDocument 501 /error/error.php?error=501
746
ErrorDocument 501 /error/error.php?error=501
727
ErrorDocument 502 /error/error.php?error=502
747
ErrorDocument 502 /error/error.php?error=502
728
ErrorDocument 503 /error/error.php?error=503
748
ErrorDocument 503 /error/error.php?error=503
729
ErrorDocument 506 /error/error.php?error=506
749
ErrorDocument 506 /error/error.php?error=506
730
EOF
750
EOF
731
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
751
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
732
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
752
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
733
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
753
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
734
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
754
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
735
</body>
755
</body>
736
</html>
756
</html>
737
EOF
757
EOF
738
# Définition du premier compte lié au profil 'admin'
758
# Définition du premier compte lié au profil 'admin'
739
 
-
 
740
# !! remove when > V2.9.2 (we need to create new accounts)
-
 
741
# if [ "$mode" = "install" ]
759
if [ "$mode" = "install" ]
742
#	then
760
	then
743
		header_install
761
		header_install
744
		admin_portal=!
762
		admin_portal=!
745
		PTN='^[a-zA-Z0-9-]*$'
763
		PTN='^[a-zA-Z0-9-]*$'
746
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
764
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
747
                	do
765
                	do
748
			header_install
766
			header_install
749
			if [ $Lang == "fr" ]
767
			if [ $Lang == "fr" ]
750
			then 
768
			then 
751
				echo ""
769
				echo ""
752
				echo "Définissez un premier compte d'administration du portail :"
770
				echo "Définissez un premier compte d'administration du portail :"
753
				echo
771
				echo
754
				echo -n "Nom : "
772
				echo -n "Nom : "
755
			else
773
			else
756
				echo ""
774
				echo ""
757
				echo "Define the first account allow to administrate the portal :"
775
				echo "Define the first account allow to administrate the portal :"
758
				echo
776
				echo
759
				echo -n "Account : "
777
				echo -n "Account : "
760
			fi
778
			fi
761
			read admin_portal
779
			read admin_portal
762
			if [ "$admin_portal" == "" ]
780
			if [ "$admin_portal" == "" ]
763
				then
781
				then
764
				admin_portal=!
782
				admin_portal=!
765
			fi
783
			fi
766
			done
784
			done
767
# Creation of keys file for the admin account ("admin")
785
# Creation of keys file for the admin account ("admin")
768
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
786
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
769
		mkdir -p $DIR_DEST_ETC/digest
787
		mkdir -p $DIR_DEST_ETC/digest
770
		chmod 755 $DIR_DEST_ETC/digest
788
		chmod 755 $DIR_DEST_ETC/digest
771
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
789
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
772
			do
790
			do
773
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
791
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
774
			done
792
			done
775
		$DIR_DEST_BIN/alcasar-profil.sh --list
793
		$DIR_DEST_BIN/alcasar-profil.sh --list
776
# !! remove if > V2.9.2
-
 
777
# fi
794
fi
778
 
-
 
779
# synchronisation horaire
795
# ACC partitioning
780
	ntpd -q -g &
-
 
781
# Sécurisation du centre
-
 
782
	rm -f /etc/httpd/conf/webapps.d/alcasar*
796
	rm -f /etc/httpd/conf/webapps.d/alcasar*
783
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
797
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
784
<Directory $DIR_ACC>
798
<Directory $DIR_ACC>
785
	SSLRequireSSL
799
	SSLRequireSSL
786
	AllowOverride None
800
	AllowOverride None
787
	Order deny,allow
801
	Order deny,allow
788
	Deny from all
802
	Deny from all
789
	Allow from 127.0.0.1
803
	Allow from 127.0.0.1
790
	Allow from $PRIVATE_NETWORK_MASK
804
	Allow from $PRIVATE_NETWORK_MASK
791
	require valid-user
805
	require valid-user
792
	AuthType digest
806
	AuthType digest
793
	AuthName "ALCASAR Control Center (ACC)" 
807
	AuthName "ALCASAR Control Center (ACC)" 
794
	AuthDigestDomain $HOSTNAME.$DOMAIN
808
	AuthDigestDomain $HOSTNAME.$DOMAIN
795
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
809
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
796
	AuthUserFile $DIR_DEST_ETC/digest/key_all
810
	AuthUserFile $DIR_DEST_ETC/digest/key_all
797
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
798
</Directory>
812
</Directory>
799
<Directory $DIR_ACC/admin>
813
<Directory $DIR_ACC/admin>
800
	SSLRequireSSL
814
	SSLRequireSSL
801
	AllowOverride None
815
	AllowOverride None
802
	Order deny,allow
816
	Order deny,allow
803
	Deny from all
817
	Deny from all
804
	Allow from 127.0.0.1
818
	Allow from 127.0.0.1
805
	Allow from $PRIVATE_NETWORK_MASK
819
	Allow from $PRIVATE_NETWORK_MASK
806
	require valid-user
820
	require valid-user
807
	AuthType digest
821
	AuthType digest
808
	AuthName "ALCASAR Control Center (ACC)" 
822
	AuthName "ALCASAR Control Center (ACC)" 
809
	AuthDigestDomain $HOSTNAME.$DOMAIN
823
	AuthDigestDomain $HOSTNAME.$DOMAIN
810
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
824
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
811
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
825
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
812
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
826
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
813
</Directory>
827
</Directory>
814
<Directory $DIR_ACC/manager>
828
<Directory $DIR_ACC/manager>
815
	SSLRequireSSL
829
	SSLRequireSSL
816
	AllowOverride None
830
	AllowOverride None
817
	Order deny,allow
831
	Order deny,allow
818
	Deny from all
832
	Deny from all
819
	Allow from 127.0.0.1
833
	Allow from 127.0.0.1
820
	Allow from $PRIVATE_NETWORK_MASK
834
	Allow from $PRIVATE_NETWORK_MASK
821
	require valid-user
835
	require valid-user
822
	AuthType digest
836
	AuthType digest
823
	AuthName "ALCASAR Control Center (ACC)" 
837
	AuthName "ALCASAR Control Center (ACC)" 
824
	AuthDigestDomain $HOSTNAME.$DOMAIN
838
	AuthDigestDomain $HOSTNAME.$DOMAIN
825
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
839
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
826
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
840
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
827
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
841
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
828
</Directory>
842
</Directory>
829
<Directory $DIR_ACC/backup>
843
<Directory $DIR_ACC/backup>
830
	SSLRequireSSL
844
	SSLRequireSSL
831
	AllowOverride None
845
	AllowOverride None
832
	Order deny,allow
846
	Order deny,allow
833
	Deny from all
847
	Deny from all
834
	Allow from 127.0.0.1
848
	Allow from 127.0.0.1
835
	Allow from $PRIVATE_NETWORK_MASK
849
	Allow from $PRIVATE_NETWORK_MASK
836
	require valid-user
850
	require valid-user
837
	AuthType digest
851
	AuthType digest
838
	AuthName "ALCASAR Control Center (ACC)" 
852
	AuthName "ALCASAR Control Center (ACC)" 
839
	AuthDigestDomain $HOSTNAME.$DOMAIN
853
	AuthDigestDomain $HOSTNAME.$DOMAIN
840
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
854
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
841
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
855
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
842
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
856
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
843
</Directory>
857
</Directory>
844
Alias /save/ "$DIR_SAVE/"
858
Alias /save/ "$DIR_SAVE/"
845
<Directory $DIR_SAVE>
859
<Directory $DIR_SAVE>
846
	SSLRequireSSL
860
	SSLRequireSSL
847
	Options Indexes
861
	Options Indexes
848
	Order deny,allow
862
	Order deny,allow
849
	Deny from all
863
	Deny from all
850
	Allow from 127.0.0.1
864
	Allow from 127.0.0.1
851
	Allow from $PRIVATE_NETWORK_MASK
865
	Allow from $PRIVATE_NETWORK_MASK
852
	require valid-user
866
	require valid-user
853
	AuthType digest
867
	AuthType digest
854
	AuthName "ALCASAR Control Center (ACC)" 
868
	AuthName "ALCASAR Control Center (ACC)" 
855
	AuthDigestDomain $HOSTNAME.$DOMAIN
869
	AuthDigestDomain $HOSTNAME.$DOMAIN
856
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
870
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
857
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
871
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
858
</Directory>
872
</Directory>
-
 
873
<Directory $DIR_WEB/pass>
-
 
874
	SSLRequireSSL
-
 
875
	AllowOverride None
-
 
876
	Order deny,allow
-
 
877
	Deny from all
-
 
878
	Allow from 127.0.0.1
-
 
879
	Allow from $PRIVATE_NETWORK_MASK
-
 
880
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
-
 
881
</Directory>
859
EOF
882
EOF
860
# Launch after coova
883
# Launch after coova (in order to wait tun0 to be up)
861
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
884
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
862
} # End of ACC ()
885
} # End of ACC ()
863
 
886
 
864
##########################################################################################
887
##########################################################################################
865
##				Fonction "CA"						##
888
##				Fonction "CA"						##
866
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
889
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
867
##########################################################################################
890
##########################################################################################
868
CA ()
891
CA ()
869
{
892
{
870
	$DIR_DEST_BIN/alcasar-CA.sh
893
	$DIR_DEST_BIN/alcasar-CA.sh
871
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
894
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
872
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
895
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
873
	cat <<EOF > $FIC_VIRTUAL_SSL
896
	cat <<EOF > $FIC_VIRTUAL_SSL
874
# default SSL virtual host, used for all HTTPS requests that do not
897
# default SSL virtual host, used for all HTTPS requests that do not
875
# match a ServerName or ServerAlias in any <VirtualHost> block.
898
# match a ServerName or ServerAlias in any <VirtualHost> block.
876
 
899
 
877
<VirtualHost _default_:443>
900
<VirtualHost _default_:443>
878
# general configuration
901
# general configuration
879
    ServerAdmin root@localhost
902
    ServerAdmin root@localhost
880
    ServerName $HOSTNAME.$DOMAIN
903
    ServerName $HOSTNAME.$DOMAIN
881
 
904
 
882
# SSL configuration
905
# SSL configuration
883
    SSLEngine on
906
    SSLEngine on
884
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
907
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
885
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
908
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
886
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
909
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
887
    CustomLog logs/ssl_request_log \
910
    CustomLog logs/ssl_request_log \
888
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
911
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
889
    ErrorLog logs/ssl_error_log
912
    ErrorLog logs/ssl_error_log
890
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
913
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
891
</VirtualHost>
914
</VirtualHost>
892
EOF
915
EOF
893
 
-
 
894
	chown -R root:apache /etc/pki
916
	chown -R root:apache /etc/pki
895
	chmod -R 750 /etc/pki
917
	chmod -R 750 /etc/pki
896
} # End of CA ()
918
} # End of CA ()
897
 
919
 
898
##########################################################################################
920
##########################################################################################
899
##			Fonction "init_db"						##
921
##			Fonction "init_db"						##
900
## - Initialisation de la base Mysql							##
922
## - Initialisation de la base Mysql							##
901
## - Affectation du mot de passe de l'administrateur (root)				##
923
## - Affectation du mot de passe de l'administrateur (root)				##
902
## - Suppression des bases et des utilisateurs superflus				##
924
## - Suppression des bases et des utilisateurs superflus				##
903
## - Création de la base 'radius'							##
925
## - Création de la base 'radius'							##
904
## - Installation du schéma de cette base						##
926
## - Installation du schéma de cette base						##
905
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
927
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
906
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
928
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
907
##########################################################################################
929
##########################################################################################
908
init_db ()
930
init_db ()
909
{
931
{
910
	rm -rf /var/lib/mysql # to be sure that there is no former installation
932
	rm -rf /var/lib/mysql # to be sure that there is no former installation
911
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
933
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
912
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
934
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
913
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
935
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
914
	/usr/bin/systemctl start mysqld.service
936
	/usr/bin/systemctl start mysqld.service
915
	sleep 4
937
	sleep 4
916
	mysqladmin -u root password $mysqlpwd
938
	mysqladmin -u root password $mysqlpwd
917
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
939
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
918
# Secure the server
940
# Secure the server
919
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
941
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
920
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
942
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
921
# Create 'radius' database
943
# Create 'radius' database
922
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
944
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
923
# Add an empty radius database structure
945
# Add an empty radius database structure
924
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
946
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
925
# modify the start script in order to close accounting connexion when the system is comming down or up
947
# modify the start script in order to close accounting connexion when the system is comming down or up
926
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
948
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
927
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
949
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
928
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
950
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
929
	/usr/bin/systemctl daemon-reload
951
	/usr/bin/systemctl daemon-reload
930
} # End of init_db ()
952
} # End of init_db ()
931
 
953
 
932
##########################################################################
954
##########################################################################
933
##			Fonction "radius"				##
955
##			Fonction "radius"				##
934
## - Paramètrage des fichiers de configuration FreeRadius		##
956
## - Paramètrage des fichiers de configuration FreeRadius		##
935
## - Affectation du secret partagé entre coova-chilli et freeradius	##
957
## - Affectation du secret partagé entre coova-chilli et freeradius	##
936
## - Modification de fichier de conf pour l'accès à Mysql		##
958
## - Modification de fichier de conf pour l'accès à Mysql		##
937
##########################################################################
959
##########################################################################
938
radius ()
960
radius ()
939
{
961
{
940
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
962
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
941
	chown -R radius:radius /etc/raddb
963
	chown -R radius:radius /etc/raddb
942
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
964
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
943
# Set radius.conf parameters
965
# Set radius.conf parameters
944
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
966
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
945
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
967
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
946
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
968
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
947
# remove the proxy function
969
# remove the proxy function
948
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
970
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
949
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
971
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
950
# remove EAP module
972
# remove EAP module
951
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
973
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
952
# listen on loopback (should be modified later if EAP enabled)
974
# listen on loopback (should be modified later if EAP enabled)
953
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
975
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
954
# enable the  SQL module (and SQL counter)
976
# enable the  SQL module (and SQL counter)
955
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
977
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
956
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
978
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
957
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
979
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
958
# only include modules for ALCASAR needs
980
# only include modules for ALCASAR needs
959
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
981
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
960
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
982
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
961
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
983
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
962
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
984
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
963
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
985
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
964
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
986
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
965
# remvove virtual server and copy our conf file
987
# remvove virtual server and copy our conf file
966
	rm -f /etc/raddb/sites-enabled/*
988
	rm -f /etc/raddb/sites-enabled/*
967
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
989
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
968
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
990
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
969
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
991
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
970
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
992
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
971
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
993
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
972
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
994
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
973
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
995
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
974
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
996
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
975
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
997
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
976
	cat << EOF > /etc/raddb/clients.conf
998
	cat << EOF > /etc/raddb/clients.conf
977
client 127.0.0.1 {
999
client 127.0.0.1 {
978
	secret = $secretradius
1000
	secret = $secretradius
979
	shortname = localhost
1001
	shortname = localhost
980
}
1002
}
981
EOF
1003
EOF
982
# sql.conf modification
1004
# sql.conf modification
983
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1005
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
984
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1006
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
985
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1007
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
986
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1008
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
987
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1009
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
988
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1010
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
989
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1011
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
990
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1012
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
991
# counter.conf modification (change the Max-All-Session-Time counter)
1013
# counter.conf modification (change the Max-All-Session-Time counter)
992
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1014
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
993
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1015
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
994
	chown -R radius:radius /etc/raddb/sql/mysql/*
1016
	chown -R radius:radius /etc/raddb/sql/mysql/*
995
# make certain that mysql is up before radius start
1017
# make certain that mysql is up before radius start
996
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1018
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
997
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1019
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
998
	/usr/bin/systemctl daemon-reload
1020
	/usr/bin/systemctl daemon-reload
999
} # End radius ()
1021
} # End radius ()
1000
 
1022
 
1001
##########################################################################
-
 
1002
##			Function "radius_web"				##
-
 
1003
## - Import, modification et paramètrage de l'interface "freeradius-WEB ##
-
 
1004
## - Création du lien vers la page de changement de mot de passe        ##
-
 
1005
##########################################################################
-
 
1006
radius_web ()
-
 
1007
{
-
 
1008
# copy "freeradius-web" files and conf files in the manager arae of ACC
-
 
1009
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
-
 
1010
	cp -rf $DIR_CONF/freeradius-web/ /etc/
-
 
1011
	chown -R apache:apache $DIR_ACC/manager/
-
 
1012
# adapt the main conf file to Alcasar behaviour
-
 
1013
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
-
 
1014
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
-
 
1015
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
-
 
1016
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
-
 
1017
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
-
 
1018
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
-
 
1019
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
-
 
1020
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
-
 
1021
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
-
 
1022
	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
-
 
1023
	cat <<EOF > /etc/freeradius-web/naslist.conf
-
 
1024
nas1_name: alcasar-$ORGANISME
-
 
1025
nas1_model: Portail captif
-
 
1026
nas1_ip: $PRIVATE_IP
-
 
1027
nas1_port_num: 0
-
 
1028
nas1_community: public
-
 
1029
EOF
-
 
1030
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
-
 
1031
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
-
 
1032
	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
-
 
1033
# Ajout du mappage des attributs chillispot
-
 
1034
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
-
 
1035
	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
-
 
1036
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
-
 
1037
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
-
 
1038
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
-
 
1039
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
-
 
1040
	chown -R apache:apache /etc/freeradius-web
-
 
1041
# Ajout de l'alias vers la page de "changement de mot de passe usager"
-
 
1042
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
-
 
1043
<Directory $DIR_WEB/pass>
-
 
1044
	SSLRequireSSL
-
 
1045
	AllowOverride None
-
 
1046
	Order deny,allow
-
 
1047
	Deny from all
-
 
1048
	Allow from 127.0.0.1
-
 
1049
	Allow from $PRIVATE_NETWORK_MASK
-
 
1050
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
-
 
1051
</Directory>
-
 
1052
EOF
-
 
1053
} # End of radius_web ()
-
 
1054
 
-
 
1055
##################################################################################
1023
##################################################################################
1056
##			Fonction "chilli"					##
1024
##			Fonction "chilli"					##
1057
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1025
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1058
## - Paramètrage de la page d'authentification (intercept.php)			##
1026
## - Paramètrage de la page d'authentification (intercept.php)			##
1059
##################################################################################
1027
##################################################################################
1060
chilli ()
1028
chilli ()
1061
{
1029
{
1062
# chilli unit for systemd
1030
# chilli unit for systemd
1063
cat << EOF > /lib/systemd/system/chilli.service
1031
cat << EOF > /lib/systemd/system/chilli.service
1064
#  This file is part of systemd.
1032
#  This file is part of systemd.
1065
#
1033
#
1066
#  systemd is free software; you can redistribute it and/or modify it
1034
#  systemd is free software; you can redistribute it and/or modify it
1067
#  under the terms of the GNU General Public License as published by
1035
#  under the terms of the GNU General Public License as published by
1068
#  the Free Software Foundation; either version 2 of the License, or
1036
#  the Free Software Foundation; either version 2 of the License, or
1069
#  (at your option) any later version.
1037
#  (at your option) any later version.
1070
[Unit]
1038
[Unit]
1071
Description=chilli is a captive portal daemon
1039
Description=chilli is a captive portal daemon
1072
After=network.target
1040
After=network.target
1073
 
1041
 
1074
[Service]
1042
[Service]
1075
Type=forking
1043
Type=forking
1076
ExecStart=/usr/libexec/chilli start
1044
ExecStart=/usr/libexec/chilli start
1077
ExecStop=/usr/libexec/chilli stop
1045
ExecStop=/usr/libexec/chilli stop
1078
ExecReload=/usr/libexec/chilli reload
1046
ExecReload=/usr/libexec/chilli reload
1079
PIDFile=/var/run/chilli.pid
1047
PIDFile=/var/run/chilli.pid
1080
 
1048
 
1081
[Install]
1049
[Install]
1082
WantedBy=multi-user.target
1050
WantedBy=multi-user.target
1083
EOF
1051
EOF
1084
# init file creation
1052
# init file creation
1085
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1053
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1086
	cat <<EOF > /etc/init.d/chilli
1054
	cat <<EOF > /etc/init.d/chilli
1087
#!/bin/sh
1055
#!/bin/sh
1088
#
1056
#
1089
# chilli CoovaChilli init
1057
# chilli CoovaChilli init
1090
#
1058
#
1091
# chkconfig: 2345 65 35
1059
# chkconfig: 2345 65 35
1092
# description: CoovaChilli
1060
# description: CoovaChilli
1093
### BEGIN INIT INFO
1061
### BEGIN INIT INFO
1094
# Provides:       chilli
1062
# Provides:       chilli
1095
# Required-Start: network 
1063
# Required-Start: network 
1096
# Should-Start: 
1064
# Should-Start: 
1097
# Required-Stop:  network
1065
# Required-Stop:  network
1098
# Should-Stop: 
1066
# Should-Stop: 
1099
# Default-Start:  2 3 5
1067
# Default-Start:  2 3 5
1100
# Default-Stop:
1068
# Default-Stop:
1101
# Description:    CoovaChilli access controller
1069
# Description:    CoovaChilli access controller
1102
### END INIT INFO
1070
### END INIT INFO
1103
 
1071
 
1104
[ -f /usr/sbin/chilli ] || exit 0
1072
[ -f /usr/sbin/chilli ] || exit 0
1105
. /etc/init.d/functions
1073
. /etc/init.d/functions
1106
CONFIG=/etc/chilli.conf
1074
CONFIG=/etc/chilli.conf
1107
pidfile=/var/run/chilli.pid
1075
pidfile=/var/run/chilli.pid
1108
[ -f \$CONFIG ] || {
1076
[ -f \$CONFIG ] || {
1109
    echo "\$CONFIG Not found"
1077
    echo "\$CONFIG Not found"
1110
    exit 0
1078
    exit 0
1111
}
1079
}
1112
RETVAL=0
1080
RETVAL=0
1113
prog="chilli"
1081
prog="chilli"
1114
case \$1 in
1082
case \$1 in
1115
    start)
1083
    start)
1116
	if [ -f \$pidfile ] ; then 
1084
	if [ -f \$pidfile ] ; then 
1117
		gprintf "chilli is already running"
1085
		gprintf "chilli is already running"
1118
	else
1086
	else
1119
        	gprintf "Starting \$prog: "
1087
        	gprintf "Starting \$prog: "
1120
		rm -f /var/run/chilli* # cleaning
1088
		rm -f /var/run/chilli* # cleaning
1121
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1089
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1122
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1090
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1123
		[ -e /dev/net/tun ] || {
1091
		[ -e /dev/net/tun ] || {
1124
	    	(cd /dev; 
1092
	    	(cd /dev; 
1125
			mkdir net; 
1093
			mkdir net; 
1126
			cd net; 
1094
			cd net; 
1127
			mknod tun c 10 200)
1095
			mknod tun c 10 200)
1128
		}
1096
		}
1129
		ifconfig $INTIF 0.0.0.0
1097
		ifconfig $INTIF 0.0.0.0
1130
		/usr/sbin/ethtool -K $INTIF gro off
1098
		/usr/sbin/ethtool -K $INTIF gro off
1131
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1099
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1132
        	RETVAL=$?
1100
        	RETVAL=$?
1133
	fi
1101
	fi
1134
	;;
1102
	;;
1135
 
1103
 
1136
    reload)
1104
    reload)
1137
	killall -HUP chilli
1105
	killall -HUP chilli
1138
	;;
1106
	;;
1139
 
1107
 
1140
    restart)
1108
    restart)
1141
	\$0 stop
1109
	\$0 stop
1142
        sleep 2
1110
        sleep 2
1143
	\$0 start
1111
	\$0 start
1144
	;;
1112
	;;
1145
    
1113
    
1146
    status)
1114
    status)
1147
        status chilli
1115
        status chilli
1148
        RETVAL=0
1116
        RETVAL=0
1149
        ;;
1117
        ;;
1150
 
1118
 
1151
    stop)
1119
    stop)
1152
	if [ -f \$pidfile ] ; then  
1120
	if [ -f \$pidfile ] ; then  
1153
        	gprintf "Shutting down \$prog: "
1121
        	gprintf "Shutting down \$prog: "
1154
		killproc /usr/sbin/chilli
1122
		killproc /usr/sbin/chilli
1155
		RETVAL=\$?
1123
		RETVAL=\$?
1156
		[ \$RETVAL = 0 ] && rm -f $pidfile
1124
		[ \$RETVAL = 0 ] && rm -f $pidfile
1157
	else	
1125
	else	
1158
        	gprintf "chilli is not running"
1126
        	gprintf "chilli is not running"
1159
	fi
1127
	fi
1160
	;;
1128
	;;
1161
    
1129
    
1162
    *)
1130
    *)
1163
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1131
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1164
        exit 1
1132
        exit 1
1165
esac
1133
esac
1166
echo
1134
echo
1167
EOF
1135
EOF
1168
chmod a+x /etc/init.d/chilli
1136
chmod a+x /etc/init.d/chilli
1169
ln -s /etc/init.d/chilli /usr/libexec/chilli
1137
ln -s /etc/init.d/chilli /usr/libexec/chilli
1170
# conf file creation
1138
# conf file creation
1171
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1139
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1172
	cat <<EOF > /etc/chilli.conf
1140
	cat <<EOF > /etc/chilli.conf
1173
# coova config for ALCASAR
1141
# coova config for ALCASAR
1174
cmdsocket	/var/run/chilli.sock
1142
cmdsocket	/var/run/chilli.sock
1175
unixipc		chilli.$INTIF.ipc
1143
unixipc		chilli.$INTIF.ipc
1176
pidfile		/var/run/chilli.pid
1144
pidfile		/var/run/chilli.pid
1177
net		$PRIVATE_NETWORK_MASK
1145
net		$PRIVATE_NETWORK_MASK
1178
dhcpif		$INTIF
1146
dhcpif		$INTIF
1179
ethers		$DIR_DEST_ETC/alcasar-ethers
1147
ethers		$DIR_DEST_ETC/alcasar-ethers
1180
#nodynip
1148
#nodynip
1181
#statip
1149
#statip
1182
dynip		$PRIVATE_NETWORK_MASK
1150
dynip		$PRIVATE_NETWORK_MASK
1183
domain		$DOMAIN
1151
domain		$DOMAIN
1184
dns1		$PRIVATE_IP
1152
dns1		$PRIVATE_IP
1185
dns2		$PRIVATE_IP
1153
dns2		$PRIVATE_IP
1186
uamlisten	$PRIVATE_IP
1154
uamlisten	$PRIVATE_IP
1187
uamport		3990
1155
uamport		3990
1188
macauth
1156
macauth
1189
macpasswd	password
1157
macpasswd	password
1190
strictmacauth
1158
strictmacauth
1191
locationname	$HOSTNAME.$DOMAIN
1159
locationname	$HOSTNAME.$DOMAIN
1192
radiusserver1	127.0.0.1
1160
radiusserver1	127.0.0.1
1193
radiusserver2	127.0.0.1
1161
radiusserver2	127.0.0.1
1194
radiussecret	$secretradius
1162
radiussecret	$secretradius
1195
radiusauthport	1812
1163
radiusauthport	1812
1196
radiusacctport	1813
1164
radiusacctport	1813
1197
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1165
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1198
radiusnasid	$HOSTNAME.$DOMAIN
1166
radiusnasid	$HOSTNAME.$DOMAIN
1199
uamsecret	$secretuam
1167
uamsecret	$secretuam
1200
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1168
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1201
coaport		3799
1169
coaport		3799
1202
conup		$DIR_DEST_BIN/alcasar-conup.sh
1170
conup		$DIR_DEST_BIN/alcasar-conup.sh
1203
condown		$DIR_DEST_BIN/alcasar-condown.sh
1171
condown		$DIR_DEST_BIN/alcasar-condown.sh
1204
include		$DIR_DEST_ETC/alcasar-uamallowed
1172
include		$DIR_DEST_ETC/alcasar-uamallowed
1205
include		$DIR_DEST_ETC/alcasar-uamdomain
1173
include		$DIR_DEST_ETC/alcasar-uamdomain
1206
#dhcpgateway		none
1174
#dhcpgateway		none
1207
#dhcprelayagent		none
1175
#dhcprelayagent		none
1208
#dhcpgatewayport	none
1176
#dhcpgatewayport	none
1209
EOF
1177
EOF
1210
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1178
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1211
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1179
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1212
# create files for trusted domains and urls
1180
# create files for trusted domains and urls
1213
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1181
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1214
	chown root:apache $DIR_DEST_ETC/alcasar-*
1182
	chown root:apache $DIR_DEST_ETC/alcasar-*
1215
	chmod 660 $DIR_DEST_ETC/alcasar-*
1183
	chmod 660 $DIR_DEST_ETC/alcasar-*
1216
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1184
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1217
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1185
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1218
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1186
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1219
# user 'chilli' creation (in order to run conup/off and up/down scripts
1187
# user 'chilli' creation (in order to run conup/off and up/down scripts
1220
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1188
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1221
	if [ "$chilli_exist" == "1" ]
1189
	if [ "$chilli_exist" == "1" ]
1222
	then
1190
	then
1223
	      userdel -r chilli 2>/dev/null
1191
	      userdel -r chilli 2>/dev/null
1224
	fi
1192
	fi
1225
	groupadd -f chilli
1193
	groupadd -f chilli
1226
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1194
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1227
}  # End of chilli ()
1195
}  # End of chilli ()
1228
 
1196
 
1229
##################################################################
1197
##################################################################
1230
##		Fonction "dansguardian"				##
1198
##		Fonction "dansguardian"				##
1231
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1199
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1232
##################################################################
1200
##################################################################
1233
dansguardian ()
1201
dansguardian ()
1234
{
1202
{
1235
	mkdir /var/dansguardian
1203
	mkdir /var/dansguardian
1236
	chown dansguardian /var/dansguardian
1204
	chown dansguardian /var/dansguardian
1237
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1205
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1238
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1206
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1239
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1207
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1240
# By default the filter is off 
1208
# By default the filter is off 
1241
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1209
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1242
# French deny HTML page
1210
# French deny HTML page
1243
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1211
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1244
# Listen only on LAN side
1212
# Listen only on LAN side
1245
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1213
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1246
# DG send its flow to HAVP
1214
# DG send its flow to HAVP
1247
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1215
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1248
# replace the default deny HTML page
1216
# replace the default deny HTML page
1249
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1217
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1250
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1218
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1251
# Don't log
1219
# Don't log
1252
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1220
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1253
# on désactive par défaut le controle de contenu des pages html
1221
# on désactive par défaut le controle de contenu des pages html
1254
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1222
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1255
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1223
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1256
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1224
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1257
# on désactive par défaut le contrôle d'URL par expressions régulières
1225
# on désactive par défaut le contrôle d'URL par expressions régulières
1258
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1226
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1259
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1227
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1260
 
1228
 
1261
# Configure Dansguardian for large site
1229
# Configure Dansguardian for large site
1262
# Minimum number of processus to handle connections
1230
# Minimum number of processus to handle connections
1263
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1231
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1264
# Maximum number of processus to handle connections
1232
# Maximum number of processus to handle connections
1265
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1233
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1266
# Run at least 8 daemons
1234
# Run at least 8 daemons
1267
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1235
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1268
# minimum number of processes to spawn
1236
# minimum number of processes to spawn
1269
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1237
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1270
# maximum age of a child process before it croaks it
1238
# maximum age of a child process before it croaks it
1271
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1239
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1272
	
1240
	
1273
# on désactive par défaut le contrôle de téléchargement de fichiers
1241
# on désactive par défaut le contrôle de téléchargement de fichiers
1274
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1242
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1275
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1243
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1276
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1244
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1277
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1245
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1278
	touch $DIR_DG/lists/bannedextensionlist
1246
	touch $DIR_DG/lists/bannedextensionlist
1279
	touch $DIR_DG/lists/bannedmimetypelist
1247
	touch $DIR_DG/lists/bannedmimetypelist
1280
# 'Safesearch' regex actualisation
1248
# 'Safesearch' regex actualisation
1281
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1249
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1282
# empty LAN IP list that won't be WEB filtered
1250
# empty LAN IP list that won't be WEB filtered
1283
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1251
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1284
	touch $DIR_DG/lists/exceptioniplist
1252
	touch $DIR_DG/lists/exceptioniplist
1285
# Keep a copy of URL & domain filter configuration files
1253
# Keep a copy of URL & domain filter configuration files
1286
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1254
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1287
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1255
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1288
} # End of dansguardian ()
1256
} # End of dansguardian ()
1289
 
1257
 
1290
##################################################################
1258
##################################################################
1291
##			Fonction "antivirus"			##
1259
##			Fonction "antivirus"			##
1292
## - configuration of havp, libclamav and freshclam		##
1260
## - configuration of havp, libclamav and freshclam		##
1293
##################################################################
1261
##################################################################
1294
antivirus ()		
1262
antivirus ()		
1295
{
1263
{
1296
# create 'havp' user
1264
# create 'havp' user
1297
	havp_exist=`grep havp /etc/passwd|wc -l`
1265
	havp_exist=`grep havp /etc/passwd|wc -l`
1298
	if [ "$havp_exist" == "1" ]
1266
	if [ "$havp_exist" == "1" ]
1299
	then
1267
	then
1300
	      userdel -r havp 2>/dev/null
1268
	      userdel -r havp 2>/dev/null
1301
	      groupdel havp 2>/dev/null
1269
	      groupdel havp 2>/dev/null
1302
	fi
1270
	fi
1303
	groupadd -f havp
1271
	groupadd -f havp
1304
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1272
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1305
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1273
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1306
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1274
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1307
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1275
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1308
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1276
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1309
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1277
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1310
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1278
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1311
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1279
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1312
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1280
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1313
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1281
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1314
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1282
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1315
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1283
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1316
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1284
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1317
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1285
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1318
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1286
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1319
# skip checking of youtube flow (too heavy load / risk too low)
1287
# skip checking of youtube flow (too heavy load / risk too low)
1320
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1288
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1321
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1289
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1322
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1290
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1323
# adapt init script and systemd unit
1291
# adapt init script and systemd unit
1324
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1292
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1325
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1293
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1326
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1294
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1327
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1295
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1328
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1296
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1329
# replace of the intercept page (template)
1297
# replace of the intercept page (template)
1330
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1298
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1331
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1299
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1332
# update virus database every 4 hours (24h/6)
1300
# update virus database every 4 hours (24h/6)
1333
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1301
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1334
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1302
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1335
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1303
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1336
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1304
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1337
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1305
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1338
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1306
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1339
# update now
1307
# update now
1340
	/usr/bin/freshclam --no-warnings
1308
	/usr/bin/freshclam --no-warnings
1341
} # End of antivirus ()
1309
} # End of antivirus ()
1342
 
1310
 
1343
##########################################################################
1311
##########################################################################
1344
##			Fonction "tinyproxy"				##
1312
##			Fonction "tinyproxy"				##
1345
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1313
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1346
##########################################################################
1314
##########################################################################
1347
tinyproxy ()		
1315
tinyproxy ()		
1348
{
1316
{
1349
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1317
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1350
	if [ "$tinyproxy_exist" == "1" ]
1318
	if [ "$tinyproxy_exist" == "1" ]
1351
	then
1319
	then
1352
	      userdel -r tinyproxy 2>/dev/null
1320
	      userdel -r tinyproxy 2>/dev/null
1353
	      groupdel tinyproxy 2>/dev/null
1321
	      groupdel tinyproxy 2>/dev/null
1354
	fi
1322
	fi
1355
	groupadd -f tinyproxy
1323
	groupadd -f tinyproxy
1356
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1324
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1357
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1325
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1358
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1326
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1359
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1327
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1360
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1328
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1361
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1329
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1362
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1330
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1363
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1331
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1364
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1332
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1365
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1333
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1366
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1334
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1367
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1335
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1368
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1336
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1369
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1337
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1370
# Create the systemd unit
1338
# Create the systemd unit
1371
cat << EOF > /lib/systemd/system/tinyproxy.service
1339
cat << EOF > /lib/systemd/system/tinyproxy.service
1372
#  This file is part of systemd.
1340
#  This file is part of systemd.
1373
#
1341
#
1374
#  systemd is free software; you can redistribute it and/or modify it
1342
#  systemd is free software; you can redistribute it and/or modify it
1375
#  under the terms of the GNU General Public License as published by
1343
#  under the terms of the GNU General Public License as published by
1376
#  the Free Software Foundation; either version 2 of the License, or
1344
#  the Free Software Foundation; either version 2 of the License, or
1377
#  (at your option) any later version.
1345
#  (at your option) any later version.
1378
 
1346
 
1379
# This unit launches tinyproxy (a very light proxy).
1347
# This unit launches tinyproxy (a very light proxy).
1380
# The "sleep 2" is needed because the pid file isn't ready for systemd
1348
# The "sleep 2" is needed because the pid file isn't ready for systemd
1381
[Unit]
1349
[Unit]
1382
Description=Tinyproxy Web Proxy Server
1350
Description=Tinyproxy Web Proxy Server
1383
After=network.target iptables.service
1351
After=network.target iptables.service
1384
 
1352
 
1385
[Service]
1353
[Service]
1386
Type=forking
1354
Type=forking
1387
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1355
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1388
ExecStartPre=/bin/sleep 2
1356
ExecStartPre=/bin/sleep 2
1389
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1357
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1390
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1358
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1391
 
1359
 
1392
[Install]
1360
[Install]
1393
WantedBy=multi-user.target
1361
WantedBy=multi-user.target
1394
EOF
1362
EOF
1395
 
1363
 
1396
} # end of tinyproxy
1364
} # end of tinyproxy
1397
##################################################################################
1365
##################################################################################
1398
##			function "ulogd"					##
1366
##			function "ulogd"					##
1399
## - Ulog config for multi-log files 						##
1367
## - Ulog config for multi-log files 						##
1400
##################################################################################
1368
##################################################################################
1401
ulogd ()
1369
ulogd ()
1402
{
1370
{
1403
# Three instances of ulogd (three different logfiles)
1371
# Three instances of ulogd (three different logfiles)
1404
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1372
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1405
	nl=1
1373
	nl=1
1406
	for log_type in traceability ssh ext-access
1374
	for log_type in traceability ssh ext-access
1407
	do
1375
	do
1408
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1376
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1409
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1377
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1410
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1378
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1411
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1379
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1412
		if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
1380
		if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
1413
		cat << EOF >> /etc/ulogd-$log_type.conf
1381
		cat << EOF >> /etc/ulogd-$log_type.conf
1414
[emu1]
1382
[emu1]
1415
file="/var/log/firewall/$log_type.log"
1383
file="/var/log/firewall/$log_type.log"
1416
sync=1
1384
sync=1
1417
EOF
1385
EOF
1418
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1386
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1419
		nl=`expr $nl + 1`
1387
		nl=`expr $nl + 1`
1420
	done
1388
	done
1421
	chown -R root:apache /var/log/firewall
1389
	chown -R root:apache /var/log/firewall
1422
	chmod 750 /var/log/firewall
1390
	chmod 750 /var/log/firewall
1423
	chmod 640 /var/log/firewall/*
1391
	chmod 640 /var/log/firewall/*
1424
}  # End of ulogd ()
1392
}  # End of ulogd ()
1425
 
1393
 
1426
 
1394
 
1427
##########################################################
1395
##########################################################
1428
##              Function "nfsen"			##
1396
##              Function "nfsen"			##
1429
## - install the nfsen grapher				##
1397
## - install the nfsen grapher				##
1430
## - install the two plugins porttracker & surfmap	##
1398
## - install the two plugins porttracker & surfmap	##
1431
##########################################################
1399
##########################################################
1432
nfsen()
1400
nfsen()
1433
{
1401
{
1434
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1402
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1435
# Add PortTracker plugin
1403
# Add PortTracker plugin
1436
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1404
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1437
	do
1405
	do
1438
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1406
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1439
	done
1407
	done
1440
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1408
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1441
# use of our conf file and init unit
1409
# use of our conf file and init unit
1442
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1410
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1443
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1411
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1444
	DirTmp=$(pwd)
1412
	DirTmp=$(pwd)
1445
	cd /tmp/nfsen-1.3.7/
1413
	cd /tmp/nfsen-1.3.7/
1446
	/usr/bin/perl install.pl etc/nfsen.conf
1414
	/usr/bin/perl install.pl etc/nfsen.conf
1447
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1415
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1448
# Create RRD DB for porttracker (only in it still doesn't exist)
1416
# Create RRD DB for porttracker (only in it still doesn't exist)
1449
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1417
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1450
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1418
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1451
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1419
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1452
	chmod -R 770 /var/log/netflow/porttracker
1420
	chmod -R 770 /var/log/netflow/porttracker
1453
# nfsen unit for systemd
1421
# nfsen unit for systemd
1454
cat << EOF > /lib/systemd/system/nfsen.service
1422
cat << EOF > /lib/systemd/system/nfsen.service
1455
#  This file is part of systemd.
1423
#  This file is part of systemd.
1456
#
1424
#
1457
#  systemd is free software; you can redistribute it and/or modify it
1425
#  systemd is free software; you can redistribute it and/or modify it
1458
#  under the terms of the GNU General Public License as published by
1426
#  under the terms of the GNU General Public License as published by
1459
#  the Free Software Foundation; either version 2 of the License, or
1427
#  the Free Software Foundation; either version 2 of the License, or
1460
#  (at your option) any later version.
1428
#  (at your option) any later version.
1461
 
1429
 
1462
# This unit launches nfsen (a Netflow grapher).
1430
# This unit launches nfsen (a Netflow grapher).
1463
[Unit]
1431
[Unit]
1464
Description= NfSen init script
1432
Description= NfSen init script
1465
After=network.target iptables.service
1433
After=network.target iptables.service
1466
 
1434
 
1467
[Service]
1435
[Service]
1468
Type=oneshot
1436
Type=oneshot
1469
RemainAfterExit=yes
1437
RemainAfterExit=yes
1470
PIDFile=/var/run/nfsen/nfsen.pid
1438
PIDFile=/var/run/nfsen/nfsen.pid
1471
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1439
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1472
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1440
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1473
ExecStart=/usr/bin/nfsen start 
1441
ExecStart=/usr/bin/nfsen start 
1474
ExecStop=/usr/bin/nfsen stop
1442
ExecStop=/usr/bin/nfsen stop
1475
ExecReload=/usr/bin/nfsen restart
1443
ExecReload=/usr/bin/nfsen restart
1476
TimeoutSec=0
1444
TimeoutSec=0
1477
 
1445
 
1478
[Install]
1446
[Install]
1479
WantedBy=multi-user.target
1447
WantedBy=multi-user.target
1480
EOF
1448
EOF
1481
# Add the listen port to collect netflow packet (nfcapd)
1449
# Add the listen port to collect netflow packet (nfcapd)
1482
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1450
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1483
# expire delay for the profile "live"
1451
# expire delay for the profile "live"
1484
	/usr/bin/systemctl start nfsen
1452
	/usr/bin/systemctl start nfsen
1485
	/bin/nfsen -m live -e 62d 2>/dev/null
1453
	/bin/nfsen -m live -e 62d 2>/dev/null
1486
# add SURFmap plugin
1454
# add SURFmap plugin
1487
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1455
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1488
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1456
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1489
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1457
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1490
	cd /tmp/
1458
	cd /tmp/
1491
	/usr/bin/sh SURFmap/install.sh
1459
	/usr/bin/sh SURFmap/install.sh
1492
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1460
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1493
# clear the installation
1461
# clear the installation
1494
	cd $DirTmp
1462
	cd $DirTmp
1495
	rm -rf /tmp/nfsen*
1463
	rm -rf /tmp/nfsen*
1496
	rm -rf /tmp/SURFmap*
1464
	rm -rf /tmp/SURFmap*
1497
} # End of nfsen ()
1465
} # End of nfsen ()
1498
 
1466
 
1499
##################################################
1467
##################################################
1500
##		Function "vnstat"		##
1468
##		Function "vnstat"		##
1501
## Initialization of Vnstat and vnstat phpFE    ##
1469
## Initialization of Vnstat and vnstat phpFE    ##
1502
##################################################
1470
##################################################
1503
vnstat ()
1471
vnstat ()
1504
{
1472
{
1505
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1473
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1506
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1474
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1507
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1475
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1508
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1476
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1509
	/usr/bin/vnstat -u -i $EXTIF
1477
	/usr/bin/vnstat -u -i $EXTIF
1510
} # End of vnstat	
1478
} # End of vnstat	
1511
##################################################
1479
##################################################
1512
##		Function "dnsmasq"		##
1480
##		Function "dnsmasq"		##
1513
##################################################
1481
##################################################
1514
dnsmasq ()
1482
dnsmasq ()
1515
{
1483
{
1516
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1484
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1517
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1485
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1518
	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1486
	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1519
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1487
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1520
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1488
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1521
	cat << EOF > /etc/dnsmasq.conf 
1489
	cat << EOF > /etc/dnsmasq.conf 
1522
# Configuration file for "dnsmasq in forward mode"
1490
# Configuration file for "dnsmasq in forward mode"
1523
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1491
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1524
listen-address=$PRIVATE_IP
1492
listen-address=$PRIVATE_IP
1525
pid-file=/var/run/dnsmasq.pid
1493
pid-file=/var/run/dnsmasq.pid
1526
listen-address=127.0.0.1
1494
listen-address=127.0.0.1
1527
no-dhcp-interface=$INTIF
1495
no-dhcp-interface=$INTIF
1528
no-dhcp-interface=tun0
1496
no-dhcp-interface=tun0
1529
no-dhcp-interface=lo
1497
no-dhcp-interface=lo
1530
bind-interfaces
1498
bind-interfaces
1531
cache-size=2048
1499
cache-size=2048
1532
domain=$DOMAIN
1500
domain=$DOMAIN
1533
domain-needed
1501
domain-needed
1534
expand-hosts
1502
expand-hosts
1535
bogus-priv
1503
bogus-priv
1536
filterwin2k
1504
filterwin2k
1537
server=$DNS1
1505
server=$DNS1
1538
server=$DNS2
1506
server=$DNS2
1539
# DHCP service is configured. It will be enabled in "bypass" mode
1507
# DHCP service is configured. It will be enabled in "bypass" mode
1540
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1508
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1541
#dhcp-option=option:router,$PRIVATE_IP
1509
#dhcp-option=option:router,$PRIVATE_IP
1542
#dhcp-option=option:ntp-server,$PRIVATE_IP
1510
#dhcp-option=option:ntp-server,$PRIVATE_IP
1543
 
1511
 
1544
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1512
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1545
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1513
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1546
EOF
1514
EOF
1547
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1515
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1548
	cat << EOF > /etc/dnsmasq-blacklist.conf 
1516
	cat << EOF > /etc/dnsmasq-blacklist.conf 
1549
# Configuration file for "dnsmasq with blacklist"
1517
# Configuration file for "dnsmasq with blacklist"
1550
# Add Toulouse blacklist domains
1518
# Add Toulouse blacklist domains
1551
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1519
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1552
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1520
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1553
pid-file=/var/run/dnsmasq-blacklist.pid
1521
pid-file=/var/run/dnsmasq-blacklist.pid
1554
listen-address=$PRIVATE_IP
1522
listen-address=$PRIVATE_IP
1555
port=54
1523
port=54
1556
no-dhcp-interface=$INTIF
1524
no-dhcp-interface=$INTIF
1557
no-dhcp-interface=tun0
1525
no-dhcp-interface=tun0
1558
no-dhcp-interface=lo
1526
no-dhcp-interface=lo
1559
bind-interfaces
1527
bind-interfaces
1560
cache-size=2048
1528
cache-size=2048
1561
domain=$DOMAIN
1529
domain=$DOMAIN
1562
domain-needed
1530
domain-needed
1563
expand-hosts
1531
expand-hosts
1564
bogus-priv
1532
bogus-priv
1565
filterwin2k
1533
filterwin2k
1566
server=$DNS1
1534
server=$DNS1
1567
server=$DNS2
1535
server=$DNS2
1568
EOF
1536
EOF
1569
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1537
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1570
	cat << EOF > /etc/dnsmasq-whitelist.conf 
1538
	cat << EOF > /etc/dnsmasq-whitelist.conf 
1571
# Configuration file for "dnsmasq with whitelist"
1539
# Configuration file for "dnsmasq with whitelist"
1572
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1540
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1573
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1541
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1574
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1542
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1575
pid-file=/var/run/dnsmasq-whitelist.pid
1543
pid-file=/var/run/dnsmasq-whitelist.pid
1576
listen-address=$PRIVATE_IP
1544
listen-address=$PRIVATE_IP
1577
port=55
1545
port=55
1578
no-dhcp-interface=$INTIF
1546
no-dhcp-interface=$INTIF
1579
no-dhcp-interface=tun0
1547
no-dhcp-interface=tun0
1580
no-dhcp-interface=lo
1548
no-dhcp-interface=lo
1581
bind-interfaces
1549
bind-interfaces
1582
cache-size=1024
1550
cache-size=1024
1583
domain=$DOMAIN
1551
domain=$DOMAIN
1584
domain-needed
1552
domain-needed
1585
expand-hosts
1553
expand-hosts
1586
bogus-priv
1554
bogus-priv
1587
filterwin2k
1555
filterwin2k
1588
ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1556
ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1589
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1557
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1590
EOF
1558
EOF
1591
# 4th dnsmasq listen on udp 56 ("blackhole")
1559
# 4th dnsmasq listen on udp 56 ("blackhole")
1592
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1560
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1593
# Configuration file for "dnsmasq as a blackhole"
1561
# Configuration file for "dnsmasq as a blackhole"
1594
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1562
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1595
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1563
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1596
pid-file=/var/run/dnsmasq-blackhole.pid
1564
pid-file=/var/run/dnsmasq-blackhole.pid
1597
listen-address=$PRIVATE_IP
1565
listen-address=$PRIVATE_IP
1598
port=56
1566
port=56
1599
no-dhcp-interface=$INTIF
1567
no-dhcp-interface=$INTIF
1600
no-dhcp-interface=tun0
1568
no-dhcp-interface=tun0
1601
no-dhcp-interface=lo
1569
no-dhcp-interface=lo
1602
bind-interfaces
1570
bind-interfaces
1603
cache-size=256
1571
cache-size=256
1604
domain=$DOMAIN
1572
domain=$DOMAIN
1605
domain-needed
1573
domain-needed
1606
expand-hosts
1574
expand-hosts
1607
bogus-priv
1575
bogus-priv
1608
filterwin2k
1576
filterwin2k
1609
EOF
1577
EOF
1610
 
1578
 
1611
# the main instance should start after network and chilli (which create tun0)
1579
# the main instance should start after network and chilli (which create tun0)
1612
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1580
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1613
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1581
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1614
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1582
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1615
	for list in blacklist whitelist blackhole
1583
	for list in blacklist whitelist blackhole
1616
	do
1584
	do
1617
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1585
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1618
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1586
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1619
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1587
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1620
	done
1588
	done
1621
} # End dnsmasq
1589
} # End dnsmasq
1622
 
1590
 
1623
##########################################################
1591
##########################################################
1624
##		Fonction "BL"				##
1592
##		Fonction "BL"				##
1625
##########################################################
1593
##########################################################
1626
BL ()
1594
BL ()
1627
{
1595
{
1628
# copy and extract toulouse BL
1596
# copy and extract toulouse BL
1629
	rm -rf $DIR_DG/lists/blacklists
1597
	rm -rf $DIR_DG/lists/blacklists
1630
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1598
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1631
# creation of the OSSI BL and WL categories (domain name and url)
1599
# creation of the OSSI BL and WL categories (domain name and url)
1632
	mkdir $DIR_DG/lists/blacklists/ossi
1600
	mkdir $DIR_DG/lists/blacklists/ossi
1633
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
1601
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
1634
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1602
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1635
	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
1603
	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
1636
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1604
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1637
# creation of file for the rehabilited domains and urls
1605
# creation of file for the rehabilited domains and urls
1638
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1606
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1639
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1607
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1640
	touch $DIR_DG/lists/exceptionsitelist
1608
	touch $DIR_DG/lists/exceptionsitelist
1641
	touch $DIR_DG/lists/exceptionurllist
1609
	touch $DIR_DG/lists/exceptionurllist
1642
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1610
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1643
	cat <<EOF > $DIR_DG/lists/bannedurllist
1611
	cat <<EOF > $DIR_DG/lists/bannedurllist
1644
# Dansguardian filter config for ALCASAR
1612
# Dansguardian filter config for ALCASAR
1645
EOF
1613
EOF
1646
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1614
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1647
# Dansguardian domain filter config for ALCASAR
1615
# Dansguardian domain filter config for ALCASAR
1648
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1616
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1649
#**
1617
#**
1650
# block all SSL and CONNECT tunnels
1618
# block all SSL and CONNECT tunnels
1651
**s
1619
**s
1652
# block all SSL and CONNECT tunnels specified only as an IP
1620
# block all SSL and CONNECT tunnels specified only as an IP
1653
*ips
1621
*ips
1654
# block all sites specified only by an IP
1622
# block all sites specified only by an IP
1655
*ip
1623
*ip
1656
EOF
1624
EOF
1657
# Add Bing and Youtube to the safesearch url regext list (parental control)
1625
# Add Bing and Youtube to the safesearch url regext list (parental control)
1658
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1626
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1659
# Bing - add 'adlt=strict'
1627
# Bing - add 'adlt=strict'
1660
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1628
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1661
# Youtube - add 'edufilter=your_ID' 
1629
# Youtube - add 'edufilter=your_ID' 
1662
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
1630
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
1663
EOF
1631
EOF
1664
# change the the google safesearch ("safe=strict" instead of "safe=vss")
1632
# change the the google safesearch ("safe=strict" instead of "safe=vss")
1665
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1633
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1666
# adapt the BL to ALCASAR architecture. Enable the default categories
1634
# adapt the BL to ALCASAR architecture. Enable the default categories
1667
	if [ "$mode" != "update" ]; then
1635
	if [ "$mode" != "update" ]; then
1668
		$DIR_DEST_BIN/alcasar-bl.sh --adapt
1636
		$DIR_DEST_BIN/alcasar-bl.sh --adapt
1669
		$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1637
		$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1670
	fi
1638
	fi
1671
}
1639
}
1672
 
1640
 
1673
##########################################################
1641
##########################################################
1674
##		Fonction "cron"				##
1642
##		Fonction "cron"				##
1675
## - Mise en place des différents fichiers de cron	##
1643
## - Mise en place des différents fichiers de cron	##
1676
##########################################################
1644
##########################################################
1677
cron ()
1645
cron ()
1678
{
1646
{
1679
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1647
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1680
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1648
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1681
	cat <<EOF > /etc/crontab
1649
	cat <<EOF > /etc/crontab
1682
SHELL=/usr/bin/bash
1650
SHELL=/usr/bin/bash
1683
PATH=/usr/sbin:/usr/bin
1651
PATH=/usr/sbin:/usr/bin
1684
MAILTO=root
1652
MAILTO=root
1685
HOME=/
1653
HOME=/
1686
 
1654
 
1687
# run-parts
1655
# run-parts
1688
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1656
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1689
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1657
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1690
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1658
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1691
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1659
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1692
EOF
1660
EOF
1693
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1661
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1694
	cat <<EOF >> /etc/anacrontab
1662
	cat <<EOF >> /etc/anacrontab
1695
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1663
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1696
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1664
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1697
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1665
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1698
EOF
1666
EOF
1699
 
1667
 
1700
	cat <<EOF > /etc/cron.d/alcasar-mysql
1668
	cat <<EOF > /etc/cron.d/alcasar-mysql
1701
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1669
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1702
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1670
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1703
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1671
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1704
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1672
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1705
EOF
1673
EOF
1706
	cat <<EOF > /etc/cron.d/alcasar-archive
1674
	cat <<EOF > /etc/cron.d/alcasar-archive
1707
# Archive des logs et de la base de données (tous les lundi à 5h35)
1675
# Archive des logs et de la base de données (tous les lundi à 5h35)
1708
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1676
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1709
EOF
1677
EOF
1710
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1678
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1711
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1679
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1712
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1680
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1713
EOF
1681
EOF
1714
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1682
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1715
# mise à jour automatique de la distribution tous les jours 3h30
1683
# mise à jour automatique de la distribution tous les jours 3h30
1716
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1684
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1717
EOF
1685
EOF
1718
 
1686
 
1719
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1687
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1720
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1688
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1721
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1689
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1722
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1690
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1723
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1691
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1724
	cat << EOF > /etc/cron.d/freeradius-web
1692
	cat << EOF > /etc/cron.d/freeradius-web
1725
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1693
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1726
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1694
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1727
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1695
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1728
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1696
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1729
EOF
1697
EOF
1730
	cat << EOF > /etc/cron.d/alcasar-watchdog
1698
	cat << EOF > /etc/cron.d/alcasar-watchdog
1731
# activation du "chien de garde" (watchdog) toutes les 3'
1699
# activation du "chien de garde" (watchdog) toutes les 3'
1732
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1700
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1733
EOF
1701
EOF
1734
# Enabling the watchdog every 18'
1702
# Enabling the watchdog every 18'
1735
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1703
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1736
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1704
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1737
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1705
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1738
EOF
1706
EOF
1739
# removing the users crons
1707
# removing the users crons
1740
	rm -f /var/spool/cron/*
1708
	rm -f /var/spool/cron/*
1741
} # End cron
1709
} # End cron
1742
 
1710
 
1743
##################################################################
1711
##################################################################
1744
## 			Fonction "Fail2Ban"			##
1712
## 			Fonction "Fail2Ban"			##
1745
##- Modification de la configuration de fail2ban		##
1713
##- Modification de la configuration de fail2ban		##
1746
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1714
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1747
##################################################################
1715
##################################################################
1748
fail2ban()
1716
fail2ban()
1749
{
1717
{
1750
	$DIR_CONF/fail2ban.sh
1718
	$DIR_CONF/fail2ban.sh
1751
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1719
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1752
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1720
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1753
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1721
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1754
	chmod 644 /var/log/fail2ban.log
1722
	chmod 644 /var/log/fail2ban.log
1755
	chmod 644 /var/Save/security/watchdog.log
1723
	chmod 644 /var/Save/security/watchdog.log
1756
	/usr/bin/touch /var/log/auth.log
1724
	/usr/bin/touch /var/log/auth.log
1757
# fail2ban unit
1725
# fail2ban unit
1758
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1726
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1759
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1727
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1760
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1728
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1761
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1729
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1762
} #Fin de fail2ban_install()
1730
} #Fin de fail2ban_install()
1763
 
1731
 
1764
##################################################################
1732
##################################################################
1765
## 			Fonction "gammu_smsd"			##
1733
## 			Fonction "gammu_smsd"			##
1766
## - Creation de la base de donnée Gammu			##
1734
## - Creation de la base de donnée Gammu			##
1767
## - Creation du fichier de config: gammu_smsd_conf		##
1735
## - Creation du fichier de config: gammu_smsd_conf		##
1768
##								##
1736
##								##
1769
##################################################################
1737
##################################################################
1770
gammu_smsd()
1738
gammu_smsd()
1771
{
1739
{
1772
# Create 'gammu' databse
1740
# Create 'gammu' databse
1773
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1741
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1774
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1742
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1775
# Add a gammu database structure
1743
# Add a gammu database structure
1776
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1744
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1777
 
1745
 
1778
# config file for the daemon
1746
# config file for the daemon
1779
cat << EOF > /etc/gammu_smsd_conf
1747
cat << EOF > /etc/gammu_smsd_conf
1780
[gammu]
1748
[gammu]
1781
port = /dev/ttyUSB0
1749
port = /dev/ttyUSB0
1782
connection = at115200
1750
connection = at115200
1783
 
1751
 
1784
;########################################################
1752
;########################################################
1785
 
1753
 
1786
[smsd]
1754
[smsd]
1787
 
1755
 
1788
PIN = 1234
1756
PIN = 1234
1789
 
1757
 
1790
logfile = /var/log/gammu-smsd/gammu-smsd.log
1758
logfile = /var/log/gammu-smsd/gammu-smsd.log
1791
logformat = textall
1759
logformat = textall
1792
debuglevel = 0
1760
debuglevel = 0
1793
 
1761
 
1794
service = sql
1762
service = sql
1795
driver = native_mysql
1763
driver = native_mysql
1796
user = $DB_USER
1764
user = $DB_USER
1797
password = $radiuspwd
1765
password = $radiuspwd
1798
pc = localhost
1766
pc = localhost
1799
database = $DB_GAMMU
1767
database = $DB_GAMMU
1800
 
1768
 
1801
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1769
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1802
 
1770
 
1803
StatusFrequency = 30
1771
StatusFrequency = 30
1804
;LoopSleep = 2
1772
;LoopSleep = 2
1805
 
1773
 
1806
;ResetFrequency = 300
1774
;ResetFrequency = 300
1807
;HardResetFrequency = 120
1775
;HardResetFrequency = 120
1808
 
1776
 
1809
CheckSecurity = 1 
1777
CheckSecurity = 1 
1810
CheckSignal = 1
1778
CheckSignal = 1
1811
CheckBattery = 0
1779
CheckBattery = 0
1812
EOF
1780
EOF
1813
 
1781
 
1814
chmod 755 /etc/gammu_smsd_conf
1782
chmod 755 /etc/gammu_smsd_conf
1815
 
1783
 
1816
#Creation dossier de log Gammu-smsd
1784
#Creation dossier de log Gammu-smsd
1817
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1785
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1818
chmod 755 /var/log/gammu-smsd
1786
chmod 755 /var/log/gammu-smsd
1819
 
1787
 
1820
#Edition du script sql gammu <-> radius
1788
#Edition du script sql gammu <-> radius
1821
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1789
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1822
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1790
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1823
 
1791
 
1824
#Création de la règle udev pour les Huawei // idVendor: 12d1
1792
#Création de la règle udev pour les Huawei // idVendor: 12d1
1825
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1793
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1826
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1794
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1827
EOF
1795
EOF
1828
 
1796
 
1829
} # END gammu_smsd()
1797
} # END gammu_smsd()
1830
 
1798
 
1831
##################################################################
1799
##################################################################
1832
##			Fonction "post_install"			##
1800
##			Fonction "post_install"			##
1833
## - Modification des bannières (locales et ssh) et des prompts ##
1801
## - Modification des bannières (locales et ssh) et des prompts ##
1834
## - Installation de la structure de chiffrement pour root	##
1802
## - Installation de la structure de chiffrement pour root	##
1835
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1803
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1836
## - Mise en place du la rotation des logs			##
1804
## - Mise en place du la rotation des logs			##
1837
## - Configuration dans le cas d'une mise à jour		##
1805
## - Configuration dans le cas d'une mise à jour		##
1838
##################################################################
1806
##################################################################
1839
post_install()
1807
post_install()
1840
{
1808
{
1841
# création de la bannière locale
1809
# création de la bannière locale
1842
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1810
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1843
	cp -f $DIR_CONF/banner /etc/mageia-release
1811
	cp -f $DIR_CONF/banner /etc/mageia-release
1844
	echo " V$VERSION" >> /etc/mageia-release
1812
	echo " V$VERSION" >> /etc/mageia-release
1845
# création de la bannière SSH
1813
# création de la bannière SSH
1846
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1814
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1847
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1815
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1848
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1816
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1849
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1817
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1850
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1818
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1851
# postfix banner anonymisation
1819
# postfix banner anonymisation
1852
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1820
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1853
# sshd écoute côté LAN et WAN
1821
# sshd écoute côté LAN et WAN
1854
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1822
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1855
# sshd autorise les connections root par certificat
1823
# sshd autorise les connections root par certificat
1856
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1824
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1857
	# Put the default values in conf file
1825
	# Put the default values in conf file
1858
	echo "SSH=off" >> $CONF_FILE
1826
	echo "SSH=off" >> $CONF_FILE
1859
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1827
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1860
	echo "LDAP=off" >> $CONF_FILE
1828
	echo "LDAP=off" >> $CONF_FILE
1861
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1829
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1862
	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1830
	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1863
	echo "MULTIWAN=off" >> $CONF_FILE
1831
	echo "MULTIWAN=off" >> $CONF_FILE
1864
	echo "FAILOVER=30" >> $CONF_FILE
1832
	echo "FAILOVER=30" >> $CONF_FILE
1865
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1833
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1866
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1834
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1867
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1835
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1868
# Coloration des prompts
1836
# Coloration des prompts
1869
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1837
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1870
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1838
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1871
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1839
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1872
# Droits d'exécution pour utilisateur apache et sysadmin
1840
# Droits d'exécution pour utilisateur apache et sysadmin
1873
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1841
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1874
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1842
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1875
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1843
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1876
# Modify some logrotate files (gammu, ulogd)
1844
# Modify some logrotate files (gammu, ulogd)
1877
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1845
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1878
	chmod 644 /etc/logrotate.d/*
1846
	chmod 644 /etc/logrotate.d/*
1879
# rectification sur versions précédentes de la compression des logs
1847
# rectification sur versions précédentes de la compression des logs
1880
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1848
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1881
# actualisation des fichiers logs compressés
1849
# actualisation des fichiers logs compressés
1882
	for dir in firewall dansguardian httpd
1850
	for dir in firewall dansguardian httpd
1883
	do
1851
	do
1884
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1852
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1885
	done
1853
	done
1886
# create the alcasar-load_balancing unit
1854
# create the alcasar-load_balancing unit
1887
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1855
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1888
#  This file is part of systemd.
1856
#  This file is part of systemd.
1889
#
1857
#
1890
#  systemd is free software; you can redistribute it and/or modify it
1858
#  systemd is free software; you can redistribute it and/or modify it
1891
#  under the terms of the GNU General Public License as published by
1859
#  under the terms of the GNU General Public License as published by
1892
#  the Free Software Foundation; either version 2 of the License, or
1860
#  the Free Software Foundation; either version 2 of the License, or
1893
#  (at your option) any later version.
1861
#  (at your option) any later version.
1894
 
1862
 
1895
# This unit lauches alcasar-load-balancing.sh script.
1863
# This unit lauches alcasar-load-balancing.sh script.
1896
[Unit]
1864
[Unit]
1897
Description=alcasar-load_balancing.sh execution
1865
Description=alcasar-load_balancing.sh execution
1898
After=network.target iptables.service
1866
After=network.target iptables.service
1899
 
1867
 
1900
[Service]
1868
[Service]
1901
Type=oneshot
1869
Type=oneshot
1902
RemainAfterExit=yes
1870
RemainAfterExit=yes
1903
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
1871
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
1904
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1872
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1905
TimeoutSec=0
1873
TimeoutSec=0
1906
SysVStartPriority=99
1874
SysVStartPriority=99
1907
 
1875
 
1908
[Install]
1876
[Install]
1909
WantedBy=multi-user.target
1877
WantedBy=multi-user.target
1910
EOF
1878
EOF
1911
# processes launched at boot time (Systemctl)
1879
# processes launched at boot time (Systemctl)
1912
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1880
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1913
	do
1881
	do
1914
		/usr/bin/systemctl -q enable $i.service
1882
		/usr/bin/systemctl -q enable $i.service
1915
	done
1883
	done
1916
	
1884
	
1917
# disable processes at boot time (Systemctl)
1885
# disable processes at boot time (Systemctl)
1918
	for i in ulogd
1886
	for i in ulogd
1919
	do
1887
	do
1920
		/usr/bin/systemctl -q disable $i.service
1888
		/usr/bin/systemctl -q disable $i.service
1921
	done
1889
	done
1922
	
1890
	
1923
# Apply French Security Agency (ANSSI) rules
1891
# Apply French Security Agency (ANSSI) rules
1924
# ignore ICMP broadcast (smurf attack)
1892
# ignore ICMP broadcast (smurf attack)
1925
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1893
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1926
# ignore ICMP errors bogus
1894
# ignore ICMP errors bogus
1927
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1895
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1928
# remove ICMP redirects responces
1896
# remove ICMP redirects responces
1929
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1897
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1930
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1898
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1931
# enable SYN Cookies (Syn flood attacks)
1899
# enable SYN Cookies (Syn flood attacks)
1932
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1900
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1933
# enable kernel antispoofing
1901
# enable kernel antispoofing
1934
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1902
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1935
# ignore source routing
1903
# ignore source routing
1936
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1904
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1937
# set conntrack timer to 1h (3600s) instead of 5 weeks
1905
# set conntrack timer to 1h (3600s) instead of 5 weeks
1938
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1906
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1939
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1907
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1940
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1908
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1941
# disable iptables_helpers
1909
# disable iptables_helpers
1942
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
1910
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
1943
# Switch to the router mode
1911
# Switch to the router mode
1944
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
1912
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
1945
# remove Magic SysReq Keys
1913
# remove Magic SysReq Keys
1946
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1914
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1947
# switch to multi-users runlevel (instead of x11)
1915
# switch to multi-users runlevel (instead of x11)
1948
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1916
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1949
#	GRUB modifications (only one time)
1917
#	GRUB modifications (only one time)
1950
# limit wait time to 3s
1918
# limit wait time to 3s
1951
# create an alcasar entry instead of linux-nonfb
1919
# create an alcasar entry instead of linux-nonfb
1952
# change display to 1024*768 (vga791)
1920
# change display to 1024*768 (vga791)
1953
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
1921
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
1954
	if [ $grub_already_modified == 0 ]
1922
	if [ $grub_already_modified == 0 ]
1955
		then
1923
		then
1956
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1924
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1957
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1925
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1958
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1926
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1959
		$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1927
		$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1960
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1928
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1961
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
1929
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
1962
	fi
1930
	fi
1963
# Remove unused services and users
1931
# Remove unused services and users
1964
	for svc in sshd
1932
	for svc in sshd
1965
	do
1933
	do
1966
		/usr/bin/systemctl -q enable $svc.service
1934
		/usr/bin/systemctl -q enable $svc.service
1967
	done
1935
	done
1968
# Load and apply the previous conf file
1936
# Load and apply the previous conf file
1969
	if [ "$mode" = "update" ]
1937
	if [ "$mode" = "update" ]
1970
	then
1938
	then
1971
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1939
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
1972
		$DIR_DEST_BIN/alcasar-conf.sh --load
1940
		$DIR_DEST_BIN/alcasar-conf.sh --load
1973
		PARENT_SCRIPT=`basename $0`
1941
		PARENT_SCRIPT=`basename $0`
1974
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
1942
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
1975
		$DIR_DEST_BIN/alcasar-conf.sh --apply
1943
		$DIR_DEST_BIN/alcasar-conf.sh --apply
1976
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1944
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1977
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1945
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1978
	fi
1946
	fi
1979
	rm -f /tmp/alcasar-conf*
1947
	rm -f /tmp/alcasar-conf*
1980
	chown -R root:apache $DIR_DEST_ETC/*
1948
	chown -R root:apache $DIR_DEST_ETC/*
1981
	chmod -R 660 $DIR_DEST_ETC/*
1949
	chmod -R 660 $DIR_DEST_ETC/*
1982
	chmod ug+x $DIR_DEST_ETC/digest
1950
	chmod ug+x $DIR_DEST_ETC/digest
1983
	cd $DIR_INSTALL
1951
	cd $DIR_INSTALL
1984
	echo ""
1952
	echo ""
1985
	echo "#############################################################################"
1953
	echo "#############################################################################"
1986
	if [ $Lang == "fr" ]
1954
	if [ $Lang == "fr" ]
1987
		then
1955
		then
1988
		echo "#                        Fin d'installation d'ALCASAR                       #"
1956
		echo "#                        Fin d'installation d'ALCASAR                       #"
1989
		echo "#                                                                           #"
1957
		echo "#                                                                           #"
1990
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1958
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1991
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1959
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1992
		echo "#                                                                           #"
1960
		echo "#                                                                           #"
1993
		echo "#############################################################################"
1961
		echo "#############################################################################"
1994
		echo
1962
		echo
1995
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1963
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1996
		echo
1964
		echo
1997
		echo "- Lisez attentivement la documentation d'exploitation"
1965
		echo "- Lisez attentivement la documentation d'exploitation"
1998
		echo
1966
		echo
1999
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
1967
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
2000
		echo
1968
		echo
2001
		echo "                   Appuyez sur 'Entrée' pour continuer"
1969
		echo "                   Appuyez sur 'Entrée' pour continuer"
2002
	else	
1970
	else	
2003
		echo "#                        Enf of ALCASAR install process                     #"
1971
		echo "#                        Enf of ALCASAR install process                     #"
2004
		echo "#                                                                           #"
1972
		echo "#                                                                           #"
2005
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1973
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2006
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1974
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2007
		echo "#                                                                           #"
1975
		echo "#                                                                           #"
2008
		echo "#############################################################################"
1976
		echo "#############################################################################"
2009
		echo
1977
		echo
2010
		echo "- The system will be rebooted in order to operate ALCASAR"
1978
		echo "- The system will be rebooted in order to operate ALCASAR"
2011
		echo
1979
		echo
2012
		echo "- Read the exploitation documentation"
1980
		echo "- Read the exploitation documentation"
2013
		echo
1981
		echo
2014
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
1982
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2015
		echo
1983
		echo
2016
		echo "                   Hit 'Enter' to continue"
1984
		echo "                   Hit 'Enter' to continue"
2017
	fi
1985
	fi
2018
	sleep 2
1986
	sleep 2
2019
	if [ "$mode" != "update" ]
1987
	if [ "$mode" != "update" ]
2020
	then
1988
	then
2021
		read a
1989
		read a
2022
	fi
1990
	fi
2023
	clear
1991
	clear
2024
	reboot
1992
	reboot
2025
} # End post_install ()
1993
} # End post_install ()
2026
 
1994
 
2027
#################################
1995
#################################
2028
#  	Main Install loop  	#
1996
#  	Main Install loop  	#
2029
#################################
1997
#################################
2030
dir_exec=`dirname "$0"`
1998
dir_exec=`dirname "$0"`
2031
if [ $dir_exec != "." ]
1999
if [ $dir_exec != "." ]
2032
then
2000
then
2033
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2001
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2034
	echo "Launch this program from the ALCASAR archive directory"
2002
	echo "Launch this program from the ALCASAR archive directory"
2035
	exit 0
2003
	exit 0
2036
fi
2004
fi
2037
VERSION=`cat $DIR_INSTALL/VERSION`
2005
VERSION=`cat $DIR_INSTALL/VERSION`
2038
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2006
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2039
nb_args=$#
2007
nb_args=$#
2040
args=$1
2008
args=$1
2041
if [ $nb_args -eq 0 ]
2009
if [ $nb_args -eq 0 ]
2042
then
2010
then
2043
	nb_args=1
2011
	nb_args=1
2044
	args="-h"
2012
	args="-h"
2045
fi
2013
fi
2046
chmod -R u+x $DIR_SCRIPTS/*
2014
chmod -R u+x $DIR_SCRIPTS/*
2047
case $args in
2015
case $args in
2048
	-\? | -h* | --h*)
2016
	-\? | -h* | --h*)
2049
		echo "$usage"
2017
		echo "$usage"
2050
		exit 0
2018
		exit 0
2051
		;;
2019
		;;
2052
	-i | --install)
2020
	-i | --install)
2053
		header_install
2021
		header_install
2054
		license
2022
		license
2055
		header_install
2023
		header_install
2056
		testing
2024
		testing
2057
# RPMs install
2025
# RPMs install
2058
		$DIR_SCRIPTS/alcasar-urpmi.sh
2026
		$DIR_SCRIPTS/alcasar-urpmi.sh
2059
		if [ "$?" != "0" ]
2027
		if [ "$?" != "0" ]
2060
		then
2028
		then
2061
			exit 0
2029
			exit 0
2062
		fi
2030
		fi
2063
		if [ -e $CONF_FILE ]
2031
		if [ -e $CONF_FILE ]
2064
		then
2032
		then
2065
# Uninstall the running version
2033
# Uninstall the running version
2066
			$DIR_SCRIPTS/alcasar-uninstall.sh
2034
			$DIR_SCRIPTS/alcasar-uninstall.sh
2067
		fi
2035
		fi
2068
# Test if manual update	
2036
# Test if manual update	
2069
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2037
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2070
		then
2038
		then
2071
			header_install
2039
			header_install
2072
			if [ $Lang == "fr" ]
2040
			if [ $Lang == "fr" ]
2073
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2041
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2074
				else echo "The configuration file of an old version has been found";
2042
				else echo "The configuration file of an old version has been found";
2075
			fi
2043
			fi
2076
			response=0
2044
			response=0
2077
			PTN='^[oOnNyY]$'
2045
			PTN='^[oOnNyY]$'
2078
			until [[ $(expr $response : $PTN) -gt 0 ]]
2046
			until [[ $(expr $response : $PTN) -gt 0 ]]
2079
			do
2047
			do
2080
				if [ $Lang == "fr" ]
2048
				if [ $Lang == "fr" ]
2081
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2049
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2082
					else echo -n "Do you want to use it (Y/n)?";
2050
					else echo -n "Do you want to use it (Y/n)?";
2083
				 fi
2051
				 fi
2084
				read response
2052
				read response
2085
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2053
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2086
				then rm -f /tmp/alcasar-conf*
2054
				then rm -f /tmp/alcasar-conf*
2087
				fi
2055
				fi
2088
			done
2056
			done
2089
		fi
2057
		fi
2090
# Test if update
2058
# Test if update
2091
		if [ -e /tmp/alcasar-conf* ] 
2059
		if [ -e /tmp/alcasar-conf* ] 
2092
		then
2060
		then
2093
			if [ $Lang == "fr" ]
2061
			if [ $Lang == "fr" ]
2094
				then echo "#### Installation avec mise à jour ####";
2062
				then echo "#### Installation avec mise à jour ####";
2095
				else echo "#### Installation with update     ####";
2063
				else echo "#### Installation with update     ####";
2096
			fi
2064
			fi
2097
# Extract the central configuration file
2065
# Extract the central configuration file
2098
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2066
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2099
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2067
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2100
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2068
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2101
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2069
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2102
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2070
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2103
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2071
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2104
			mode="update"
2072
			mode="update"
2105
		fi
2073
		fi
2106
		for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2074
		for func in init network time ACC CA init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2107
		do
2075
		do
2108
			$func
2076
			$func
2109
# echo "*** 'debug' : end of function $func ***"; read a
2077
# echo "*** 'debug' : end of function $func ***"; read a
2110
		done
2078
		done
2111
		;;
2079
		;;
2112
	-u | --uninstall)
2080
	-u | --uninstall)
2113
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2081
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2114
		then
2082
		then
2115
			if [ $Lang == "fr" ]
2083
			if [ $Lang == "fr" ]
2116
				then echo "ALCASAR n'est pas installé!";
2084
				then echo "ALCASAR n'est pas installé!";
2117
				else echo "ALCASAR isn't installed!";
2085
				else echo "ALCASAR isn't installed!";
2118
			fi
2086
			fi
2119
			exit 0
2087
			exit 0
2120
		fi
2088
		fi
2121
		response=0
2089
		response=0
2122
		PTN='^[oOnN]$'
2090
		PTN='^[oOnN]$'
2123
		until [[ $(expr $response : $PTN) -gt 0 ]]
2091
		until [[ $(expr $response : $PTN) -gt 0 ]]
2124
		do
2092
		do
2125
			if [ $Lang == "fr" ]
2093
			if [ $Lang == "fr" ]
2126
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2094
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2127
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2095
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2128
			fi
2096
			fi
2129
			read response
2097
			read response
2130
		done
2098
		done
2131
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2099
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2132
		then
2100
		then
2133
			$DIR_SCRIPTS/alcasar-conf.sh --create
2101
			$DIR_SCRIPTS/alcasar-conf.sh --create
2134
		else	
2102
		else	
2135
			rm -f /tmp/alcasar-conf*
2103
			rm -f /tmp/alcasar-conf*
2136
		fi
2104
		fi
2137
# Uninstall the running version
2105
# Uninstall the running version
2138
		$DIR_SCRIPTS/alcasar-uninstall.sh
2106
		$DIR_SCRIPTS/alcasar-uninstall.sh
2139
		;;
2107
		;;
2140
	*)
2108
	*)
2141
		echo "Argument inconnu :$1";
2109
		echo "Argument inconnu :$1";
2142
		echo "Unknown argument :$1";
2110
		echo "Unknown argument :$1";
2143
		echo "$usage"
2111
		echo "$usage"
2144
		exit 1
2112
		exit 1
2145
		;;
2113
		;;
2146
esac
2114
esac
2147
# end of script
2115
# end of script
2148
 
2116
 
2149
 
2117