Subversion Repositories ALCASAR

Rev

Rev 2760 | Rev 2764 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2760 Rev 2763
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2760 2019-11-06 12:26:49Z lucas.echard $
2
#  $Id: alcasar.sh 2763 2019-11-10 18:26:57Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
 
26
 
27
# Functions :
27
# Functions :
28
#	testing			: connectivity tests, free space test and mageia version test
28
#	testing			: connectivity tests, free space test and mageia version test
29
#	init			: Installation of RPM and scripts
29
#	init			: Installation of RPM and scripts
30
#	network			: Network parameters
30
#	network			: Network parameters
31
#	ACC				: ALCASAR Control Center installation
31
#	ACC				: ALCASAR Control Center installation
32
#	CA				: Certification Authority initialization
32
#	CA				: Certification Authority initialization
33
#	time_server		: NTPd configuration
33
#	time_server		: NTPd configuration
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	freeradius		: FreeRadius initialisation
35
#	freeradius		: FreeRadius initialisation
36
#	chilli			: coovachilli initialisation (+authentication page)
36
#	chilli			: coovachilli initialisation (+authentication page)
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
38
#	antivirus		: HAVP + libclamav configuration
38
#	antivirus		: HAVP + libclamav configuration
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	nfsen			: Configuration of Nfsen Netflow grapher
41
#	nfsen			: Configuration of Nfsen Netflow grapher
42
#	unbound			: Name server configuration
42
#	unbound			: Name server configuration
43
#	dnsmasq			: Name server configuration (for whitelist ipset support)
43
#	dnsmasq			: Name server configuration (for whitelist ipset support)
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
45
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	msec			: Mandriva security package configuration
49
#	msec			: Mandriva security package configuration
50
#	letsencrypt		: Let's Encrypt client
50
#	letsencrypt		: Let's Encrypt client
51
#	post_install	: Security, log rotation, etc.
51
#	post_install	: Security, log rotation, etc.
52
 
52
 
53
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
53
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
54
DATE=`date '+%d %B %Y - %Hh%M'`
54
DATE=`date '+%d %B %Y - %Hh%M'`
55
DATE_SHORT=`date '+%d/%m/%Y'`
55
DATE_SHORT=`date '+%d/%m/%Y'`
56
Lang=`echo $LANG|cut -c 1-2`
56
Lang=`echo $LANG|cut -c 1-2`
57
mode="install"
57
mode="install"
58
# ******* Files parameters - paramètres fichiers *********
58
# ******* Files parameters - paramètres fichiers *********
59
DIR_INSTALL=`pwd`						# current directory
59
DIR_INSTALL=`pwd`						# current directory
60
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
60
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
61
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
61
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
62
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
62
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
63
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
63
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
64
DIR_WEB="/var/www/html"					# directory of Lighttpd
64
DIR_WEB="/var/www/html"					# directory of Lighttpd
65
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
65
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
66
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
66
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
67
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
67
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
68
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
68
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
69
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
69
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
70
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
70
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
71
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
71
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
72
# ******* DBMS parameters - paramètres SGBD ********
72
# ******* DBMS parameters - paramètres SGBD ********
73
DB_RADIUS="radius"						# database name used by FreeRadius server
73
DB_RADIUS="radius"						# database name used by FreeRadius server
74
DB_USER="radius"						# user name allows to request the users database
74
DB_USER="radius"						# user name allows to request the users database
75
DB_GAMMU="gammu"						# database name used by Gammu-smsd
75
DB_GAMMU="gammu"						# database name used by Gammu-smsd
76
# ******* Network parameters - paramètres réseau *******
76
# ******* Network parameters - paramètres réseau *******
77
HOSTNAME="alcasar"						# default hostname
77
HOSTNAME="alcasar"						# default hostname
78
DOMAIN="localdomain"					# default local domain
78
DOMAIN="localdomain"					# default local domain
79
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
79
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
80
INTIF=''								# INTIF is connected to the consultation network
80
INTIF=''								# INTIF is connected to the consultation network
81
MTU="1500"
81
MTU="1500"
82
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
82
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
83
# ****** Paths - chemin des commandes *******
83
# ****** Paths - chemin des commandes *******
84
SED="/bin/sed -i"
84
SED="/bin/sed -i"
85
# ****************** End of global parameters *********************
85
# ****************** End of global parameters *********************
86
 
86
 
87
license()
87
license()
88
{
88
{
89
	if [ $Lang == "fr" ]
89
	if [ $Lang == "fr" ]
90
	then
90
	then
91
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
91
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
92
	else
92
	else
93
		cat $DIR_INSTALL/gpl-warning.txt | more
93
		cat $DIR_INSTALL/gpl-warning.txt | more
94
	fi
94
	fi
95
	response=0
95
	response=0
96
	PTN='^[oOyYnN]?$'
96
	PTN='^[oOyYnN]?$'
97
	until [[ "$response" =~ $PTN ]]
97
	until [[ "$response" =~ $PTN ]]
98
	do
98
	do
99
		if [ $Lang == "fr" ]
99
		if [ $Lang == "fr" ]
100
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
100
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
101
			else echo -n "Do you accept the terms of this license (Y/n)? : "
101
			else echo -n "Do you accept the terms of this license (Y/n)? : "
102
		fi
102
		fi
103
		read response
103
		read response
104
	done
104
	done
105
	if [ "$response" = "n" ] || [ "$response" = "N" ]
105
	if [ "$response" = "n" ] || [ "$response" = "N" ]
106
	then
106
	then
107
		exit 1
107
		exit 1
108
	fi
108
	fi
109
} # End of license()
109
} # End of license()
110
 
110
 
111
header_install()
111
header_install()
112
{
112
{
113
	clear
113
	clear
114
	echo "-----------------------------------------------------------------------------"
114
	echo "-----------------------------------------------------------------------------"
115
	echo "                     ALCASAR V$VERSION Installation"
115
	echo "                     ALCASAR V$VERSION Installation"
116
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
117
	echo "-----------------------------------------------------------------------------"
117
	echo "-----------------------------------------------------------------------------"
118
} # End of header_install()
118
} # End of header_install()
119
 
119
 
120
########################################################
120
########################################################
121
##                  Function "testing"                ##
121
##                  Function "testing"                ##
122
## - Test Mageia version                              ##
122
## - Test Mageia version                              ##
123
## - Test ALCASAR version (if already installed)      ##
123
## - Test ALCASAR version (if already installed)      ##
124
## - Test free space on /var  (>10G)                  ##
124
## - Test free space on /var  (>10G)                  ##
125
## - Test Internet access                             ##
125
## - Test Internet access                             ##
126
########################################################
126
########################################################
127
testing()
127
testing()
128
{
128
{
129
# Test of Mageia version
129
# Test of Mageia version
130
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
# extract the current Mageia version and hardware architecture (i586 ou X64)
131
	fic=`cat /etc/product.id`
131
	fic=`cat /etc/product.id`
132
	unknown_os=0
132
	unknown_os=0
133
	old="$IFS"
133
	old="$IFS"
134
	IFS=","
134
	IFS=","
135
	set $fic
135
	set $fic
136
	for i in "$@"
136
	for i in "$@"
137
	do
137
	do
138
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
139
			then
139
			then
140
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
141
			unknown_os=`expr $unknown_os + 1`
141
			unknown_os=`expr $unknown_os + 1`
142
		fi
142
		fi
143
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
143
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
144
			then
144
			then
145
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
145
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
146
			unknown_os=`expr $unknown_os + 1`
146
			unknown_os=`expr $unknown_os + 1`
147
		fi
147
		fi
148
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
148
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
149
			then
149
			then
150
			ARCH=`echo $i|cut -d"=" -f2`
150
			ARCH=`echo $i|cut -d"=" -f2`
151
			unknown_os=`expr $unknown_os + 1`
151
			unknown_os=`expr $unknown_os + 1`
152
		fi
152
		fi
153
	done
153
	done
154
	if [ "$ARCH" != "x86_64" ]
154
	if [ "$ARCH" != "x86_64" ]
155
		then
155
		then
156
		if [ $Lang == "fr" ]
156
		if [ $Lang == "fr" ]
157
			then echo "Votre architecture matérielle doit être en 64bits"
157
			then echo "Votre architecture matérielle doit être en 64bits"
158
			else echo "You hardware architecture must be 64bits"
158
			else echo "You hardware architecture must be 64bits"
159
		fi
159
		fi
160
		exit 1
160
		exit 1
161
	fi
161
	fi
162
	IFS="$old"
162
	IFS="$old"
163
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
163
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
164
	then
164
	then
165
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
165
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
166
			then
166
			then
167
			echo
167
			echo
168
			if [ $Lang == "fr" ]
168
			if [ $Lang == "fr" ]
169
				then
169
				then
170
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
170
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
171
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
171
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
172
				echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
172
				echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
173
				echo "3 - Importez votre base des usagers"
173
				echo "3 - Importez votre base des usagers"
174
			else
174
			else
175
				echo "The automatic update of ALCASAR can't be performed."
175
				echo "The automatic update of ALCASAR can't be performed."
176
				echo "1 - Save your traceability files and the user database"
176
				echo "1 - Save your traceability files and the user database"
177
				echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
177
				echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
178
				echo "3 - Import your users database"
178
				echo "3 - Import your users database"
179
			fi
179
			fi
180
		else
180
		else
181
			if [ $Lang == "fr" ]
181
			if [ $Lang == "fr" ]
182
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
182
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
183
				else echo "The installation of ALCASAR can't be performed."
183
				else echo "The installation of ALCASAR can't be performed."
184
			fi
184
			fi
185
		fi
185
		fi
186
		echo
186
		echo
187
		if [ $Lang == "fr" ]
187
		if [ $Lang == "fr" ]
188
			then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
188
			then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
189
			else echo "The OS must be replaced (Mageia7.1-64bits)"
189
			else echo "The OS must be replaced (Mageia7.1-64bits)"
190
		fi
190
		fi
191
		exit 1
191
		exit 1
192
	fi
192
	fi
193
 
193
 
194
# Test if ALCASAR is already installed
194
# Test if ALCASAR is already installed
195
	if [ -e $CONF_FILE ]
195
	if [ -e $CONF_FILE ]
196
	then
196
	then
197
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
197
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
198
		if [ $Lang == "fr" ]
198
		if [ $Lang == "fr" ]
199
			then echo "La version $current_version d'ALCASAR est déjà installée"
199
			then echo "La version $current_version d'ALCASAR est déjà installée"
200
			else echo "ALCASAR version $current_version is already installed"
200
			else echo "ALCASAR version $current_version is already installed"
201
		fi
201
		fi
202
		response=0
202
		response=0
203
		PTN='^[12]$'
203
		PTN='^[12]$'
204
		until [[ "$response" =~ $PTN ]]
204
		until [[ "$response" =~ $PTN ]]
205
		do
205
		do
206
			if [ $Lang == "fr" ]
206
			if [ $Lang == "fr" ]
207
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
207
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
208
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
208
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
209
			fi
209
			fi
210
			read response
210
			read response
211
		done
211
		done
212
		if [ "$response" = "2" ]
212
		if [ "$response" = "2" ]
213
		then
213
		then
214
			rm -f /var/tmp/alcasar-conf*
214
			rm -f /var/tmp/alcasar-conf*
215
		else
215
		else
216
# Retrieve former NICname
216
# Retrieve former NICname
217
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
217
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
218
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
218
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
219
			[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
219
			[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
220
			[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
220
			[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
221
# Create the current conf file
221
# Create the current conf file
222
			$DIR_SCRIPTS/alcasar-conf.sh --create
222
			$DIR_SCRIPTS/alcasar-conf.sh --create
223
			mode="update"
223
			mode="update"
224
		fi
224
		fi
225
	fi
225
	fi
226
# Test free space on /var
226
# Test free space on /var
227
	if [ ! -d /var/log/netflow/porttracker ]
227
	if [ ! -d /var/log/netflow/porttracker ]
228
		then
228
		then
229
		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
229
		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
230
		if [ $free_space -lt 10 ]
230
		if [ $free_space -lt 10 ]
231
			then
231
			then
232
			if [ $Lang == "fr" ]
232
			if [ $Lang == "fr" ]
233
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
233
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
234
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
234
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
235
			fi
235
			fi
236
		exit 0
236
		exit 0
237
		fi
237
		fi
238
	fi
238
	fi
239
 
239
 
240
# Detect external/internal interfaces
240
# Detect external/internal interfaces
241
	if [ -z "$EXTIF" ]; then
241
	if [ -z "$EXTIF" ]; then
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
243
		if [ -z "$EXTIF" ]; then
243
		if [ -z "$EXTIF" ]; then
244
			if [ "$Lang" == 'fr' ]
244
			if [ "$Lang" == 'fr' ]
245
				then echo -n "Aucune passerelle par défaut configurée"
245
				then echo -n "Aucune passerelle par défaut configurée"
246
				else echo -n "No default gateway configured"
246
				else echo -n "No default gateway configured"
247
			fi
247
			fi
248
			exit 1
248
			exit 1
249
		fi
249
		fi
250
	fi
250
	fi
251
	if [ "$Lang" == 'fr' ]
251
	if [ "$Lang" == 'fr' ]
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
254
	fi
254
	fi
255
 
255
 
256
	if [ -z "$INTIF" ]; then
256
	if [ -z "$INTIF" ]; then
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
259
		if [ $interfacesCount -eq 0 ]; then
259
		if [ $interfacesCount -eq 0 ]; then
260
			if [ "$Lang" == 'fr' ]
260
			if [ "$Lang" == 'fr' ]
261
				then echo "Aucune interface de disponible pour le réseau interne"
261
				then echo "Aucune interface de disponible pour le réseau interne"
262
				else echo "No interface available for the internal network"
262
				else echo "No interface available for the internal network"
263
			fi
263
			fi
264
			exit 1
264
			exit 1
265
		elif [ $interfacesCount -eq 1 ]; then
265
		elif [ $interfacesCount -eq 1 ]; then
266
			INTIF="$interfacesList"
266
			INTIF="$interfacesList"
267
		else
267
		else
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
			if [ "$Lang" == 'fr' ]
270
			if [ "$Lang" == 'fr' ]
271
				then echo 'Liste des interfaces disponible :'
271
				then echo 'Liste des interfaces disponible :'
272
				else echo 'List of available interfaces:'
272
				else echo 'List of available interfaces:'
273
			fi
273
			fi
274
			echo "$interfacesSorted"
274
			echo "$interfacesSorted"
275
			response=''
275
			response=''
276
			while true; do
276
			while true; do
277
				if [ "$Lang" == 'fr' ]
277
				if [ "$Lang" == 'fr' ]
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
280
				fi
280
				fi
281
				read response
281
				read response
282
 
282
 
283
				[ -z "$response" ] && response="$interfacePreferred"
283
				[ -z "$response" ] && response="$interfacePreferred"
284
 
284
 
285
				# Check if interface exist
285
				# Check if interface exist
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
287
					INTIF="$response"
287
					INTIF="$response"
288
					break
288
					break
289
				else
289
				else
290
					if [ "$Lang" == 'fr' ]
290
					if [ "$Lang" == 'fr' ]
291
						then echo "Interface \"$response\" introuvable"
291
						then echo "Interface \"$response\" introuvable"
292
						else echo "Interface \"$response\" not found"
292
						else echo "Interface \"$response\" not found"
293
					fi
293
					fi
294
				fi
294
				fi
295
			done
295
			done
296
		fi
296
		fi
297
	fi
297
	fi
298
	if [ "$Lang" == 'fr' ]
298
	if [ "$Lang" == 'fr' ]
299
		then echo "Interface interne utilisée : $INTIF"
299
		then echo "Interface interne utilisée : $INTIF"
300
		else echo "Internal interface used: $INTIF"
300
		else echo "Internal interface used: $INTIF"
301
	fi
301
	fi
302
 
302
 
303
	if [ $Lang == "fr" ]
303
	if [ $Lang == "fr" ]
304
		then echo -n "Tests des paramètres réseau : "
304
		then echo -n "Tests des paramètres réseau : "
305
		else echo -n "Network parameters tests: "
305
		else echo -n "Network parameters tests: "
306
	fi
306
	fi
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
	for i in $IF_INTERFACES
310
	for i in $IF_INTERFACES
311
	do
311
	do
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
313
			rm -f ifcfg-$i
313
			rm -f ifcfg-$i
314
 
314
 
315
			if [ $Lang == "fr" ]
315
			if [ $Lang == "fr" ]
316
				then echo "Suppression : ifcfg-$i"
316
				then echo "Suppression : ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
318
			fi
318
			fi
319
		fi
319
		fi
320
	done
320
	done
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
322
	echo -n "."
322
	echo -n "."
323
# Test Ethernet NIC links state
323
# Test Ethernet NIC links state
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
	if [ ! -z "$interfacesDown" ]; then
325
	if [ ! -z "$interfacesDown" ]; then
326
		for i in $interfacesDown; do
326
		for i in $interfacesDown; do
327
			if [ $Lang == "fr" ]
327
			if [ $Lang == "fr" ]
328
			then
328
			then
329
				echo -e "\nÉchec"
329
				echo -e "\nÉchec"
330
				echo "Le lien réseau de la carte $i n'est pas actif."
330
				echo "Le lien réseau de la carte $i n'est pas actif."
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
332
			else
332
			else
333
				echo -e "\nFailed"
333
				echo -e "\nFailed"
334
				echo "The link state of $i interface is down."
334
				echo "The link state of $i interface is down."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
336
			fi
336
			fi
337
		done
337
		done
338
		exit 1
338
		exit 1
339
	fi
339
	fi
340
	echo -n "."
340
	echo -n "."
341
# Test EXTIF config files
341
# Test EXTIF config files
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
346
	then
346
	then
347
		if [ $Lang == "fr" ]
347
		if [ $Lang == "fr" ]
348
		then
348
		then
349
			echo -e "\nÉchec"
349
			echo -e "\nÉchec"
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
352
			echo "Appliquez les changements : 'systemctl restart network'"
352
			echo "Appliquez les changements : 'systemctl restart network'"
353
		else
353
		else
354
			echo -e "\nFailed"
354
			echo -e "\nFailed"
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
357
			echo "Apply the new configuration: 'systemctl restart network'"
357
			echo "Apply the new configuration: 'systemctl restart network'"
358
		fi
358
		fi
359
		echo "DEVICE=$EXTIF"
359
		echo "DEVICE=$EXTIF"
360
		echo "IPADDR="
360
		echo "IPADDR="
361
		echo "NETMASK="
361
		echo "NETMASK="
362
		echo "GATEWAY="
362
		echo "GATEWAY="
363
		echo "DNS1="
363
		echo "DNS1="
364
		echo "DNS2="
364
		echo "DNS2="
365
		echo "ONBOOT=yes"
365
		echo "ONBOOT=yes"
366
		exit 1
366
		exit 1
367
	fi
367
	fi
368
	echo -n "."
368
	echo -n "."
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
371
		if [ $Lang == "fr" ]
371
		if [ $Lang == "fr" ]
372
		then
372
		then
373
			echo -e "\nÉchec"
373
			echo -e "\nÉchec"
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
			echo "Réglez ce problème puis relancez ce script."
375
			echo "Réglez ce problème puis relancez ce script."
376
		else
376
		else
377
			echo -e "\nFailed"
377
			echo -e "\nFailed"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
379
			echo "Resolv this problem, then restart this script."
379
			echo "Resolv this problem, then restart this script."
380
		fi
380
		fi
381
		exit 1
381
		exit 1
382
	fi
382
	fi
383
	echo -n "."
383
	echo -n "."
384
# Test if default GW is alive
384
# Test if default GW is alive
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
	if [ "$(expr $arp_reply)" -eq 0 ]
386
	if [ "$(expr $arp_reply)" -eq 0 ]
387
		then
387
		then
388
		if [ $Lang == "fr" ]
388
		if [ $Lang == "fr" ]
389
		then
389
		then
390
			echo -e "\nÉchec"
390
			echo -e "\nÉchec"
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
392
			echo "Réglez ce problème puis relancez ce script."
392
			echo "Réglez ce problème puis relancez ce script."
393
		else
393
		else
394
			echo -e "\nFailed"
394
			echo -e "\nFailed"
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
396
			echo "Resolv this problem, then restart this script."
396
			echo "Resolv this problem, then restart this script."
397
		fi
397
		fi
398
		exit 1
398
		exit 1
399
	fi
399
	fi
400
	echo -n "."
400
	echo -n "."
401
# Test Internet connectivity
401
# Test Internet connectivity
402
	domainTested='www.google.com'
402
	domainTested='www.google.com'
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
404
	if [ $? -ne 0 ]; then
404
	if [ $? -ne 0 ]; then
405
		if [ $Lang == "fr" ]
405
		if [ $Lang == "fr" ]
406
		then
406
		then
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
409
			echo "Vérifiez la validité des adresses IP des DNS."
409
			echo "Vérifiez la validité des adresses IP des DNS."
410
		else
410
		else
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
413
			echo "Verify the DNS IP addresses"
413
			echo "Verify the DNS IP addresses"
414
		fi
414
		fi
415
		exit 1
415
		exit 1
416
	fi
416
	fi
417
	echo ". : ok"
417
	echo ". : ok"
418
} # End of testing()
418
} # End of testing()
419
 
419
 
420
#######################################################################
420
#######################################################################
421
##                    Function "init"                                ##
421
##                    Function "init"                                ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
424
#######################################################################
424
#######################################################################
425
init()
425
init()
426
{
426
{
427
	if [ "$mode" != "update" ]
427
	if [ "$mode" != "update" ]
428
	then
428
	then
429
# On affecte le nom d'organisme
429
# On affecte le nom d'organisme
430
		header_install
430
		header_install
431
		ORGANISME=!
431
		ORGANISME=!
432
		PTN='^[a-zA-Z0-9-]*$'
432
		PTN='^[a-zA-Z0-9-]*$'
433
		until [[ "$ORGANISME" =~ $PTN ]]
433
		until [[ "$ORGANISME" =~ $PTN ]]
434
		do
434
		do
435
			if [ $Lang == "fr" ]
435
			if [ $Lang == "fr" ]
436
				then echo -n "Entrez le nom de votre organisme : "
436
				then echo -n "Entrez le nom de votre organisme : "
437
				else echo -n "Enter the name of your organism : "
437
				else echo -n "Enter the name of your organism : "
438
			fi
438
			fi
439
			read ORGANISME
439
			read ORGANISME
440
			if [ "$ORGANISME" == "" ]
440
			if [ "$ORGANISME" == "" ]
441
			then
441
			then
442
				ORGANISME=!
442
				ORGANISME=!
443
			fi
443
			fi
444
		done
444
		done
445
	fi
445
	fi
446
# On crée aléatoirement les mots de passe et les secrets partagés
446
# On crée aléatoirement les mots de passe et les secrets partagés
447
# We create random passwords and shared secrets
447
# We create random passwords and shared secrets
448
	rm -f $PASSWD_FILE
448
	rm -f $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
		grep -v '[eE]nter password:' | \
453
		grep -v '[eE]nter password:' | \
454
		sed -e "s/PBKDF2 hash of your password is //"`
454
		sed -e "s/PBKDF2 hash of your password is //"`
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
	chmod 0600 /boot/grub2/user.cfg
458
	chmod 0600 /boot/grub2/user.cfg
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
476
#  copy scripts in in /usr/local/bin
476
#  copy scripts in in /usr/local/bin
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
478
#  copy conf files in /usr/local/etc
478
#  copy conf files in /usr/local/etc
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
481
# generate central conf file
481
# generate central conf file
482
	cat <<EOF > $CONF_FILE
482
	cat <<EOF > $CONF_FILE
483
##########################################
483
##########################################
484
##                                      ##
484
##                                      ##
485
##          ALCASAR Parameters          ##
485
##          ALCASAR Parameters          ##
486
##                                      ##
486
##                                      ##
487
##########################################
487
##########################################
488
 
488
 
489
INSTALL_DATE=$DATE
489
INSTALL_DATE=$DATE
490
VERSION=$VERSION
490
VERSION=$VERSION
491
ORGANISM=$ORGANISME
491
ORGANISM=$ORGANISME
492
EOF
492
EOF
493
	chmod o-rwx $CONF_FILE
493
	chmod o-rwx $CONF_FILE
494
} # End of init()
494
} # End of init()
495
 
495
 
496
#########################################################
496
#########################################################
497
##                    Function "network"               ##
497
##                    Function "network"               ##
498
## - Define the several network address                ##
498
## - Define the several network address                ##
499
## - Define the DNS naming                             ##
499
## - Define the DNS naming                             ##
500
## - INTIF parameters (consultation network)           ##
500
## - INTIF parameters (consultation network)           ##
501
## - Write "/etc/hosts" file                           ##
501
## - Write "/etc/hosts" file                           ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
503
#########################################################
503
#########################################################
504
network()
504
network()
505
{
505
{
506
	header_install
506
	header_install
507
	if [ "$mode" != "update" ]
507
	if [ "$mode" != "update" ]
508
		then
508
		then
509
		if [ $Lang == "fr" ]
509
		if [ $Lang == "fr" ]
510
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
510
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
511
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
511
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
512
		fi
512
		fi
513
		response=0
513
		response=0
514
		PTN='^[oOyYnN]?$'
514
		PTN='^[oOyYnN]?$'
515
		until [[ "$response" =~ $PTN ]]
515
		until [[ "$response" =~ $PTN ]]
516
		do
516
		do
517
			if [ $Lang == "fr" ]
517
			if [ $Lang == "fr" ]
518
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
518
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
519
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
519
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
520
			fi
520
			fi
521
			read response
521
			read response
522
		done
522
		done
523
		if [ "$response" = "n" ] || [ "$response" = "N" ]
523
		if [ "$response" = "n" ] || [ "$response" = "N" ]
524
		then
524
		then
525
			PRIVATE_IP_MASK="0"
525
			PRIVATE_IP_MASK="0"
526
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
526
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
527
			until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
527
			until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
528
			do
528
			do
529
				if [ $Lang == "fr" ]
529
				if [ $Lang == "fr" ]
530
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
530
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
531
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
531
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
532
				fi
532
				fi
533
				read PRIVATE_IP_MASK
533
				read PRIVATE_IP_MASK
534
			done
534
			done
535
		else
535
		else
536
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
536
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
537
		fi
537
		fi
538
	else
538
	else
539
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
539
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
540
		rm -f conf/etc/alcasar.conf
540
		rm -f conf/etc/alcasar.conf
541
	fi
541
	fi
542
	header_install
-
 
543
	if [ "$mode" != "update" ]
-
 
544
		then
-
 
545
		if [ $Lang == "fr" ]
-
 
546
			then echo "Par défaut, le nom d'hôte d'ALCASAR est : $HOSTNAME.$DOMAIN"
-
 
547
			else echo "The default ALCASAR hostname is : $HOSTNAME.$DOMAIN"
-
 
548
		fi
-
 
549
		response=0
-
 
550
		PTN='^[oOyYnN]?$'
-
 
551
		until [[ "$response" =~ $PTN ]]
-
 
552
		do
-
 
553
			if [ $Lang == "fr" ]
-
 
554
				then echo -n "Voulez-vous utiliser ce nom d'hôte (recommandé) (O/n)? : "
-
 
555
				else echo -n "Do you want to use this hostname (recommanded) (Y/n)? : "
-
 
556
			fi
-
 
557
			read response
-
 
558
		done
-
 
559
		if [ "$response" = "n" ] || [ "$response" = "N" ]
-
 
560
		then
-
 
561
			if [ $Lang == "fr" ]
-
 
562
				then echo -n "Entrez le nouveau nom d'hôte pleinement qualifié (hôte.domain) : "
-
 
563
				else echo -n "Enter the new full qualified hostname (host.domain) : "
-
 
564
			fi
-
 
565
			read FQDN
-
 
566
			HOSTNAME=`echo $FQDN|cut -d"." -f1`
-
 
567
			DOMAIN=`echo $FQDN|cut -d"." -f2`
-
 
568
		fi
-
 
569
	fi
-
 
570
# Define LAN side global parameters
542
# Define LAN side global parameters
571
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
543
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
572
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
544
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
573
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
545
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
574
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
546
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
575
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
547
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
576
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
548
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
577
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
549
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
578
	then
550
	then
579
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
551
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
580
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
552
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
581
	fi
553
	fi
582
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
554
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
583
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
555
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
584
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
556
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
585
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
557
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
586
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
558
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
587
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
559
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
588
# Define Internet parameters
560
# Define Internet parameters
589
	if [ "$mode" != "update" ]
561
	if [ "$mode" != "update" ]
590
	then
562
	then
591
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
563
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
592
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
564
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
593
	else
565
	else
594
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
566
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
595
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
567
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
596
	fi
568
	fi
597
    DNS1=${DNS1:=208.67.220.220}
569
    DNS1=${DNS1:=208.67.220.220}
598
	DNS2=${DNS2:=208.67.222.222}
570
	DNS2=${DNS2:=208.67.222.222}
599
#	if [ "$DNS1" == "" ]
571
#	if [ "$DNS1" == "" ]
600
#	then
572
#	then
601
#		if [ $Lang == "fr" ]
573
#		if [ $Lang == "fr" ]
602
#		then
574
#		then
603
#			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
575
#			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
604
#			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
576
#			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
605
#		else
577
#		else
606
#			echo "The IP address of DNS servers are not set correctly"
578
#			echo "The IP address of DNS servers are not set correctly"
607
#			echo "Check the extern network card configuration ($EXTIF)"
579
#			echo "Check the extern network card configuration ($EXTIF)"
608
#		fi
580
#		fi
609
#		exit 0
581
#		exit 0
610
#	fi
582
#	fi
611
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
583
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
612
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
584
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
613
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
585
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
614
# Write network parameters in the conf file
586
# Write network parameters in the conf file
615
	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
587
	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
616
	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
588
	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
617
	echo "EXTIF=$EXTIF" >> $CONF_FILE
589
	echo "EXTIF=$EXTIF" >> $CONF_FILE
618
	echo "INTIF=$INTIF" >> $CONF_FILE
590
	echo "INTIF=$INTIF" >> $CONF_FILE
619
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
591
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
620
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
592
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
621
	for i in $INTERFACES
593
	for i in $INTERFACES
622
	do
594
	do
623
		SUB=`echo ${i:0:2}`
595
		SUB=`echo ${i:0:2}`
624
		if [ $SUB = "wl" ]
596
		if [ $SUB = "wl" ]
625
			then WIFIF=$i
597
			then WIFIF=$i
626
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
598
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
627
			then LANIF=$i
599
			then LANIF=$i
628
		fi
600
		fi
629
	done
601
	done
630
	if [ -n "$WIFIF" ]
602
	if [ -n "$WIFIF" ]
631
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
603
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
632
	elif [ -n "$LANIF" ]
604
	elif [ -n "$LANIF" ]
633
		then echo "LANIF=$LANIF" >> $CONF_FILE
605
		then echo "LANIF=$LANIF" >> $CONF_FILE
634
	fi
606
	fi
635
	#########################################################################################################
607
	#########################################################################################################
636
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
608
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
637
	if [ $IP_SETTING == "dhcp" ]
609
	if [ $IP_SETTING == "dhcp" ]
638
	then
610
	then
639
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
611
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
640
		echo "GW=dhcp" >> $CONF_FILE
612
		echo "GW=dhcp" >> $CONF_FILE
641
	else
613
	else
642
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
614
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
643
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
615
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
644
	fi
616
	fi
645
	echo "DNS1=$DNS1" >> $CONF_FILE
617
	echo "DNS1=$DNS1" >> $CONF_FILE
646
	echo "DNS2=$DNS2" >> $CONF_FILE
618
	echo "DNS2=$DNS2" >> $CONF_FILE
647
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
619
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
648
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
620
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
649
	echo "DHCP=on" >> $CONF_FILE
621
	echo "DHCP=on" >> $CONF_FILE
650
	echo "EXT_DHCP_IP=" >> $CONF_FILE
622
	echo "EXT_DHCP_IP=" >> $CONF_FILE
651
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
623
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
652
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
624
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
653
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
625
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
654
	echo "INT_DNS_IP=" >> $CONF_FILE
626
	echo "INT_DNS_IP=" >> $CONF_FILE
655
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
627
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
656
# network default
628
# network default
657
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
629
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
658
	cat <<EOF > /etc/sysconfig/network
630
	cat <<EOF > /etc/sysconfig/network
659
NETWORKING=yes
631
NETWORKING=yes
660
FORWARD_IPV4=true
632
FORWARD_IPV4=true
661
EOF
633
EOF
662
# write "/etc/hosts"
634
# write "/etc/hosts"
663
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
635
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
664
	cat <<EOF > /etc/hosts
636
	cat <<EOF > /etc/hosts
665
127.0.0.1	localhost
637
127.0.0.1	localhost
666
$PRIVATE_IP	$HOSTNAME
638
$PRIVATE_IP	$HOSTNAME
667
EOF
639
EOF
668
# write EXTIF (Internet) config
640
# write EXTIF (Internet) config
669
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
641
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
670
	if [ $IP_SETTING == "dhcp" ]
642
	if [ $IP_SETTING == "dhcp" ]
671
	then
643
	then
672
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
644
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
673
DEVICE=$EXTIF
645
DEVICE=$EXTIF
674
BOOTPROTO=dhcp
646
BOOTPROTO=dhcp
675
DNS1=127.0.0.1
647
DNS1=127.0.0.1
676
PEERDNS=no
648
PEERDNS=no
677
RESOLV_MODS=yes
649
RESOLV_MODS=yes
678
ONBOOT=yes
650
ONBOOT=yes
679
NOZEROCONF=yes
651
NOZEROCONF=yes
680
METRIC=10
652
METRIC=10
681
MII_NOT_SUPPORTED=yes
653
MII_NOT_SUPPORTED=yes
682
IPV6INIT=no
654
IPV6INIT=no
683
IPV6TO4INIT=no
655
IPV6TO4INIT=no
684
ACCOUNTING=no
656
ACCOUNTING=no
685
USERCTL=no
657
USERCTL=no
686
MTU=$MTU
658
MTU=$MTU
687
EOF
659
EOF
688
	else
660
	else
689
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
661
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
690
DEVICE=$EXTIF
662
DEVICE=$EXTIF
691
BOOTPROTO=static
663
BOOTPROTO=static
692
IPADDR=$PUBLIC_IP
664
IPADDR=$PUBLIC_IP
693
NETMASK=$PUBLIC_NETMASK
665
NETMASK=$PUBLIC_NETMASK
694
GATEWAY=$PUBLIC_GATEWAY
666
GATEWAY=$PUBLIC_GATEWAY
695
DNS1=127.0.0.1
667
DNS1=127.0.0.1
696
RESOLV_MODS=yes
668
RESOLV_MODS=yes
697
ONBOOT=yes
669
ONBOOT=yes
698
METRIC=10
670
METRIC=10
699
NOZEROCONF=yes
671
NOZEROCONF=yes
700
MII_NOT_SUPPORTED=yes
672
MII_NOT_SUPPORTED=yes
701
IPV6INIT=no
673
IPV6INIT=no
702
IPV6TO4INIT=no
674
IPV6TO4INIT=no
703
ACCOUNTING=no
675
ACCOUNTING=no
704
USERCTL=no
676
USERCTL=no
705
MTU=$MTU
677
MTU=$MTU
706
EOF
678
EOF
707
	fi
679
	fi
708
# write INTIF (consultation LAN) in normal mode
680
# write INTIF (consultation LAN) in normal mode
709
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
681
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
710
DEVICE=$INTIF
682
DEVICE=$INTIF
711
BOOTPROTO=static
683
BOOTPROTO=static
712
ONBOOT=yes
684
ONBOOT=yes
713
NOZEROCONF=yes
685
NOZEROCONF=yes
714
MII_NOT_SUPPORTED=yes
686
MII_NOT_SUPPORTED=yes
715
IPV6INIT=no
687
IPV6INIT=no
716
IPV6TO4INIT=no
688
IPV6TO4INIT=no
717
ACCOUNTING=no
689
ACCOUNTING=no
718
USERCTL=no
690
USERCTL=no
719
EOF
691
EOF
720
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
692
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
721
# write INTIF in bypass mode (see "alcasar-bypass.sh")
693
# write INTIF in bypass mode (see "alcasar-bypass.sh")
722
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
694
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
723
DEVICE=$INTIF
695
DEVICE=$INTIF
724
BOOTPROTO=static
696
BOOTPROTO=static
725
IPADDR=$PRIVATE_IP
697
IPADDR=$PRIVATE_IP
726
NETMASK=$PRIVATE_NETMASK
698
NETMASK=$PRIVATE_NETMASK
727
ONBOOT=yes
699
ONBOOT=yes
728
METRIC=10
700
METRIC=10
729
NOZEROCONF=yes
701
NOZEROCONF=yes
730
MII_NOT_SUPPORTED=yes
702
MII_NOT_SUPPORTED=yes
731
IPV6INIT=no
703
IPV6INIT=no
732
IPV6TO4INIT=no
704
IPV6TO4INIT=no
733
ACCOUNTING=no
705
ACCOUNTING=no
734
USERCTL=no
706
USERCTL=no
735
EOF
707
EOF
736
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
708
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
737
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
709
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
738
	then
710
	then
739
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
711
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
740
DEVICE=$WIFIF
712
DEVICE=$WIFIF
741
BOOTPROTO=static
713
BOOTPROTO=static
742
ONBOOT=yes
714
ONBOOT=yes
743
NOZEROCONF=yes
715
NOZEROCONF=yes
744
MII_NOT_SUPPORTED=yes
716
MII_NOT_SUPPORTED=yes
745
IPV6INIT=no
717
IPV6INIT=no
746
IPV6TO4INIT=no
718
IPV6TO4INIT=no
747
ACCOUNTING=no
719
ACCOUNTING=no
748
USERCTL=no
720
USERCTL=no
749
EOF
721
EOF
750
	elif [ -n "$LANIF" ]
722
	elif [ -n "$LANIF" ]
751
	then
723
	then
752
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
724
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
753
DEVICE=$LANIF
725
DEVICE=$LANIF
754
BOOTPROTO=static
726
BOOTPROTO=static
755
ONBOOT=yes
727
ONBOOT=yes
756
NOZEROCONF=yes
728
NOZEROCONF=yes
757
MII_NOT_SUPPORTED=yes
729
MII_NOT_SUPPORTED=yes
758
IPV6INIT=no
730
IPV6INIT=no
759
IPV6TO4INIT=no
731
IPV6TO4INIT=no
760
ACCOUNTING=no
732
ACCOUNTING=no
761
USERCTL=no
733
USERCTL=no
762
EOF
734
EOF
763
	fi
735
	fi
764
	#########################################################################################################
736
	#########################################################################################################
765
# write hosts.allow & hosts.deny
737
# write hosts.allow & hosts.deny
766
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
738
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
767
	cat <<EOF > /etc/hosts.allow
739
	cat <<EOF > /etc/hosts.allow
768
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
740
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
769
sshd: ALL
741
sshd: ALL
770
ntpd: $PRIVATE_NETWORK_SHORT
742
ntpd: $PRIVATE_NETWORK_SHORT
771
EOF
743
EOF
772
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
744
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
773
	cat <<EOF > /etc/hosts.deny
745
	cat <<EOF > /etc/hosts.deny
774
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
746
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
775
EOF
747
EOF
776
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
748
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
777
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
749
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
778
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
750
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
779
# load conntrack ftp module
751
# load conntrack ftp module
780
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
752
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
781
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
753
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
782
# load ipt_NETFLOW module
754
# load ipt_NETFLOW module
783
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
755
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
784
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
756
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
785
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
757
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
786
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
758
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
787
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
759
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
788
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
760
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
789
#
761
#
790
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
762
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
791
} # End of network()
763
} # End of network()
792
 
764
 
-
 
765
##################################################################
-
 
766
##                      Fonction "CA"                           ##
-
 
767
## - Creating the CA and the server certificate (lighttpd)      ##
-
 
768
##################################################################
-
 
769
CA()
-
 
770
{
-
 
771
	$DIR_DEST_BIN/alcasar-CA.sh
-
 
772
	chown -R root:apache /etc/pki
-
 
773
	chmod -R 750 /etc/pki
-
 
774
} # End of CA()
-
 
775
 
793
###################################################
776
###################################################
794
##                  Function "ACC"               ##
777
##                  Function "ACC"               ##
795
## - copy ALCASAR Control Center (ACC) files     ##
778
## - copy ALCASAR Control Center (ACC) files     ##
796
## - configuration of the web server (Lighttpd)  ##
779
## - configuration of the web server (Lighttpd)  ##
797
## - creation of the first ACC admin account     ##
780
## - creation of the first ACC admin account     ##
798
## - secure the ACC access                       ##
781
## - secure the ACC access                       ##
799
###################################################
782
###################################################
800
ACC()
783
ACC()
801
{
784
{
802
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
785
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
803
	mkdir $DIR_WEB
786
	mkdir $DIR_WEB
804
# Copy & adapt ACC files
787
# Copy & adapt ACC files
805
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
788
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
806
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
789
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
807
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
790
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
808
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
791
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
809
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
792
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
810
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
793
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
811
	chown -R apache:apache $DIR_WEB/*
794
	chown -R apache:apache $DIR_WEB/*
812
# copy & adapt "freeradius-web" files
795
# copy & adapt "freeradius-web" files
813
	cp -rf $DIR_CONF/freeradius-web/ /etc/
796
	cp -rf $DIR_CONF/freeradius-web/ /etc/
814
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
797
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
815
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
798
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
816
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
799
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
817
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
800
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
818
	cat <<EOF > /etc/freeradius-web/naslist.conf
801
	cat <<EOF > /etc/freeradius-web/naslist.conf
819
nas1_name: alcasar-$ORGANISME
802
nas1_name: alcasar-$ORGANISME
820
nas1_model: Network Access Controler
803
nas1_model: Network Access Controler
821
nas1_ip: $PRIVATE_IP
804
nas1_ip: $PRIVATE_IP
822
nas1_port_num: 0
805
nas1_port_num: 0
823
nas1_community: public
806
nas1_community: public
824
EOF
807
EOF
825
	chown -R apache:apache /etc/freeradius-web/
808
	chown -R apache:apache /etc/freeradius-web/
826
# create the log & backup structure :
809
# create the log & backup structure :
827
# - base = users database
810
# - base = users database
828
# - archive = tarball of "base + http firewall + netflow"
811
# - archive = tarball of "base + http firewall + netflow"
829
# - security = watchdog log
812
# - security = watchdog log
830
	for i in base archive security activity_report;
813
	for i in base archive security activity_report;
831
	do
814
	do
832
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
815
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
833
	done
816
	done
834
	chown -R root:apache $DIR_SAVE
817
	chown -R root:apache $DIR_SAVE
835
# Configuring & securing php
818
# Configuring & securing php
836
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
819
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
837
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
820
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
838
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
821
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
839
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
822
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
840
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
823
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
841
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
824
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
842
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
825
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
843
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
826
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
844
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
827
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
845
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
828
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
846
# Configuring & securing Lighttpd
829
# Configuring & securing Lighttpd
847
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
830
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
848
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
831
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
849
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
832
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
850
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
833
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
851
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
834
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
852
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
835
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
853
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
836
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
854
 
837
 
855
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
838
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
856
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
839
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
857
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
840
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
858
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
841
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
859
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
842
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
860
 
843
 
861
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
844
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
862
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
845
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
863
 
846
 
864
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
847
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
865
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
848
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
866
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
849
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
867
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
850
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
868
 
851
 
869
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
852
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
870
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
853
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
871
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
854
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
872
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
855
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
873
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
856
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
874
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
857
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
875
	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
858
	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
876
 
859
 
877
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
860
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
878
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
861
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
879
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
862
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
880
 
863
 
881
	chown -R apache:apache /var/log/lighttpd
864
	chown -R apache:apache /var/log/lighttpd
882
#	/usr/bin/systemctl start lighttpd
865
#	/usr/bin/systemctl start lighttpd
883
#	/usr/bin/systemctl start php-fpm
866
#	/usr/bin/systemctl start php-fpm
884
 
867
 
885
# Creation of the first account (in 'admin' profile)
868
# Creation of the first account (in 'admin' profile)
886
	if [ "$mode" = "install" ]
869
	if [ "$mode" = "install" ]
887
	then
870
	then
888
		header_install
871
		header_install
889
# Creation of keys file for the admin account ("admin")
872
# Creation of keys file for the admin account ("admin")
890
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
873
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
891
		mkdir -p $DIR_DEST_ETC/digest
874
		mkdir -p $DIR_DEST_ETC/digest
892
		chmod 755 $DIR_DEST_ETC/digest
875
		chmod 755 $DIR_DEST_ETC/digest
893
		if [ $Lang == "fr" ]
876
		if [ $Lang == "fr" ]
894
			then echo "Création du premier compte administrateur : "
877
			then echo "Création du premier compte administrateur : "
895
			else echo "Creation of the first admin account : "
878
			else echo "Creation of the first admin account : "
896
		fi
879
		fi
897
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
880
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
898
		do
881
		do
899
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
882
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
900
		done
883
		done
901
	fi
884
	fi
902
 
885
 
903
	# Run lighttpd after coova (in order waiting tun0 to be up)
886
	# Run lighttpd after coova (in order waiting tun0 to be up)
904
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
887
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
905
	# Log file for ACC access imputability
888
	# Log file for ACC access imputability
906
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
889
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
907
	chown root:apache /var/Save/security/acc_access.log
890
	chown root:apache /var/Save/security/acc_access.log
908
	chmod 664 /var/Save/security/acc_access.log
891
	chmod 664 /var/Save/security/acc_access.log
909
} # End of ACC()
892
} # End of ACC()
910
 
893
 
911
##################################################################
-
 
912
##                      Fonction "CA"                           ##
-
 
913
## - Creating the CA and the server certificate (lighttpd)      ##
-
 
914
##################################################################
-
 
915
CA()
-
 
916
{
-
 
917
	$DIR_DEST_BIN/alcasar-CA.sh
-
 
918
	chown -R root:apache /etc/pki
-
 
919
	chmod -R 750 /etc/pki
-
 
920
} # End of CA()
-
 
921
 
-
 
922
#############################################################
894
#############################################################
923
##               Function "time_server"                    ##
895
##               Function "time_server"                    ##
924
## - Configuring NTP server                                ##
896
## - Configuring NTP server                                ##
925
#############################################################
897
#############################################################
926
time_server()
898
time_server()
927
{
899
{
928
# Set the Internet time server
900
# Set the Internet time server
929
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
901
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
930
	cat <<EOF > /etc/ntp/step-tickers
902
	cat <<EOF > /etc/ntp/step-tickers
931
0.fr.pool.ntp.org	# adapt to your country
903
0.fr.pool.ntp.org	# adapt to your country
932
1.fr.pool.ntp.org
904
1.fr.pool.ntp.org
933
2.fr.pool.ntp.org
905
2.fr.pool.ntp.org
934
EOF
906
EOF
935
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
907
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
936
	cat <<EOF > /etc/ntp.conf
908
	cat <<EOF > /etc/ntp.conf
937
server 0.fr.pool.ntp.org	# adapt to your country
909
server 0.fr.pool.ntp.org	# adapt to your country
938
server 1.fr.pool.ntp.org
910
server 1.fr.pool.ntp.org
939
server 2.fr.pool.ntp.org
911
server 2.fr.pool.ntp.org
940
server 127.127.1.0   		# local clock si NTP internet indisponible ...
912
server 127.127.1.0   		# local clock si NTP internet indisponible ...
941
fudge 127.127.1.0 stratum 10
913
fudge 127.127.1.0 stratum 10
942
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
914
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
943
restrict 127.0.0.1
915
restrict 127.0.0.1
944
driftfile /var/lib/ntp/drift
916
driftfile /var/lib/ntp/drift
945
logfile /var/log/ntp.log
917
logfile /var/log/ntp.log
946
disable monitor
918
disable monitor
947
EOF
919
EOF
948
	chown -R ntp:ntp /var/lib/ntp
920
	chown -R ntp:ntp /var/lib/ntp
949
# Synchronize now
921
# Synchronize now
950
	ntpd -4 -q -g &
922
	ntpd -4 -q -g &
951
} # End of time_server()
923
} # End of time_server()
952
 
924
 
953
#####################################################################
925
#####################################################################
954
##                     Function "init_db"                          ##
926
##                     Function "init_db"                          ##
955
## - Mysql initialization                                          ##
927
## - Mysql initialization                                          ##
956
## - Set admin (root) password                                     ##
928
## - Set admin (root) password                                     ##
957
## - Remove unused users & databases                               ##
929
## - Remove unused users & databases                               ##
958
## - Radius database creation                                      ##
930
## - Radius database creation                                      ##
959
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
931
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
960
#####################################################################
932
#####################################################################
961
init_db()
933
init_db()
962
{
934
{
963
	if [ "`systemctl is-active mysqld`" == "active" ]
935
	if [ "`systemctl is-active mysqld`" == "active" ]
964
	then
936
	then
965
		systemctl stop mysqld
937
		systemctl stop mysqld
966
	fi
938
	fi
967
	rm -rf /var/lib/mysql # to be sure that there is no former installation
939
	rm -rf /var/lib/mysql # to be sure that there is no former installation
968
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
940
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
969
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
941
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
970
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
942
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
971
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
943
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
972
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
944
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
973
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
945
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
974
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
946
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
975
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
947
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
976
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
948
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
977
	/usr/bin/systemctl start mysqld
949
	/usr/bin/systemctl start mysqld
978
	nb_round=1
950
	nb_round=1
979
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
951
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
980
	do
952
	do
981
		nb_round=`expr $nb_round + 1`
953
		nb_round=`expr $nb_round + 1`
982
		sleep 2
954
		sleep 2
983
	done
955
	done
984
	if [ ! -S /var/lib/mysql/mysql.sock ]
956
	if [ ! -S /var/lib/mysql/mysql.sock ]
985
	then
957
	then
986
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
958
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
987
		exit
959
		exit
988
	fi
960
	fi
989
# Secure the server
961
# Secure the server
990
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
962
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
991
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
963
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
992
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
964
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
993
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
965
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
994
# Create 'radius' database
966
# Create 'radius' database
995
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
967
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
996
# Add an empty radius database structure
968
# Add an empty radius database structure
997
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
969
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
998
# modify the start script in order to close accounting connexion when the system is comming down or up
970
# modify the start script in order to close accounting connexion when the system is comming down or up
999
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
971
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1000
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
972
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
1001
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
973
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1002
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
974
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
1003
	/usr/bin/systemctl daemon-reload
975
	/usr/bin/systemctl daemon-reload
1004
} # End of init_db()
976
} # End of init_db()
1005
 
977
 
1006
###################################################################
978
###################################################################
1007
##                       Function "freeradius"                   ##
979
##                       Function "freeradius"                   ##
1008
## - Set the configuration files                                 ##
980
## - Set the configuration files                                 ##
1009
## - Set the shared secret between coova-chilli and freeradius   ##
981
## - Set the shared secret between coova-chilli and freeradius   ##
1010
## - Adapt the Mysql conf file and counters                      ##
982
## - Adapt the Mysql conf file and counters                      ##
1011
###################################################################
983
###################################################################
1012
freeradius()
984
freeradius()
1013
{
985
{
1014
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
986
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1015
	chown -R radius:radius /etc/raddb
987
	chown -R radius:radius /etc/raddb
1016
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
988
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1017
# Set radius global parameters (radius.conf)
989
# Set radius global parameters (radius.conf)
1018
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
990
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
1019
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
991
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1020
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
992
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1021
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
993
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
1022
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
994
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
1023
# Add ALCASAR & Coovachilli dictionaries
995
# Add ALCASAR & Coovachilli dictionaries
1024
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
996
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
1025
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
997
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
1026
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
998
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
1027
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
999
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
1028
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
1000
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
1029
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1001
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1030
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1002
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1031
	cat << EOF > /etc/raddb/clients.conf
1003
	cat << EOF > /etc/raddb/clients.conf
1032
client localhost {
1004
client localhost {
1033
	ipaddr = 127.0.0.1
1005
	ipaddr = 127.0.0.1
1034
	secret = $secretradius
1006
	secret = $secretradius
1035
	shortname = chilli
1007
	shortname = chilli
1036
	nas_type = other
1008
	nas_type = other
1037
}
1009
}
1038
EOF
1010
EOF
1039
# Set Virtual server
1011
# Set Virtual server
1040
    # Remvoveing all except "alcasar virtual site")
1012
    # Remvoveing all except "alcasar virtual site")
1041
	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1013
	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1042
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1014
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1043
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1015
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1044
	chown radius:apache /etc/raddb/sites-available/alcasar*
1016
	chown radius:apache /etc/raddb/sites-available/alcasar*
1045
	chmod 660 /etc/raddb/sites-available/alcasar*
1017
	chmod 660 /etc/raddb/sites-available/alcasar*
1046
	rm -f /etc/raddb/sites-enabled/*
1018
	rm -f /etc/raddb/sites-enabled/*
1047
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1019
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1048
# Set modules
1020
# Set modules
1049
	# Add custom LDAP "available module"
1021
	# Add custom LDAP "available module"
1050
	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1022
	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1051
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1023
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1052
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1024
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1053
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1025
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1054
	rm -rf  /etc/raddb/mods-enabled/*
1026
	rm -rf  /etc/raddb/mods-enabled/*
1055
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1027
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1056
	do
1028
	do
1057
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1029
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1058
	done
1030
	done
1059
# Configure SQL module
1031
# Configure SQL module
1060
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1032
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1061
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1062
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1063
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1035
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1064
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1036
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1065
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1037
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1066
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1038
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1067
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1039
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1068
	# no TLS encryption on 127.0.0.1
1040
	# no TLS encryption on 127.0.0.1
1069
	$SED "s?^[\t] ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1041
	$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1070
	$SED "s?^[\t] ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1042
	$SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1071
	$SED "s?^[\t] ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1043
	$SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1072
	$SED "s?^[\t] ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1044
	$SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1073
	$SED "s?^[\t] ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1045
	$SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1074
	$SED "s?^[\t] ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1046
	$SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1075
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1047
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1076
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1048
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1077
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1049
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1078
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1050
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1079
# sqlcounter modifications
1051
# sqlcounter modifications
1080
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1052
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1081
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1053
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1082
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1054
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1083
# make certain that mysql is up before freeradius start
1055
# make certain that mysql is up before freeradius start
1084
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1056
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1085
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1057
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1086
	/usr/bin/systemctl daemon-reload
1058
	/usr/bin/systemctl daemon-reload
1087
# Allow apache to change some conf files (ie : ldap on/off)
1059
# Allow apache to change some conf files (ie : ldap on/off)
1088
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1060
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1089
} # End of freeradius()
1061
} # End of freeradius()
1090
 
1062
 
1091
#############################################################################
1063
#############################################################################
1092
##                           Function "chilli"                             ##
1064
##                           Function "chilli"                             ##
1093
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1065
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1094
## - Adapt the authentication web page (intercept.php)                     ##
1066
## - Adapt the authentication web page (intercept.php)                     ##
1095
#############################################################################
1067
#############################################################################
1096
chilli()
1068
chilli()
1097
{
1069
{
1098
# chilli unit for systemd
1070
# chilli unit for systemd
1099
	cat << EOF > /lib/systemd/system/chilli.service
1071
	cat << EOF > /lib/systemd/system/chilli.service
1100
#  This file is part of systemd.
1072
#  This file is part of systemd.
1101
#
1073
#
1102
#  systemd is free software; you can redistribute it and/or modify it
1074
#  systemd is free software; you can redistribute it and/or modify it
1103
#  under the terms of the GNU General Public License as published by
1075
#  under the terms of the GNU General Public License as published by
1104
#  the Free Software Foundation; either version 2 of the License, or
1076
#  the Free Software Foundation; either version 2 of the License, or
1105
#  (at your option) any later version.
1077
#  (at your option) any later version.
1106
[Unit]
1078
[Unit]
1107
Description=chilli is a captive portal daemon
1079
Description=chilli is a captive portal daemon
1108
After=network.target
1080
After=network.target
1109
 
1081
 
1110
[Service]
1082
[Service]
1111
Type=forking
1083
Type=forking
1112
ExecStart=/usr/libexec/chilli start
1084
ExecStart=/usr/libexec/chilli start
1113
ExecStop=/usr/libexec/chilli stop
1085
ExecStop=/usr/libexec/chilli stop
1114
ExecReload=/usr/libexec/chilli reload
1086
ExecReload=/usr/libexec/chilli reload
1115
PIDFile=/var/run/chilli.pid
1087
PIDFile=/var/run/chilli.pid
1116
 
1088
 
1117
[Install]
1089
[Install]
1118
WantedBy=multi-user.target
1090
WantedBy=multi-user.target
1119
EOF
1091
EOF
1120
# init file creation
1092
# init file creation
1121
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1093
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1122
	cat <<EOF > /etc/init.d/chilli
1094
	cat <<EOF > /etc/init.d/chilli
1123
#!/bin/sh
1095
#!/bin/sh
1124
#
1096
#
1125
# chilli CoovaChilli init
1097
# chilli CoovaChilli init
1126
#
1098
#
1127
# chkconfig: 2345 65 35
1099
# chkconfig: 2345 65 35
1128
# description: CoovaChilli
1100
# description: CoovaChilli
1129
### BEGIN INIT INFO
1101
### BEGIN INIT INFO
1130
# Provides:       chilli
1102
# Provides:       chilli
1131
# Required-Start: network
1103
# Required-Start: network
1132
# Should-Start:
1104
# Should-Start:
1133
# Required-Stop:  network
1105
# Required-Stop:  network
1134
# Should-Stop:
1106
# Should-Stop:
1135
# Default-Start:  2 3 5
1107
# Default-Start:  2 3 5
1136
# Default-Stop:
1108
# Default-Stop:
1137
# Description:    CoovaChilli access controller
1109
# Description:    CoovaChilli access controller
1138
### END INIT INFO
1110
### END INIT INFO
1139
 
1111
 
1140
[ -f /usr/sbin/chilli ] || exit 0
1112
[ -f /usr/sbin/chilli ] || exit 0
1141
. /etc/init.d/functions
1113
. /etc/init.d/functions
1142
CONFIG=/etc/chilli.conf
1114
CONFIG=/etc/chilli.conf
1143
pidfile=/var/run/chilli.pid
1115
pidfile=/var/run/chilli.pid
1144
[ -f \$CONFIG ] || {
1116
[ -f \$CONFIG ] || {
1145
	echo "\$CONFIG Not found"
1117
	echo "\$CONFIG Not found"
1146
	exit 0
1118
	exit 0
1147
}
1119
}
1148
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1120
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1149
RETVAL=0
1121
RETVAL=0
1150
prog="chilli"
1122
prog="chilli"
1151
case \$1 in
1123
case \$1 in
1152
	start)
1124
	start)
1153
		if [ -f \$pidfile ] ; then
1125
		if [ -f \$pidfile ] ; then
1154
			gprintf "chilli is already running"
1126
			gprintf "chilli is already running"
1155
		else
1127
		else
1156
			gprintf "Starting \$prog: "
1128
			gprintf "Starting \$prog: "
1157
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1129
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1158
			rm -f /var/run/chilli* # cleaning
1130
			rm -f /var/run/chilli* # cleaning
1159
			/usr/sbin/modprobe tun >/dev/null 2>&1
1131
			/usr/sbin/modprobe tun >/dev/null 2>&1
1160
			echo 1 > /proc/sys/net/ipv4/ip_forward
1132
			echo 1 > /proc/sys/net/ipv4/ip_forward
1161
			[ -e /dev/net/tun ] || {
1133
			[ -e /dev/net/tun ] || {
1162
				(cd /dev;
1134
				(cd /dev;
1163
				mkdir net;
1135
				mkdir net;
1164
				cd net;
1136
				cd net;
1165
				mknod tun c 10 200)
1137
				mknod tun c 10 200)
1166
			}
1138
			}
1167
			ifconfig $INTIF 0.0.0.0
1139
			ifconfig $INTIF 0.0.0.0
1168
			/usr/sbin/ethtool -K $INTIF gro off
1140
			/usr/sbin/ethtool -K $INTIF gro off
1169
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1141
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1170
			RETVAL=\$?
1142
			RETVAL=\$?
1171
		fi
1143
		fi
1172
		;;
1144
		;;
1173
 
1145
 
1174
	reload)
1146
	reload)
1175
		killall -HUP chilli
1147
		killall -HUP chilli
1176
		;;
1148
		;;
1177
 
1149
 
1178
	restart)
1150
	restart)
1179
		\$0 stop
1151
		\$0 stop
1180
		sleep 2
1152
		sleep 2
1181
		\$0 start
1153
		\$0 start
1182
		;;
1154
		;;
1183
 
1155
 
1184
	status)
1156
	status)
1185
		status chilli
1157
		status chilli
1186
		RETVAL=0
1158
		RETVAL=0
1187
		;;
1159
		;;
1188
 
1160
 
1189
	stop)
1161
	stop)
1190
		if [ -f \$pidfile ] ; then
1162
		if [ -f \$pidfile ] ; then
1191
			gprintf "Shutting down \$prog: "
1163
			gprintf "Shutting down \$prog: "
1192
			killproc /usr/sbin/chilli
1164
			killproc /usr/sbin/chilli
1193
			RETVAL=\$?
1165
			RETVAL=\$?
1194
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1166
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1195
			[ -e \$current_users_file ] && rm -f \$current_users_file
1167
			[ -e \$current_users_file ] && rm -f \$current_users_file
1196
		else
1168
		else
1197
			gprintf "chilli is not running"
1169
			gprintf "chilli is not running"
1198
		fi
1170
		fi
1199
		;;
1171
		;;
1200
 
1172
 
1201
	*)
1173
	*)
1202
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1174
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1203
		exit 1
1175
		exit 1
1204
esac
1176
esac
1205
echo
1177
echo
1206
EOF
1178
EOF
1207
	chmod a+x /etc/init.d/chilli
1179
	chmod a+x /etc/init.d/chilli
1208
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1180
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1209
# conf file creation
1181
# conf file creation
1210
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1182
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1211
	#NTP Option configuration for DHCP
1183
	#NTP Option configuration for DHCP
1212
	#DHCP Options : rfc2132
1184
	#DHCP Options : rfc2132
1213
		#dhcp option value will be convert in hexa.
1185
		#dhcp option value will be convert in hexa.
1214
		#NTP option (or 'option 42') is like :
1186
		#NTP option (or 'option 42') is like :
1215
		#
1187
		#
1216
		#    Code   Len         Address 1               Address 2
1188
		#    Code   Len         Address 1               Address 2
1217
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1189
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1218
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1190
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1219
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1191
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1220
		#
1192
		#
1221
		#Code : 42 => 2a
1193
		#Code : 42 => 2a
1222
		#Len : 4 => 04
1194
		#Len : 4 => 04
1223
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1195
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1224
	cat <<EOF > /etc/chilli.conf
1196
	cat <<EOF > /etc/chilli.conf
1225
# coova config for ALCASAR
1197
# coova config for ALCASAR
1226
cmdsocket	/var/run/chilli.sock
1198
cmdsocket	/var/run/chilli.sock
1227
unixipc		chilli.$INTIF.ipc
1199
unixipc		chilli.$INTIF.ipc
1228
pidfile		/var/run/chilli.pid
1200
pidfile		/var/run/chilli.pid
1229
net		$PRIVATE_NETWORK_MASK
1201
net		$PRIVATE_NETWORK_MASK
1230
dhcpif		$INTIF
1202
dhcpif		$INTIF
1231
ethers		$DIR_DEST_ETC/alcasar-ethers
1203
ethers		$DIR_DEST_ETC/alcasar-ethers
1232
#nodynip
1204
#nodynip
1233
#statip
1205
#statip
1234
dynip		$PRIVATE_NETWORK_MASK
1206
dynip		$PRIVATE_NETWORK_MASK
1235
domain		$DOMAIN
1207
domain		$DOMAIN
1236
dns1		$PRIVATE_IP
1208
dns1		$PRIVATE_IP
1237
dns2		$PRIVATE_IP
1209
dns2		$PRIVATE_IP
1238
uamlisten	$PRIVATE_IP
1210
uamlisten	$PRIVATE_IP
1239
uamport		3990
1211
uamport		3990
1240
uamuiport	3991
1212
uamuiport	3991
1241
macauth
1213
macauth
1242
macpasswd	password
1214
macpasswd	password
1243
strictmacauth
1215
strictmacauth
1244
locationname	$HOSTNAME.$DOMAIN
1216
locationname	$HOSTNAME.$DOMAIN
1245
radiusserver1	127.0.0.1
1217
radiusserver1	127.0.0.1
1246
radiusserver2	127.0.0.1
1218
radiusserver2	127.0.0.1
1247
radiussecret	$secretradius
1219
radiussecret	$secretradius
1248
radiusauthport	1812
1220
radiusauthport	1812
1249
radiusacctport	1813
1221
radiusacctport	1813
1250
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1222
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1251
redirurl
1223
redirurl
1252
radiusnasid	$HOSTNAME.$DOMAIN
1224
radiusnasid	$HOSTNAME.$DOMAIN
1253
uamsecret	$secretuam
1225
uamsecret	$secretuam
1254
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1226
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1255
coaport		3799
1227
coaport		3799
1256
conup		$DIR_DEST_BIN/alcasar-conup.sh
1228
conup		$DIR_DEST_BIN/alcasar-conup.sh
1257
condown		$DIR_DEST_BIN/alcasar-condown.sh
1229
condown		$DIR_DEST_BIN/alcasar-condown.sh
1258
macup		$DIR_DEST_BIN/alcasar-macup.sh
1230
macup		$DIR_DEST_BIN/alcasar-macup.sh
1259
include		$DIR_DEST_ETC/alcasar-uamallowed
1231
include		$DIR_DEST_ETC/alcasar-uamallowed
1260
include		$DIR_DEST_ETC/alcasar-uamdomain
1232
include		$DIR_DEST_ETC/alcasar-uamdomain
1261
dhcpopt		2a04$PRIVATE_IP_HEXA
1233
dhcpopt		2a04$PRIVATE_IP_HEXA
1262
#dhcpgateway		none
1234
#dhcpgateway		none
1263
#dhcprelayagent		none
1235
#dhcprelayagent		none
1264
#dhcpgatewayport	none
1236
#dhcpgatewayport	none
1265
sslkeyfile	/etc/pki/tls/private/alcasar.key
1237
sslkeyfile	/etc/pki/tls/private/alcasar.key
1266
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1238
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1267
redirssl
1239
redirssl
1268
uamuissl
1240
uamuissl
1269
EOF
1241
EOF
1270
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1242
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1271
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1243
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1272
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1244
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1273
# create files for trusted domains and urls
1245
# create files for trusted domains and urls
1274
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1246
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1275
	chown root:apache $DIR_DEST_ETC/alcasar-*
1247
	chown root:apache $DIR_DEST_ETC/alcasar-*
1276
	chmod 660 $DIR_DEST_ETC/alcasar-*
1248
	chmod 660 $DIR_DEST_ETC/alcasar-*
1277
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1249
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1278
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1250
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1279
# user 'chilli' creation (in order to run conup/off and up/down scripts
1251
# user 'chilli' creation (in order to run conup/off and up/down scripts
1280
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1252
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1281
	if [ "$chilli_exist" == "1" ]
1253
	if [ "$chilli_exist" == "1" ]
1282
	then
1254
	then
1283
		userdel -r chilli 2>/dev/null
1255
		userdel -r chilli 2>/dev/null
1284
	fi
1256
	fi
1285
	groupadd -f chilli
1257
	groupadd -f chilli
1286
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1258
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1287
}  # End of chilli()
1259
}  # End of chilli()
1288
 
1260
 
1289
################################################################
1261
################################################################
1290
##                   Function "e2guardian"                    ##
1262
##                   Function "e2guardian"                    ##
1291
## - Set the parameters of this HTML proxy (as controler)     ##
1263
## - Set the parameters of this HTML proxy (as controler)     ##
1292
################################################################
1264
################################################################
1293
e2guardian()
1265
e2guardian()
1294
{
1266
{
1295
	mkdir -p /var/e2guardian /var/log/e2guardian
1267
	mkdir -p /var/e2guardian /var/log/e2guardian
1296
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1268
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1297
# Adapt systemd unit
1269
# Adapt systemd unit
1298
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1270
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1299
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1271
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1300
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1272
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1301
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1273
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1302
 
1274
 
1303
# Adapt the main conf file
1275
# Adapt the main conf file
1304
# French deny HTML page
1276
# French deny HTML page
1305
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1277
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1306
# Listen only on LAN side
1278
# Listen only on LAN side
1307
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1279
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1308
# The port that E2guardian listens to
1280
# The port that E2guardian listens to HTTP
1309
	$SED "s?^filterports =*?filteports = 8080?g" $DIR_DG/e2guardian.conf
1281
	$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf
-
 
1282
# The port that E2guardian listens to HTTPS
-
 
1283
	$SED "s?^transparenthttpsport =*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1310
# DG send its flow to HAVP (127.0.0.1:8090)
1284
# DG send its flow to HAVP (127.0.0.1:8090)
1311
	$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
1285
	$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
1312
	$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1286
	$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1313
# Don't log
1287
# Don't log
1314
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1288
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1315
# Disable HTML content control
1289
# Disable HTML content control
1316
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1290
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1317
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1291
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1318
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1292
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1319
# Disable URL control with regex
1293
# Disable URL control with regex
1320
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1294
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1321
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1295
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1322
 
1296
 
1323
# Adapt the first group file (only one for instance)
1297
# Adapt the first group file (only one for instance)
1324
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1298
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1325
# Reporting (deny page) in HTML
1299
# Reporting (deny page) in HTML
1326
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1300
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1327
 
1301
 
1328
# Replace the default deny HTML page (only fr & uk)
1302
# Replace the default deny HTML page (only fr & uk)
1329
	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1303
	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1330
	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/french/template.html.default
1304
	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/french/template.html.default
1331
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1305
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1332
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1306
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1333
# Dont filtering files by extension or mime-type (empty list)
1307
# Dont filtering files by extension or mime-type (empty list)
1334
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1308
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1335
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1309
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1336
	touch $DIR_DG/lists/bannedextensionlist
1310
	touch $DIR_DG/lists/bannedextensionlist
1337
	touch $DIR_DG/lists/bannedmimetypelist
1311
	touch $DIR_DG/lists/bannedmimetypelist
1338
# Empty LAN IP list that won't be WEB filtered
1312
# Empty LAN IP list that won't be WEB filtered
1339
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1313
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1340
	touch $DIR_DG/lists/exceptioniplist
1314
	touch $DIR_DG/lists/exceptioniplist
1341
# Creation of ALCASAR banned site list
1315
# Creation of ALCASAR banned site list
1342
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1316
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1343
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1317
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1344
# E2guardian domain filter config for ALCASAR
1318
# E2guardian domain filter config for ALCASAR
1345
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1319
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1346
#**
1320
#**
1347
# block all SSL and CONNECT tunnels
1321
# block all SSL and CONNECT tunnels
1348
**s
1322
**s
1349
# block all SSL and CONNECT tunnels specified only as an IP
1323
# block all SSL and CONNECT tunnels specified only as an IP
1350
*ips
1324
*ips
1351
# block all sites specified only by an IP
1325
# block all sites specified only by an IP
1352
*ip
1326
*ip
1353
EOF
1327
EOF
1354
# Creation of ALCASAR banned URL list (empty)
1328
# Creation of ALCASAR banned URL list (empty)
1355
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1329
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1356
	cat <<EOF > $DIR_DG/lists/bannedurllist
1330
	cat <<EOF > $DIR_DG/lists/bannedurllist
1357
# E2guardian filter config for ALCASAR
1331
# E2guardian filter config for ALCASAR
1358
EOF
1332
EOF
1359
# Creation of file for the rehabilited domains and urls
1333
# Creation of file for the rehabilited domains and urls
1360
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1334
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1361
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1335
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1362
	touch $DIR_DG/lists/exceptionsitelist
1336
	touch $DIR_DG/lists/exceptionsitelist
1363
	touch $DIR_DG/lists/exceptionurllist
1337
	touch $DIR_DG/lists/exceptionurllist
1364
# Add Bing to the safesearch url regext list (parental control)
1338
# Add Bing to the safesearch url regext list (parental control)
1365
	[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1339
	[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1366
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1340
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1367
# Bing - add 'adlt=strict'
1341
# Bing - add 'adlt=strict'
1368
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1342
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1369
EOF
1343
EOF
1370
# 'Safesearch' regex actualisation
1344
# 'Safesearch' regex actualisation
1371
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1345
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1372
# change the google safesearch ("safe=strict" instead of "safe=vss")
1346
# change the google safesearch ("safe=strict" instead of "safe=vss")
1373
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1347
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1374
} # End of e2guardian()
1348
} # End of e2guardian()
1375
 
1349
 
1376
##################################################################
1350
##################################################################
1377
##                     Function "antivirus"                     ##
1351
##                     Function "antivirus"                     ##
1378
## - Set the parameters of havp, libclamav and freshclam        ##
1352
## - Set the parameters of havp, libclamav and freshclam        ##
1379
##################################################################
1353
##################################################################
1380
antivirus()
1354
antivirus()
1381
{
1355
{
1382
# create 'havp' user
1356
# create 'havp' user
1383
	havp_exist=`grep -c ^havp: /etc/passwd`
1357
	havp_exist=`grep -c ^havp: /etc/passwd`
1384
	if [ "$havp_exist" == "1" ]
1358
	if [ "$havp_exist" == "1" ]
1385
	then
1359
	then
1386
		userdel -r havp 2>/dev/null
1360
		userdel -r havp 2>/dev/null
1387
		groupdel havp 2>/dev/null
1361
		groupdel havp 2>/dev/null
1388
	fi
1362
	fi
1389
	groupadd -f havp
1363
	groupadd -f havp
1390
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1364
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1391
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1365
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1392
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1366
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1393
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1367
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1394
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1368
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1395
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1369
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1396
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1370
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1397
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1371
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1398
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1372
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1399
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1373
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1400
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1374
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1401
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1375
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1402
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1376
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1403
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1377
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1404
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1378
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1405
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1379
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1406
# skip checking of youtube flow (too heavy load / risk too low)
1380
# skip checking of youtube flow (too heavy load / risk too low)
1407
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1381
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1408
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1382
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1409
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1383
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1410
# adapt init script and systemd unit
1384
# adapt init script and systemd unit
1411
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1385
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1412
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1386
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1413
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1387
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1414
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1388
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1415
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1389
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1416
# replace of the intercept page (template)
1390
# replace of the intercept page (template)
1417
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1391
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1418
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1392
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1419
# update virus database every 4 hours (24h/6)
1393
# update virus database every 4 hours (24h/6)
1420
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1394
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1421
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1395
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1422
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1396
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1423
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1397
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1424
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1398
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1425
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1399
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1426
# update now
1400
# update now
1427
	/usr/bin/freshclam --no-warnings
1401
	/usr/bin/freshclam --no-warnings
1428
} # End of antivirus()
1402
} # End of antivirus()
1429
 
1403
 
1430
################################################################################
1404
################################################################################
1431
##                           Function "tinyproxy"                             ##
1405
##                           Function "tinyproxy"                             ##
1432
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1406
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1433
################################################################################
1407
################################################################################
1434
tinyproxy()
1408
tinyproxy()
1435
{
1409
{
1436
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1410
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1437
	if [ "$tinyproxy_exist" == "1" ]
1411
	if [ "$tinyproxy_exist" == "1" ]
1438
	then
1412
	then
1439
		userdel -r tinyproxy 2>/dev/null
1413
		userdel -r tinyproxy 2>/dev/null
1440
		groupdel tinyproxy 2>/dev/null
1414
		groupdel tinyproxy 2>/dev/null
1441
	fi
1415
	fi
1442
	groupadd -f tinyproxy
1416
	groupadd -f tinyproxy
1443
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1417
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1444
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1418
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1445
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1419
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1446
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1420
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1447
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1421
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1448
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1422
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1449
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1423
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1450
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1424
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1451
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1425
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1452
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1426
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1453
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1427
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1454
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1428
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1455
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1429
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1456
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1430
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1457
# Create the systemd unit
1431
# Create the systemd unit
1458
cat << EOF > /lib/systemd/system/tinyproxy.service
1432
cat << EOF > /lib/systemd/system/tinyproxy.service
1459
#  This file is part of systemd.
1433
#  This file is part of systemd.
1460
#
1434
#
1461
#  systemd is free software; you can redistribute it and/or modify it
1435
#  systemd is free software; you can redistribute it and/or modify it
1462
#  under the terms of the GNU General Public License as published by
1436
#  under the terms of the GNU General Public License as published by
1463
#  the Free Software Foundation; either version 2 of the License, or
1437
#  the Free Software Foundation; either version 2 of the License, or
1464
#  (at your option) any later version.
1438
#  (at your option) any later version.
1465
 
1439
 
1466
# This unit launches tinyproxy (a very light proxy).
1440
# This unit launches tinyproxy (a very light proxy).
1467
# The "sleep 2" is needed because the pid file isn't ready for systemd
1441
# The "sleep 2" is needed because the pid file isn't ready for systemd
1468
[Unit]
1442
[Unit]
1469
Description=Tinyproxy Web Proxy Server
1443
Description=Tinyproxy Web Proxy Server
1470
After=network.target iptables.service
1444
After=network.target iptables.service
1471
 
1445
 
1472
[Service]
1446
[Service]
1473
Type=forking
1447
Type=forking
1474
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1448
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1475
ExecStartPre=/bin/sleep 2
1449
ExecStartPre=/bin/sleep 2
1476
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1450
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1477
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1451
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1478
 
1452
 
1479
[Install]
1453
[Install]
1480
WantedBy=multi-user.target
1454
WantedBy=multi-user.target
1481
EOF
1455
EOF
1482
 
1456
 
1483
} # end of tinyproxy()
1457
} # end of tinyproxy()
1484
 
1458
 
1485
##############################################################
1459
##############################################################
1486
##                            function "ulogd"              ##
1460
##                            function "ulogd"              ##
1487
## - Ulog config for multi-log files                        ##
1461
## - Ulog config for multi-log files                        ##
1488
##############################################################
1462
##############################################################
1489
ulogd()
1463
ulogd()
1490
{
1464
{
1491
# Three instances of ulogd (three different logfiles)
1465
# Three instances of ulogd (three different logfiles)
1492
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1466
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1493
	nl=1
1467
	nl=1
1494
	for log_type in traceability ssh ext-access
1468
	for log_type in traceability ssh ext-access
1495
	do
1469
	do
1496
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1470
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1497
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1471
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1498
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1472
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1499
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1473
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1500
		cat << EOF >> /etc/ulogd-$log_type.conf
1474
		cat << EOF >> /etc/ulogd-$log_type.conf
1501
[emu1]
1475
[emu1]
1502
file="/var/log/firewall/$log_type.log"
1476
file="/var/log/firewall/$log_type.log"
1503
sync=1
1477
sync=1
1504
EOF
1478
EOF
1505
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1479
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1506
		nl=`expr $nl + 1`
1480
		nl=`expr $nl + 1`
1507
	done
1481
	done
1508
	chown -R root:apache /var/log/firewall
1482
	chown -R root:apache /var/log/firewall
1509
	chmod 750 /var/log/firewall
1483
	chmod 750 /var/log/firewall
1510
	chmod 640 /var/log/firewall/*
1484
	chmod 640 /var/log/firewall/*
1511
}  # End of ulogd()
1485
}  # End of ulogd()
1512
 
1486
 
1513
##########################################################
1487
##########################################################
1514
##                    Function "nfsen"                  ##
1488
##                    Function "nfsen"                  ##
1515
## - install the nfsen grapher                          ##
1489
## - install the nfsen grapher                          ##
1516
## - install the two plugins porttracker & surfmap      ##
1490
## - install the two plugins porttracker & surfmap      ##
1517
##########################################################
1491
##########################################################
1518
nfsen()
1492
nfsen()
1519
{
1493
{
1520
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1494
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1521
# Add PortTracker plugin
1495
# Add PortTracker plugin
1522
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1496
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1523
	do
1497
	do
1524
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1498
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1525
	done
1499
	done
1526
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1500
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1527
# use of our conf file and init unit
1501
# use of our conf file and init unit
1528
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1502
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1529
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1503
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1530
	DirTmp=$(pwd)
1504
	DirTmp=$(pwd)
1531
	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
1505
	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
1532
	/usr/bin/perl install.pl etc/nfsen.conf
1506
	/usr/bin/perl install.pl etc/nfsen.conf
1533
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1507
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1534
# Create RRD DB for porttracker (only in it still doesn't exist)
1508
# Create RRD DB for porttracker (only in it still doesn't exist)
1535
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1509
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1536
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1510
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1537
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1511
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1538
	chmod -R 770 /var/log/netflow/porttracker
1512
	chmod -R 770 /var/log/netflow/porttracker
1539
# nfsen unit for systemd
1513
# nfsen unit for systemd
1540
	cat << EOF > /lib/systemd/system/nfsen.service
1514
	cat << EOF > /lib/systemd/system/nfsen.service
1541
#  This file is part of systemd.
1515
#  This file is part of systemd.
1542
#
1516
#
1543
#  systemd is free software; you can redistribute it and/or modify it
1517
#  systemd is free software; you can redistribute it and/or modify it
1544
#  under the terms of the GNU General Public License as published by
1518
#  under the terms of the GNU General Public License as published by
1545
#  the Free Software Foundation; either version 2 of the License, or
1519
#  the Free Software Foundation; either version 2 of the License, or
1546
#  (at your option) any later version.
1520
#  (at your option) any later version.
1547
 
1521
 
1548
# This unit launches nfsen (a Netflow grapher).
1522
# This unit launches nfsen (a Netflow grapher).
1549
[Unit]
1523
[Unit]
1550
Description= NfSen init script
1524
Description= NfSen init script
1551
After=network.target iptables.service
1525
After=network.target iptables.service
1552
 
1526
 
1553
[Service]
1527
[Service]
1554
Type=oneshot
1528
Type=oneshot
1555
RemainAfterExit=yes
1529
RemainAfterExit=yes
1556
PIDFile=/var/run/nfsen/nfsen.pid
1530
PIDFile=/var/run/nfsen/nfsen.pid
1557
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1531
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1558
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1532
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1559
ExecStart=/usr/bin/nfsen start
1533
ExecStart=/usr/bin/nfsen start
1560
ExecStop=/usr/bin/nfsen stop
1534
ExecStop=/usr/bin/nfsen stop
1561
ExecReload=/usr/bin/nfsen restart
1535
ExecReload=/usr/bin/nfsen restart
1562
TimeoutSec=0
1536
TimeoutSec=0
1563
 
1537
 
1564
[Install]
1538
[Install]
1565
WantedBy=multi-user.target
1539
WantedBy=multi-user.target
1566
EOF
1540
EOF
1567
# Add the listen port to collect netflow packet (nfcapd)
1541
# Add the listen port to collect netflow packet (nfcapd)
1568
	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1542
	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1569
# expire delay for the profile "live"
1543
# expire delay for the profile "live"
1570
	/usr/bin/systemctl start nfsen
1544
	/usr/bin/systemctl start nfsen
1571
	/bin/nfsen -m live -e 62d 2>/dev/null
1545
	/bin/nfsen -m live -e 62d 2>/dev/null
1572
# add SURFmap plugin (waiting for new technical solution)
1546
# add SURFmap plugin (waiting for new technical solution)
1573
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1547
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1574
#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1548
#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1575
#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1549
#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1576
#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1550
#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1577
#	cd /tmp/
1551
#	cd /tmp/
1578
#	/usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
1552
#	/usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
1579
# clear the installation
1553
# clear the installation
1580
#	rm -rf /tmp/SURFmap*
1554
#	rm -rf /tmp/SURFmap*
1581
	rm -rf /tmp/nfsen-*
1555
	rm -rf /tmp/nfsen-*
1582
	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1556
	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1583
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1557
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1584
} # End of nfsen()
1558
} # End of nfsen()
1585
 
1559
 
1586
###########################################################
1560
###########################################################
1587
##                     Function "vnstat"                 ##
1561
##                     Function "vnstat"                 ##
1588
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1562
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1589
###########################################################
1563
###########################################################
1590
vnstat()
1564
vnstat()
1591
{
1565
{
1592
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1566
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1593
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1567
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1594
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1568
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1595
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1569
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1596
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1570
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1597
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1571
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1598
	/usr/bin/vnstat -i $EXTIF -u --force
-
 
1599
} # End of vnstat()
1572
} # End of vnstat()
1600
 
1573
 
1601
###################################################################
1574
###################################################################
1602
##                     Function "dnsmasq"                        ##
1575
##                     Function "dnsmasq"                        ##
1603
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1576
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1604
###################################################################
1577
###################################################################
1605
dnsmasq()
1578
dnsmasq()
1606
{
1579
{
1607
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1580
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1608
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1581
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1609
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1582
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1610
	cat << EOF > /etc/dnsmasq-whitelist.conf
1583
	cat << EOF > /etc/dnsmasq-whitelist.conf
1611
# Configuration file for "dnsmasq with whitelist"
1584
# Configuration file for "dnsmasq with whitelist"
1612
# ADD Toulouse university whitelist domains
1585
# ADD Toulouse university whitelist domains
1613
pid-file=/var/run/dnsmasq-whitelist.pid
1586
pid-file=/var/run/dnsmasq-whitelist.pid
1614
listen-address=127.0.0.1
1587
listen-address=127.0.0.1
1615
port=55
1588
port=55
1616
no-dhcp-interface=lo
1589
no-dhcp-interface=lo
1617
bind-interfaces
1590
bind-interfaces
1618
cache-size=1024
1591
cache-size=1024
1619
domain-needed
1592
domain-needed
1620
expand-hosts
1593
expand-hosts
1621
bogus-priv
1594
bogus-priv
1622
filterwin2k
1595
filterwin2k
1623
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1596
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1624
server=$DNS1
1597
server=$DNS1
1625
server=$DNS2
1598
server=$DNS2
1626
EOF
1599
EOF
1627
	# Create dnsmasq-whitelist unit
1600
	# Create dnsmasq-whitelist unit
1628
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1601
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1629
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1602
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1630
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1603
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1631
	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1604
	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1632
} # End of dnsmasq()
1605
} # End of dnsmasq()
1633
 
1606
 
1634
#########################################################
1607
#########################################################
1635
##              Function "unbound"                     ##
1608
##              Function "unbound"                     ##
1636
## - create the conf files for 4 unbound services      ##
1609
## - create the conf files for 4 unbound services      ##
1637
## - create the systemd files for 4 unbound services   ##
1610
## - create the systemd files for 4 unbound services   ##
1638
#########################################################
1611
#########################################################
1639
unbound ()
1612
unbound ()
1640
{
1613
{
1641
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1614
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1642
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1615
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1643
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1616
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1644
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1617
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1645
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1618
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1646
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1619
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1647
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1620
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1648
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1621
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1649
	[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1622
	[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1650
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1623
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1651
	# Local static DNS configuration
1624
	# Local static DNS configuration
1652
	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1625
	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1653
 
1626
 
1654
# Forward zone configuration file for all unbound dns servers
1627
# Forward zone configuration file for all unbound dns servers
1655
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1628
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1656
forward-zone:
1629
forward-zone:
1657
	name: "."
1630
	name: "."
1658
	forward-addr: $DNS1
1631
	forward-addr: $DNS1
1659
	forward-addr: $DNS2
1632
	forward-addr: $DNS2
1660
EOF
1633
EOF
1661
 
1634
 
1662
# Custom configuration file for manual DNS configuration
1635
# Custom configuration file for manual DNS configuration
1663
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1636
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1664
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1637
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1665
## Add one block for each domain name managed by an other DNS server
1638
## Add one block for each domain name managed by an other DNS server
1666
##
1639
##
1667
## Example:
1640
## Example:
1668
##
1641
##
1669
## server:
1642
## server:
1670
##     local-zone: "<your_domain>." transparent
1643
##     local-zone: "<your_domain>." transparent
1671
## forward-zone:
1644
## forward-zone:
1672
##     name: "<your_domain>."
1645
##     name: "<your_domain>."
1673
##     forward-addr: <@IP_domain_server>
1646
##     forward-addr: <@IP_domain_server>
1674
##
1647
##
1675
## INFO : local hostnames are resolved in /etc/hosts file
1648
## INFO : local hostnames are resolved in /etc/hosts file
1676
EOF
1649
EOF
1677
 
1650
 
1678
# Configuration file of ALCASAR main domains for $INTIF
1651
# Configuration file of ALCASAR main domains for $INTIF
1679
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1652
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1680
server:
1653
server:
1681
	local-zone: "$HOSTNAME.$DOMAIN" static
1654
	local-zone: "$HOSTNAME.$DOMAIN" static
1682
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1655
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1683
	local-zone: "$HOSTNAME" static
1656
	local-zone: "$HOSTNAME" static
1684
	local-data: "$HOSTNAME A $PRIVATE_IP"
1657
	local-data: "$HOSTNAME A $PRIVATE_IP"
1685
	local-zone: "$DOMAIN." static
1658
	local-zone: "$DOMAIN." static
1686
	local-data: "$DOMAIN. A"
1659
	local-data: "$DOMAIN. A"
1687
EOF
1660
EOF
1688
 
1661
 
1689
# Configuration file for lo of forward unbound
1662
# Configuration file for lo of forward unbound
1690
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1663
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1691
server:
1664
server:
1692
	interface: 127.0.0.1@53
1665
	interface: 127.0.0.1@53
1693
	access-control-view: 127.0.0.1/8 lo
1666
	access-control-view: 127.0.0.1/8 lo
1694
 
1667
 
1695
view:
1668
view:
1696
	name: "lo"
1669
	name: "lo"
1697
	local-zone: "$HOSTNAME.$DOMAIN" static
1670
	local-zone: "$HOSTNAME.$DOMAIN" static
1698
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1671
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1699
	local-zone: "$HOSTNAME" static
1672
	local-zone: "$HOSTNAME" static
1700
	local-data: "$HOSTNAME A 127.0.0.1"
1673
	local-data: "$HOSTNAME A 127.0.0.1"
1701
	view-first: yes
1674
	view-first: yes
1702
EOF
1675
EOF
1703
 
1676
 
1704
# Configuration file for $INTIF of forward unbound
1677
# Configuration file for $INTIF of forward unbound
1705
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1678
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1706
server:
1679
server:
1707
	interface: ${PRIVATE_IP}@53
1680
	interface: ${PRIVATE_IP}@53
1708
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1681
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1709
 
1682
 
1710
view:
1683
view:
1711
	name: "$INTIF"
1684
	name: "$INTIF"
1712
	local-zone: "$HOSTNAME.$DOMAIN" static
1685
	local-zone: "$HOSTNAME.$DOMAIN" static
1713
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1686
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1714
	local-zone: "$HOSTNAME" static
1687
	local-zone: "$HOSTNAME" static
1715
	local-data: "$HOSTNAME A $PRIVATE_IP"
1688
	local-data: "$HOSTNAME A $PRIVATE_IP"
1716
	view-first: yes
1689
	view-first: yes
1717
EOF
1690
EOF
1718
 
1691
 
1719
# Configuration file for forward unbound
1692
# Configuration file for forward unbound
1720
	cat << EOF > /etc/unbound/unbound.conf
1693
	cat << EOF > /etc/unbound/unbound.conf
1721
server:
1694
server:
1722
	verbosity: 1
1695
	verbosity: 1
1723
	hide-version: yes
1696
	hide-version: yes
1724
	hide-identity: yes
1697
	hide-identity: yes
1725
	do-ip6: no
1698
	do-ip6: no
1726
	include: /etc/unbound/conf.d/common/forward-zone.conf
1699
	include: /etc/unbound/conf.d/common/forward-zone.conf
1727
	include: /etc/unbound/conf.d/common/local-forward/*
1700
	include: /etc/unbound/conf.d/common/local-forward/*
1728
	include: /etc/unbound/conf.d/common/local-dns/*
1701
	include: /etc/unbound/conf.d/common/local-dns/*
1729
	include: /etc/unbound/conf.d/forward/*
1702
	include: /etc/unbound/conf.d/forward/*
1730
EOF
1703
EOF
1731
 
1704
 
1732
# Configuration file for $INTIF of blacklist unbound
1705
# Configuration file for $INTIF of blacklist unbound
1733
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1706
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1734
server:
1707
server:
1735
	interface: ${PRIVATE_IP}@54
1708
	interface: ${PRIVATE_IP}@54
1736
	access-control: $PRIVATE_IP_MASK allow
1709
	access-control: $PRIVATE_IP_MASK allow
1737
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1710
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1738
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1711
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1739
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1712
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1740
EOF
1713
EOF
1741
 
1714
 
1742
# Configuration file for blacklist unbound
1715
# Configuration file for blacklist unbound
1743
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1716
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1744
server:
1717
server:
1745
	verbosity: 1
1718
	verbosity: 1
1746
	hide-version: yes
1719
	hide-version: yes
1747
	hide-identity: yes
1720
	hide-identity: yes
1748
	do-ip6: no
1721
	do-ip6: no
1749
	logfile: "/var/log/unbound/unbound-blacklist.log"
1722
	logfile: "/var/log/unbound/unbound-blacklist.log"
1750
	chroot: ""
1723
	chroot: ""
1751
	define-tag: "blacklist"
1724
	define-tag: "blacklist"
1752
	log-local-actions: yes
1725
	log-local-actions: yes
1753
	include: /etc/unbound/conf.d/common/forward-zone.conf
1726
	include: /etc/unbound/conf.d/common/forward-zone.conf
1754
	include: /etc/unbound/conf.d/common/local-forward/*
1727
	include: /etc/unbound/conf.d/common/local-forward/*
1755
	include: /etc/unbound/conf.d/common/local-dns/*
1728
	include: /etc/unbound/conf.d/common/local-dns/*
1756
	include: /etc/unbound/conf.d/blacklist/*
1729
	include: /etc/unbound/conf.d/blacklist/*
1757
	include: /usr/local/share/unbound-bl-enabled/*
1730
	include: /usr/local/share/unbound-bl-enabled/*
1758
EOF
1731
EOF
1759
 
1732
 
1760
# Configuration file for $INTIF of whitelist unbound
1733
# Configuration file for $INTIF of whitelist unbound
1761
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1734
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1762
server:
1735
server:
1763
	interface: ${PRIVATE_IP}@55
1736
	interface: ${PRIVATE_IP}@55
1764
	access-control: $PRIVATE_IP_MASK allow
1737
	access-control: $PRIVATE_IP_MASK allow
1765
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1738
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1766
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1739
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1767
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1740
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1768
EOF
1741
EOF
1769
 
1742
 
1770
# Configuration file for whitelist unbound
1743
# Configuration file for whitelist unbound
1771
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1744
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1772
server:
1745
server:
1773
	verbosity: 1
1746
	verbosity: 1
1774
	hide-version: yes
1747
	hide-version: yes
1775
	hide-identity: yes
1748
	hide-identity: yes
1776
	do-ip6: no
1749
	do-ip6: no
1777
	do-not-query-localhost: no
1750
	do-not-query-localhost: no
1778
	define-tag: "whitelist"
1751
	define-tag: "whitelist"
1779
	local-zone: "." transparent
1752
	local-zone: "." transparent
1780
	local-zone-tag: "." "whitelist"
1753
	local-zone-tag: "." "whitelist"
1781
	include: /usr/local/share/unbound-wl-enabled/*
1754
	include: /usr/local/share/unbound-wl-enabled/*
1782
	include: /etc/unbound/conf.d/whitelist/*
1755
	include: /etc/unbound/conf.d/whitelist/*
1783
	include: /etc/unbound/conf.d/common/local-dns/*
1756
	include: /etc/unbound/conf.d/common/local-dns/*
1784
	include: /etc/unbound/conf.d/common/local-forward/*
1757
	include: /etc/unbound/conf.d/common/local-forward/*
1785
forward-zone:
1758
forward-zone:
1786
	name: "."
1759
	name: "."
1787
	forward-addr: 127.0.0.1@55
1760
	forward-addr: 127.0.0.1@55
1788
EOF
1761
EOF
1789
 
1762
 
1790
# Configuration file for $INTIF of blackhole unbound
1763
# Configuration file for $INTIF of blackhole unbound
1791
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1764
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1792
server:
1765
server:
1793
	interface: ${PRIVATE_IP}@56
1766
	interface: ${PRIVATE_IP}@56
1794
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1767
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1795
 
1768
 
1796
view:
1769
view:
1797
	name: "$INTIF"
1770
	name: "$INTIF"
1798
	local-zone: "." redirect
1771
	local-zone: "." redirect
1799
	local-data: ". A $PRIVATE_IP"
1772
	local-data: ". A $PRIVATE_IP"
1800
EOF
1773
EOF
1801
 
1774
 
1802
# Configuration file for blackhole unbound
1775
# Configuration file for blackhole unbound
1803
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1776
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1804
server:
1777
server:
1805
	verbosity: 1
1778
	verbosity: 1
1806
	hide-version: yes
1779
	hide-version: yes
1807
	hide-identity: yes
1780
	hide-identity: yes
1808
	do-ip6: no
1781
	do-ip6: no
1809
	include: /etc/unbound/conf.d/blackhole/*
1782
	include: /etc/unbound/conf.d/blackhole/*
1810
	include: /etc/unbound/conf.d/common/local-dns/*
1783
	include: /etc/unbound/conf.d/common/local-dns/*
1811
	include: /etc/unbound/conf.d/common/local-forward/*
1784
	include: /etc/unbound/conf.d/common/local-forward/*
1812
EOF
1785
EOF
1813
 
1786
 
1814
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1787
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1815
	then
1788
	then
1816
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1789
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1817
	fi
1790
	fi
1818
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1791
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1819
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1792
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1820
	for list in blacklist blackhole whitelist
1793
	for list in blacklist blackhole whitelist
1821
	do
1794
	do
1822
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1795
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1823
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1796
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1824
		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1797
		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1825
	done
1798
	done
1826
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1799
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1827
} # End of unbound()
1800
} # End of unbound()
1828
 
1801
 
1829
##################################################
1802
##################################################
1830
##              Function "dhcpd"                ##
1803
##              Function "dhcpd"                ##
1831
##################################################
1804
##################################################
1832
dhcpd()
1805
dhcpd()
1833
{
1806
{
1834
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1807
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1835
	cat <<EOF > /etc/dhcpd.conf
1808
	cat <<EOF > /etc/dhcpd.conf
1836
ddns-update-style none;
1809
ddns-update-style none;
1837
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1810
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1838
	option routers $PRIVATE_IP;
1811
	option routers $PRIVATE_IP;
1839
	option subnet-mask $PRIVATE_NETMASK;
1812
	option subnet-mask $PRIVATE_NETMASK;
1840
	option domain-name-servers $PRIVATE_IP;
1813
	option domain-name-servers $PRIVATE_IP;
1841
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1814
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1842
	default-lease-time 21600;
1815
	default-lease-time 21600;
1843
	max-lease-time 43200;
1816
	max-lease-time 43200;
1844
}
1817
}
1845
EOF
1818
EOF
1846
} # End of dhcpd()
1819
} # End of dhcpd()
1847
 
1820
 
1848
##########################################################
1821
##########################################################
1849
##                      Function "BL"                   ##
1822
##                      Function "BL"                   ##
1850
## - copy Toulouse BL                                   ##
1823
## - copy Toulouse BL                                   ##
1851
## - adapt this BL to ALCASAR architecture              ##
1824
## - adapt this BL to ALCASAR architecture              ##
1852
##     - domain names for unbound-bl & unbound-wl       ##
1825
##     - domain names for unbound-bl & unbound-wl       ##
1853
##     - URLs for E²guardian                            ##
1826
##     - URLs for E²guardian                            ##
1854
##     - IPs for NetFilter                              ##
1827
##     - IPs for NetFilter                              ##
1855
##########################################################
1828
##########################################################
1856
BL()
1829
BL()
1857
{
1830
{
1858
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1831
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1859
	rm -rf $DIR_DG/lists/blacklists
1832
	rm -rf $DIR_DG/lists/blacklists
1860
	mkdir -p /tmp/blacklists
1833
	mkdir -p /tmp/blacklists
1861
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1834
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1862
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1835
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1863
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1836
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1864
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1837
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1865
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1838
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1866
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1839
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1867
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1840
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1868
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1841
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1869
# add custom ALCASAR BL files
1842
# add custom ALCASAR BL files
1870
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1843
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1871
	do
1844
	do
1872
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1845
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1873
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1846
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1874
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1847
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1875
	done
1848
	done
1876
	chown -R e2guardian:apache $DIR_DG
1849
	chown -R e2guardian:apache $DIR_DG
1877
	chown -R root:apache $DIR_DEST_SHARE
1850
	chown -R root:apache $DIR_DEST_SHARE
1878
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1851
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1879
# adapt the Toulouse BL to ALCASAR architecture
1852
# adapt the Toulouse BL to ALCASAR architecture
1880
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1853
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1881
# enable the default categories
1854
# enable the default categories
1882
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1855
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1883
	rm -rf /tmp/blacklists
1856
	rm -rf /tmp/blacklists
1884
} # End of BL()
1857
} # End of BL()
1885
 
1858
 
1886
#######################################################
1859
#######################################################
1887
##                  Function "cron"                  ##
1860
##                  Function "cron"                  ##
1888
## - write all cron & anacron files                  ##
1861
## - write all cron & anacron files                  ##
1889
#######################################################
1862
#######################################################
1890
cron()
1863
cron()
1891
{
1864
{
1892
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1865
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1893
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1866
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1894
	cat <<EOF > /etc/crontab
1867
	cat <<EOF > /etc/crontab
1895
SHELL=/usr/bin/bash
1868
SHELL=/usr/bin/bash
1896
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1869
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1897
MAILTO=root
1870
MAILTO=root
1898
HOME=/
1871
HOME=/
1899
 
1872
 
1900
# run-parts
1873
# run-parts
1901
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1874
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1902
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1875
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1903
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1876
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1904
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1877
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1905
EOF
1878
EOF
1906
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1879
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1907
	cat <<EOF >> /etc/anacrontab
1880
	cat <<EOF >> /etc/anacrontab
1908
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1881
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1909
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1882
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1910
EOF
1883
EOF
1911
	cat <<EOF > /etc/cron.d/alcasar-mysql
1884
	cat <<EOF > /etc/cron.d/alcasar-mysql
1912
# Verify, repair and export users database (every monday at 4:45 am)
1885
# Verify, repair and export users database (every monday at 4:45 am)
1913
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1886
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1914
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1887
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1915
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1888
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1916
EOF
1889
EOF
1917
	cat <<EOF > /etc/cron.d/alcasar-archive
1890
	cat <<EOF > /etc/cron.d/alcasar-archive
1918
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1891
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1919
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1892
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1920
EOF
1893
EOF
1921
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1894
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1922
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1895
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1923
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1896
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1924
EOF
1897
EOF
1925
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1898
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1926
# Update the system (everyday at 3:30 am)
1899
# Update the system (everyday at 3:30 am)
1927
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1900
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1928
EOF
1901
EOF
1929
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1902
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1930
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1903
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1931
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1904
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1932
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1905
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1933
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1906
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1934
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1907
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1935
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1908
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1936
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1909
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1937
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1910
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1938
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1911
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1939
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1912
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1940
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1913
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1941
EOF
1914
EOF
1942
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1915
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1943
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1916
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1944
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1917
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1945
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1918
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1946
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1919
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1947
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1920
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1948
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1921
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1949
EOF
1922
EOF
1950
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1923
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1951
# start dead daemons (after boot process and every 18')
1924
# start dead daemons (after boot process and every 18')
1952
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1925
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1953
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1926
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1954
EOF
1927
EOF
1955
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1928
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1956
# Automatic update the BL via rsync (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1929
# Automatic update the BL via rsync (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1957
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1930
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1958
EOF
1931
EOF
1959
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1932
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1960
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1933
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1961
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1934
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1962
EOF
1935
EOF
1963
 
1936
 
1964
# removing the users crons
1937
# removing the users crons
1965
	rm -f /var/spool/cron/*
1938
	rm -f /var/spool/cron/*
1966
} # End of cron()
1939
} # End of cron()
1967
 
1940
 
1968
######################################################################
1941
######################################################################
1969
##                      Fonction "Fail2Ban"                         ##
1942
##                      Fonction "Fail2Ban"                         ##
1970
##- Adapt conf file to ALCASAR                                      ##
1943
##- Adapt conf file to ALCASAR                                      ##
1971
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1944
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1972
######################################################################
1945
######################################################################
1973
fail2ban()
1946
fail2ban()
1974
{
1947
{
1975
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1948
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1976
# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section
1949
# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section
1977
	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1950
	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1978
	[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
1951
	[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
1979
	chmod 644 /var/log/fail2ban.log
1952
	chmod 644 /var/log/fail2ban.log
1980
	chmod 644 /var/Save/security/watchdog.log
1953
	chmod 644 /var/Save/security/watchdog.log
1981
	/usr/bin/touch /var/log/auth.log
1954
	/usr/bin/touch /var/log/auth.log
1982
# fail2ban unit
1955
# fail2ban unit
1983
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1956
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1984
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1957
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1985
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1958
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1986
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1959
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1987
} # End of fail2ban()
1960
} # End of fail2ban()
1988
 
1961
 
1989
#########################################################
1962
#########################################################
1990
##                   Fonction "gammu_smsd"             ##
1963
##                   Fonction "gammu_smsd"             ##
1991
## - Creating of SMS management database               ##
1964
## - Creating of SMS management database               ##
1992
## - Write the gammu a gammu_smsd conf files           ##
1965
## - Write the gammu a gammu_smsd conf files           ##
1993
#########################################################
1966
#########################################################
1994
gammu_smsd()
1967
gammu_smsd()
1995
{
1968
{
1996
# Create 'gammu' system user
1969
# Create 'gammu' system user
1997
	groupadd -f gammu_smsd
1970
	groupadd -f gammu_smsd
1998
	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1971
	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1999
	usermod -a -G dialout gammu_smsd
1972
	usermod -a -G dialout gammu_smsd
2000
 
1973
 
2001
# Create 'gammu' database
1974
# Create 'gammu' database
2002
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1975
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
2003
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1976
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
2004
# Add a gammu database structure
1977
# Add a gammu database structure
2005
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1978
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
2006
 
1979
 
2007
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1980
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
2008
	cat << EOF > /etc/gammurc
1981
	cat << EOF > /etc/gammurc
2009
[gammu]
1982
[gammu]
2010
device = /dev/ttyUSB0
1983
device = /dev/ttyUSB0
2011
connection = at115200
1984
connection = at115200
2012
EOF
1985
EOF
2013
 
1986
 
2014
	cat << EOF > /etc/gammu_smsd_conf
1987
	cat << EOF > /etc/gammu_smsd_conf
2015
[gammu]
1988
[gammu]
2016
port = /dev/ttyUSB0
1989
port = /dev/ttyUSB0
2017
connection = at115200
1990
connection = at115200
2018
 
1991
 
2019
[smsd]
1992
[smsd]
2020
PIN = 1234
1993
PIN = 1234
2021
logfile = /var/log/gammu-smsd/gammu-smsd.log
1994
logfile = /var/log/gammu-smsd/gammu-smsd.log
2022
logformat = textall
1995
logformat = textall
2023
debuglevel = 0
1996
debuglevel = 0
2024
 
1997
 
2025
service = sql
1998
service = sql
2026
driver = native_mysql
1999
driver = native_mysql
2027
user = $DB_USER
2000
user = $DB_USER
2028
password = $radiuspwd
2001
password = $radiuspwd
2029
pc = localhost
2002
pc = localhost
2030
database = $DB_GAMMU
2003
database = $DB_GAMMU
2031
 
2004
 
2032
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
2005
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
2033
 
2006
 
2034
StatusFrequency = 30
2007
StatusFrequency = 30
2035
;LoopSleep = 2
2008
;LoopSleep = 2
2036
 
2009
 
2037
;ResetFrequency = 300
2010
;ResetFrequency = 300
2038
;HardResetFrequency = 120
2011
;HardResetFrequency = 120
2039
 
2012
 
2040
CheckSecurity = 1
2013
CheckSecurity = 1
2041
CheckSignal = 1
2014
CheckSignal = 1
2042
CheckBattery = 0
2015
CheckBattery = 0
2043
EOF
2016
EOF
2044
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2017
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2045
 
2018
 
2046
# Create the systemd unit
2019
# Create the systemd unit
2047
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2020
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2048
[Unit]
2021
[Unit]
2049
Description=SMS daemon for Gammu
2022
Description=SMS daemon for Gammu
2050
Documentation=man:gammu-smsd(1)
2023
Documentation=man:gammu-smsd(1)
2051
After=network.target mysql.service
2024
After=network.target mysql.service
2052
 
2025
 
2053
[Service]
2026
[Service]
2054
Type=forking
2027
Type=forking
2055
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
2028
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
2056
ExecReload=/bin/kill -HUP $MAINPID
2029
ExecReload=/bin/kill -HUP $MAINPID
2057
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
2030
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
2058
PIDFile=/var/run/gammu-smsd.pid
2031
PIDFile=/var/run/gammu-smsd.pid
2059
 
2032
 
2060
[Install]
2033
[Install]
2061
WantedBy=multi-user.target
2034
WantedBy=multi-user.target
2062
EOF
2035
EOF
2063
 
2036
 
2064
# Log folder for gammu-smsd
2037
# Log folder for gammu-smsd
2065
	[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2038
	[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2066
	chmod 755 /var/log/gammu-smsd
2039
	chmod 755 /var/log/gammu-smsd
2067
 
2040
 
2068
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2041
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2069
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2042
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2070
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2043
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2071
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2044
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2072
#EOF
2045
#EOF
2073
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2046
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2074
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2047
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2075
 
2048
 
2076
} # End of gammu_smsd()
2049
} # End of gammu_smsd()
2077
 
2050
 
2078
############################################################
2051
############################################################
2079
##                 Fonction "msec"                        ##
2052
##                 Fonction "msec"                        ##
2080
## - Apply the "fileserver" security level                ##
2053
## - Apply the "fileserver" security level                ##
2081
## - remove the "system request" for rebboting            ##
2054
## - remove the "system request" for rebboting            ##
2082
## - Fix several file permissions                         ##
2055
## - Fix several file permissions                         ##
2083
############################################################
2056
############################################################
2084
msec()
2057
msec()
2085
{
2058
{
2086
 
2059
 
2087
# Apply fileserver security level
2060
# Apply fileserver security level
2088
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2061
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2089
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2062
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2090
 
2063
 
2091
# Set permissions monitoring and enforcement
2064
# Set permissions monitoring and enforcement
2092
cat <<EOF > /etc/security/msec/perm.local
2065
cat <<EOF > /etc/security/msec/perm.local
2093
/var/log/firefwall/                     root.apache     750
2066
/var/log/firefwall/                     root.apache     750
2094
/var/log/firewall/*                     root.apache     640
2067
/var/log/firewall/*                     root.apache     640
2095
/etc/security/msec/perm.local           root.root       640
2068
/etc/security/msec/perm.local           root.root       640
2096
/etc/security/msec/level.local          root.root       640
2069
/etc/security/msec/level.local          root.root       640
2097
/etc/freeradius-web                     root.apache     750
2070
/etc/freeradius-web                     root.apache     750
2098
/etc/freeradius-web/admin.conf          root.apache     640
2071
/etc/freeradius-web/admin.conf          root.apache     640
2099
/etc/raddb/client.conf                  radius.radius   640
2072
/etc/raddb/client.conf                  radius.radius   640
2100
/etc/raddb/radius.conf                  radius.radius   640
2073
/etc/raddb/radius.conf                  radius.radius   640
2101
/etc/raddb/mods-available/ldap          radius.apache   660
2074
/etc/raddb/mods-available/ldap          radius.apache   660
2102
/etc/raddb/sites-available/alcasar      radius.apache   660
2075
/etc/raddb/sites-available/alcasar      radius.apache   660
2103
/etc/pki/*                              root.apache     750
2076
/etc/pki/*                              root.apache     750
2104
/var/log/netflow/porttracker            root.apache     770
2077
/var/log/netflow/porttracker            root.apache     770
2105
/var/log/netflow/porttracker/*          root.apache     660
2078
/var/log/netflow/porttracker/*          root.apache     660
2106
EOF
2079
EOF
2107
# apply now hourly & daily checks
2080
# apply now hourly & daily checks
2108
/usr/sbin/msec
2081
/usr/sbin/msec
2109
/etc/cron.weekly/msec
2082
/etc/cron.weekly/msec
2110
 
2083
 
2111
} # End of msec()
2084
} # End of msec()
2112
 
2085
 
2113
##################################################################
2086
##################################################################
2114
##                   Fonction "letsencrypt"                     ##
2087
##                   Fonction "letsencrypt"                     ##
2115
## - Install Let's Encrypt client                               ##
2088
## - Install Let's Encrypt client                               ##
2116
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2089
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2117
##################################################################
2090
##################################################################
2118
letsencrypt()
2091
letsencrypt()
2119
{
2092
{
2120
	echo "Installing Let's Encrypt client..."
2093
	echo "Installing Let's Encrypt client..."
2121
 
2094
 
2122
	# Remove potential old installers
2095
	# Remove potential old installers
2123
	rm -rf /tmp/acme.sh-*
2096
	rm -rf /tmp/acme.sh-*
2124
 
2097
 
2125
	# Extract acme.sh
2098
	# Extract acme.sh
2126
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2099
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2127
 
2100
 
2128
	pwdInstall=$(pwd)
2101
	pwdInstall=$(pwd)
2129
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2102
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2130
 
2103
 
2131
	acmesh_installDir="/opt/acme.sh"
2104
	acmesh_installDir="/opt/acme.sh"
2132
	acmesh_confDir="/usr/local/etc/letsencrypt"
2105
	acmesh_confDir="/usr/local/etc/letsencrypt"
2133
	acmesh_userAgent="ALCASAR"
2106
	acmesh_userAgent="ALCASAR"
2134
 
2107
 
2135
	# Install acme.sh
2108
	# Install acme.sh
2136
	./acme.sh --install \
2109
	./acme.sh --install \
2137
		--home $acmesh_installDir \
2110
		--home $acmesh_installDir \
2138
		--config-home $acmesh_confDir/data \
2111
		--config-home $acmesh_confDir/data \
2139
		--certhome $acmesh_confDir/certs \
2112
		--certhome $acmesh_confDir/certs \
2140
		--accountkey $acmesh_confDir/ca/account.key \
2113
		--accountkey $acmesh_confDir/ca/account.key \
2141
		--accountconf $acmesh_confDir/data/account.conf \
2114
		--accountconf $acmesh_confDir/data/account.conf \
2142
		--useragent $acmesh_userAgent \
2115
		--useragent $acmesh_userAgent \
2143
		--nocron \
2116
		--nocron \
2144
		> /dev/null
2117
		> /dev/null
2145
 
2118
 
2146
	if [ $? -ne 0 ]; then
2119
	if [ $? -ne 0 ]; then
2147
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2120
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2148
	fi
2121
	fi
2149
 
2122
 
2150
	# Create configuration file
2123
	# Create configuration file
2151
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2124
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2152
email=
2125
email=
2153
dateIssueRequest=
2126
dateIssueRequest=
2154
domainRequest=
2127
domainRequest=
2155
challenge=
2128
challenge=
2156
dateIssued=
2129
dateIssued=
2157
dnsapi=
2130
dnsapi=
2158
dateNextRenewal=
2131
dateNextRenewal=
2159
EOF
2132
EOF
2160
 
2133
 
2161
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2134
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2162
	rm -rf /tmp/acme.sh-*
2135
	rm -rf /tmp/acme.sh-*
2163
 
2136
 
2164
} # End of letsencrypt()
2137
} # End of letsencrypt()
2165
 
2138
 
2166
##################################################################
2139
##################################################################
2167
##                    Fonction "post_install"                   ##
2140
##                    Fonction "post_install"                   ##
2168
## - Modifying banners (locals et ssh) & prompts                ##
2141
## - Modifying banners (locals et ssh) & prompts                ##
2169
## - SSH config                                                 ##
2142
## - SSH config                                                 ##
2170
## - sudoers config & files security                            ##
2143
## - sudoers config & files security                            ##
2171
## - log rotate & ANSSI security parameters                     ##
2144
## - log rotate & ANSSI security parameters                     ##
2172
## - Apply former conf in case of an update                     ##
2145
## - Apply former conf in case of an update                     ##
2173
##################################################################
2146
##################################################################
2174
post_install()
2147
post_install()
2175
{
2148
{
2176
# change the SSH banner
2149
# change the SSH banner
2177
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2150
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2178
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2151
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2179
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2152
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2180
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2153
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2181
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2154
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2182
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2155
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2183
# postfix banner anonymisation
2156
# postfix banner anonymisation
2184
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2157
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2185
	chown -R postfix:postfix /var/lib/postfix
2158
	chown -R postfix:postfix /var/lib/postfix
2186
# sshd liste on EXTIF & INTIF
2159
# sshd liste on EXTIF & INTIF
2187
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2160
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2188
# sshd authorized certificate for root login
2161
# sshd authorized certificate for root login
2189
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2162
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2190
# ALCASAR conf file
2163
# ALCASAR conf file
2191
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
2164
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
2192
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2165
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2193
	echo "SSH=on" >> $CONF_FILE
2166
	echo "SSH=on" >> $CONF_FILE
2194
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2167
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2195
	echo "LDAP=off" >> $CONF_FILE
2168
	echo "LDAP=off" >> $CONF_FILE
2196
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2169
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2197
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2170
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2198
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2171
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2199
	echo "LDAP_FILTER=" >> $CONF_FILE
2172
	echo "LDAP_FILTER=" >> $CONF_FILE
2200
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2173
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2201
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2174
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2202
	echo "LDAP_SSL=on" >> $CONF_FILE
2175
	echo "LDAP_SSL=on" >> $CONF_FILE
2203
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2176
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2204
	echo "SMS=off" >> $CONF_FILE
2177
	echo "SMS=off" >> $CONF_FILE
2205
	echo "SMS_NUM=" >> $CONF_FILE
2178
	echo "SMS_NUM=" >> $CONF_FILE
2206
	echo "MULTIWAN=off" >> $CONF_FILE
2179
	echo "MULTIWAN=off" >> $CONF_FILE
2207
	echo "FAILOVER=30" >> $CONF_FILE
2180
	echo "FAILOVER=30" >> $CONF_FILE
2208
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2181
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2209
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2182
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2210
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2183
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2211
	echo "BL_PUREIP=on" >> $CONF_FILE
2184
	echo "BL_PUREIP=on" >> $CONF_FILE
2212
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2185
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2213
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2186
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2214
# Prompt customisation (colors)
2187
# Prompt customisation (colors)
2215
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2188
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2216
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2189
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2217
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2190
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2218
# sudoers configuration for "apache" & "sysadmin"
2191
# sudoers configuration for "apache" & "sysadmin"
2219
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2192
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2220
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2193
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2221
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2194
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2222
# Modify some logrotate files (gammu, ulogd)
2195
# Modify some logrotate files (gammu, ulogd)
2223
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2196
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2224
	chmod 644 /etc/logrotate.d/*
2197
	chmod 644 /etc/logrotate.d/*
2225
# Log compression
2198
# Log compression
2226
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2199
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2227
# actualisation des fichiers logs compressés
2200
# actualisation des fichiers logs compressés
2228
	for dir in firewall e2guardian lighttpd
2201
	for dir in firewall e2guardian lighttpd
2229
	do
2202
	do
2230
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2203
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2231
	done
2204
	done
2232
# create the alcasar-load_balancing unit
2205
# create the alcasar-load_balancing unit
2233
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2206
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2234
#  This file is part of systemd.
2207
#  This file is part of systemd.
2235
#
2208
#
2236
#  systemd is free software; you can redistribute it and/or modify it
2209
#  systemd is free software; you can redistribute it and/or modify it
2237
#  under the terms of the GNU General Public License as published by
2210
#  under the terms of the GNU General Public License as published by
2238
#  the Free Software Foundation; either version 2 of the License, or
2211
#  the Free Software Foundation; either version 2 of the License, or
2239
#  (at your option) any later version.
2212
#  (at your option) any later version.
2240
 
2213
 
2241
# This unit lauches alcasar-load-balancing.sh script.
2214
# This unit lauches alcasar-load-balancing.sh script.
2242
[Unit]
2215
[Unit]
2243
Description=alcasar-load_balancing.sh execution
2216
Description=alcasar-load_balancing.sh execution
2244
After=network.target iptables.service
2217
After=network.target iptables.service
2245
 
2218
 
2246
[Service]
2219
[Service]
2247
Type=oneshot
2220
Type=oneshot
2248
RemainAfterExit=yes
2221
RemainAfterExit=yes
2249
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2222
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2250
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2223
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2251
TimeoutSec=0
2224
TimeoutSec=0
2252
SysVStartPriority=99
2225
SysVStartPriority=99
2253
 
2226
 
2254
[Install]
2227
[Install]
2255
WantedBy=multi-user.target
2228
WantedBy=multi-user.target
2256
EOF
2229
EOF
2257
	/usr/bin/systemctl daemon-reload
2230
	/usr/bin/systemctl daemon-reload
2258
# processes launched at boot time (Systemctl)
2231
# processes launched at boot time (Systemctl)
2259
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2232
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2260
	do
2233
	do
2261
		/usr/bin/systemctl -q enable $i.service
2234
		/usr/bin/systemctl -q enable $i.service
2262
	done
2235
	done
2263
 
2236
 
2264
# disable processes at boot time (Systemctl)
2237
# disable processes at boot time (Systemctl)
2265
	for i in ulogd gpm dhcpd
2238
	for i in ulogd gpm dhcpd
2266
	do
2239
	do
2267
		/usr/bin/systemctl -q disable $i.service
2240
		/usr/bin/systemctl -q disable $i.service
2268
	done
2241
	done
2269
 
2242
 
2270
# Apply French Security Agency (ANSSI) rules
2243
# Apply French Security Agency (ANSSI) rules
2271
# ignore ICMP broadcast (smurf attack)
2244
# ignore ICMP broadcast (smurf attack)
2272
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2245
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2273
# ignore ICMP errors bogus
2246
# ignore ICMP errors bogus
2274
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2247
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2275
# remove ICMP redirects responces
2248
# remove ICMP redirects responces
2276
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2249
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2277
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2250
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2278
# enable SYN Cookies (Syn flood attacks)
2251
# enable SYN Cookies (Syn flood attacks)
2279
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2252
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2280
# enable kernel antispoofing
2253
# enable kernel antispoofing
2281
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2254
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2282
# ignore source routing
2255
# ignore source routing
2283
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2256
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2284
# set conntrack timer to 1h (3600s) instead of 5 weeks
2257
# set conntrack timer to 1h (3600s) instead of 5 weeks
2285
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2258
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2286
# disable log_martians (ALCASAR is often installed between two private network addresses)
2259
# disable log_martians (ALCASAR is often installed between two private network addresses)
2287
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2260
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2288
# disable iptables_helpers
2261
# disable iptables_helpers
2289
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2262
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2290
# Switch to the router mode
2263
# Switch to the router mode
2291
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2264
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2292
# Remove unused service ipv6
2265
# Remove unused service ipv6
2293
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2266
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2294
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2267
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2295
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2268
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2296
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2269
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2297
# switch to multi-users runlevel (instead of x11)
2270
# switch to multi-users runlevel (instead of x11)
2298
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2271
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2299
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2272
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2300
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2273
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2301
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2274
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2302
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2275
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2303
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2276
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2304
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2277
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2305
	if [ $vm_vga == 0 ] # is not a VM
2278
	if [ $vm_vga == 0 ] # is not a VM
2306
	then
2279
	then
2307
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2280
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2308
		echo >> /etc/mageia-release
2281
		echo >> /etc/mageia-release
2309
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2282
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2310
	fi
2283
	fi
2311
	if [ $Lang == "fr" ]
2284
	if [ $Lang == "fr" ]
2312
	then
2285
	then
2313
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2286
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2314
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2287
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2315
	else
2288
	else
2316
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2289
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2317
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2290
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2318
	fi
2291
	fi
2319
	/usr/bin/update-grub2
2292
	/usr/bin/update-grub2
2320
# Load and apply the previous conf file
2293
# Load and apply the previous conf file
2321
	if [ "$mode" = "update" ]
2294
	if [ "$mode" = "update" ]
2322
	then
2295
	then
2323
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2296
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2324
		$DIR_DEST_BIN/alcasar-conf.sh --load
2297
		$DIR_DEST_BIN/alcasar-conf.sh --load
2325
		PARENT_SCRIPT=`basename $0`
2298
		PARENT_SCRIPT=`basename $0`
2326
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2299
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2327
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2300
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2328
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2301
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2329
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2302
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2330
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2303
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2331
	fi
2304
	fi
2332
	rm -f /var/tmp/alcasar-conf*
2305
	rm -f /var/tmp/alcasar-conf*
2333
	chown -R root:apache $DIR_DEST_ETC/*
2306
	chown -R root:apache $DIR_DEST_ETC/*
2334
	chmod -R 660 $DIR_DEST_ETC/*
2307
	chmod -R 660 $DIR_DEST_ETC/*
2335
	chmod ug+x $DIR_DEST_ETC/digest
2308
	chmod ug+x $DIR_DEST_ETC/digest
2336
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2309
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2337
	echo ""
2310
	echo ""
2338
	echo "#############################################################################"
2311
	echo "#############################################################################"
2339
	if [ $Lang == "fr" ]
2312
	if [ $Lang == "fr" ]
2340
		then
2313
		then
2341
		echo "#                        Fin d'installation d'ALCASAR                       #"
2314
		echo "#                        Fin d'installation d'ALCASAR                       #"
2342
		echo "#                                                                           #"
2315
		echo "#                                                                           #"
2343
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2316
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2344
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2317
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2345
		echo "#                                                                           #"
2318
		echo "#                                                                           #"
2346
		echo "#############################################################################"
2319
		echo "#############################################################################"
2347
		echo
2320
		echo
2348
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2321
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2349
		echo
2322
		echo
2350
		echo "- Lisez attentivement la documentation d'exploitation"
2323
		echo "- Lisez attentivement la documentation d'exploitation"
2351
		echo
2324
		echo
2352
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2325
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2353
		echo
2326
		echo
2354
		echo "                   Appuyez sur 'Entrée' pour continuer"
2327
		echo "                   Appuyez sur 'Entrée' pour continuer"
2355
	else
2328
	else
2356
		echo "#                        End of ALCASAR install process                     #"
2329
		echo "#                        End of ALCASAR install process                     #"
2357
		echo "#                                                                           #"
2330
		echo "#                                                                           #"
2358
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2331
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2359
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2332
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2360
		echo "#                                                                           #"
2333
		echo "#                                                                           #"
2361
		echo "#############################################################################"
2334
		echo "#############################################################################"
2362
		echo
2335
		echo
2363
		echo "- The system will be rebooted in order to operate ALCASAR"
2336
		echo "- The system will be rebooted in order to operate ALCASAR"
2364
		echo
2337
		echo
2365
		echo "- Read the exploitation documentation"
2338
		echo "- Read the exploitation documentation"
2366
		echo
2339
		echo
2367
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2340
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2368
		echo
2341
		echo
2369
		echo "                   Hit 'Enter' to continue"
2342
		echo "                   Hit 'Enter' to continue"
2370
	fi
2343
	fi
2371
	sleep 2
2344
	sleep 2
2372
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2345
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2373
	then
2346
	then
2374
		read
2347
		read
2375
	fi
2348
	fi
2376
	clear
2349
	clear
2377
	reboot
2350
	reboot
2378
} # End of post_install()
2351
} # End of post_install()
2379
 
2352
 
2380
#####################################################################################
2353
#####################################################################################
2381
#                                   Main Install loop                               #
2354
#                                   Main Install loop                               #
2382
#####################################################################################
2355
#####################################################################################
2383
dir_exec=`dirname "$0"`
2356
dir_exec=`dirname "$0"`
2384
if [ $dir_exec != "." ]
2357
if [ $dir_exec != "." ]
2385
then
2358
then
2386
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2359
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2387
	echo "Launch this program from the ALCASAR archive directory"
2360
	echo "Launch this program from the ALCASAR archive directory"
2388
	exit 0
2361
	exit 0
2389
fi
2362
fi
2390
if [ $EUID -gt 0 ]
2363
if [ $EUID -gt 0 ]
2391
then
2364
then
2392
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2365
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2393
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2366
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2394
	exit 0
2367
	exit 0
2395
fi
2368
fi
2396
VERSION=`cat $DIR_INSTALL/VERSION`
2369
VERSION=`cat $DIR_INSTALL/VERSION`
2397
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2370
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2398
nb_args=$#
2371
nb_args=$#
2399
args=$1
2372
args=$1
2400
if [ $nb_args -eq 0 ]
2373
if [ $nb_args -eq 0 ]
2401
then
2374
then
2402
	nb_args=1
2375
	nb_args=1
2403
	args="-h"
2376
	args="-h"
2404
fi
2377
fi
2405
chmod -R u+x $DIR_SCRIPTS/*
2378
chmod -R u+x $DIR_SCRIPTS/*
2406
case $args in
2379
case $args in
2407
	-\? | -h* | --h*)
2380
	-\? | -h* | --h*)
2408
		echo "$usage"
2381
		echo "$usage"
2409
		exit 0
2382
		exit 0
2410
		;;
2383
		;;
2411
	-i | --install)
2384
	-i | --install)
2412
		for func in license testing
2385
		for func in license testing
2413
		do
2386
		do
2414
			header_install
2387
			header_install
2415
			$func
2388
			$func
2416
			if [ $DEBUG_ALCASAR == "on" ]
2389
			if [ $DEBUG_ALCASAR == "on" ]
2417
			then
2390
			then
2418
				echo "*** 'debug' : end of install '$func' ***"
2391
				echo "*** 'debug' : end of install '$func' ***"
2419
				read
2392
				read
2420
			fi
2393
			fi
2421
		done
2394
		done
2422
# RPMs install
2395
# RPMs install
2423
		$DIR_SCRIPTS/alcasar-urpmi.sh
2396
		$DIR_SCRIPTS/alcasar-urpmi.sh
2424
		if [ "$?" != "0" ]
2397
		if [ "$?" != "0" ]
2425
		then
2398
		then
2426
			exit 0
2399
			exit 0
2427
		fi
2400
		fi
2428
		if [ -e $CONF_FILE ]
2401
		if [ -e $CONF_FILE ]
2429
		then
2402
		then
2430
# Uninstall or update the running version
2403
# Uninstall or update the running version
2431
			if [ "$mode" == "update" ]
2404
			if [ "$mode" == "update" ]
2432
			then
2405
			then
2433
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2406
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2434
			else
2407
			else
2435
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2408
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2436
			fi
2409
			fi
2437
		fi
2410
		fi
2438
	if [ $DEBUG_ALCASAR == "on" ]
2411
	if [ $DEBUG_ALCASAR == "on" ]
2439
	then
2412
	then
2440
		echo "*** 'debug' : end of cleaning ***"
2413
		echo "*** 'debug' : end of cleaning ***"
2441
		read
2414
		read
2442
	fi
2415
	fi
2443
# Test if manual update
2416
# Test if manual update
2444
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2417
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2445
		then
2418
		then
2446
			header_install
2419
			header_install
2447
			if [ $Lang == "fr" ]
2420
			if [ $Lang == "fr" ]
2448
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2421
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2449
				else echo "The configuration file of an old version has been found";
2422
				else echo "The configuration file of an old version has been found";
2450
			fi
2423
			fi
2451
			response=0
2424
			response=0
2452
			PTN='^[oOnNyY]?$'
2425
			PTN='^[oOnNyY]?$'
2453
			until [[ "$response" =~ $PTN ]]
2426
			until [[ "$response" =~ $PTN ]]
2454
			do
2427
			do
2455
				if [ $Lang == "fr" ]
2428
				if [ $Lang == "fr" ]
2456
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2429
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2457
					else echo -n "Do you want to use it (Y/n)?";
2430
					else echo -n "Do you want to use it (Y/n)?";
2458
				 fi
2431
				 fi
2459
				read response
2432
				read response
2460
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2433
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2461
				then rm -f /var/tmp/alcasar-conf*
2434
				then rm -f /var/tmp/alcasar-conf*
2462
				fi
2435
				fi
2463
			done
2436
			done
2464
		fi
2437
		fi
2465
# Test if update
2438
# Test if update
2466
		if [ -e /var/tmp/alcasar-conf* ]
2439
		if [ -e /var/tmp/alcasar-conf* ]
2467
		then
2440
		then
2468
			if [ $Lang == "fr" ]
2441
			if [ $Lang == "fr" ]
2469
				then echo "#### Installation avec mise à jour ####";
2442
				then echo "#### Installation avec mise à jour ####";
2470
				else echo "#### Installation with update     ####";
2443
				else echo "#### Installation with update     ####";
2471
			fi
2444
			fi
2472
# Extract some info from the previous configuration file
2445
# Extract some info from the previous configuration file
2473
			tar -xf /var/tmp/alcasar-conf* conf/etc/alcasar.conf
2446
			tar -xf /var/tmp/alcasar-conf* conf/etc/alcasar.conf
2474
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2447
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2475
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2448
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2476
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2449
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2477
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2450
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2478
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2451
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2479
			mode="update"
2452
			mode="update"
2480
		fi
2453
		fi
2481
		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2454
		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2482
		do
2455
		do
2483
			$func
2456
			$func
2484
			if [ $DEBUG_ALCASAR == "on" ]
2457
			if [ $DEBUG_ALCASAR == "on" ]
2485
			then
2458
			then
2486
				echo "*** 'debug' : end of install '$func' ***"
2459
				echo "*** 'debug' : end of install '$func' ***"
2487
				read
2460
				read
2488
			fi
2461
			fi
2489
		done
2462
		done
2490
		;;
2463
		;;
2491
	-u | --uninstall)
2464
	-u | --uninstall)
2492
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2465
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2493
		then
2466
		then
2494
			if [ $Lang == "fr" ]
2467
			if [ $Lang == "fr" ]
2495
				then echo "ALCASAR n'est pas installé!";
2468
				then echo "ALCASAR n'est pas installé!";
2496
				else echo "ALCASAR isn't installed!";
2469
				else echo "ALCASAR isn't installed!";
2497
			fi
2470
			fi
2498
			exit 0
2471
			exit 0
2499
		fi
2472
		fi
2500
		response=0
2473
		response=0
2501
		PTN='^[oOyYnN]?$'
2474
		PTN='^[oOyYnN]?$'
2502
		until [[ "$response" =~ $PTN ]]
2475
		until [[ "$response" =~ $PTN ]]
2503
		do
2476
		do
2504
			if [ $Lang == "fr" ]
2477
			if [ $Lang == "fr" ]
2505
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
2478
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
2506
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2479
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2507
			fi
2480
			fi
2508
			read response
2481
			read response
2509
		done
2482
		done
2510
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2483
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2511
		then
2484
		then
2512
			$DIR_SCRIPTS/alcasar-conf.sh --create
2485
			$DIR_SCRIPTS/alcasar-conf.sh --create
2513
		else
2486
		else
2514
			rm -f /var/tmp/alcasar-conf*
2487
			rm -f /var/tmp/alcasar-conf*
2515
		fi
2488
		fi
2516
# Uninstall the running version
2489
# Uninstall the running version
2517
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2490
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2518
		;;
2491
		;;
2519
	*)
2492
	*)
2520
		echo "Argument inconnu :$1";
2493
		echo "Argument inconnu :$1";
2521
		echo "Unknown argument :$1";
2494
		echo "Unknown argument :$1";
2522
		echo "$usage"
2495
		echo "$usage"
2523
		exit 1
2496
		exit 1
2524
		;;
2497
		;;
2525
esac
2498
esac
2526
# end of script
2499
# end of script
2527
 
2500
 
2528
 
2501
 
2529

Generated by GNU Enscript 1.6.6.
2502

Generated by GNU Enscript 1.6.6.
2530
 
2503
 
2531
 
2504
 
2532
 
2505