1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 2981 2021-07-23 14:37:14Z rexy $
|
2 |
# $Id: alcasar.sh 2990 2022-02-21 23:20:55Z rexy $
|
3 |
|
3 |
|
4 |
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
4 |
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
|
5 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
|
6 |
# contact : info@alcasar.net
|
6 |
# contact : info@alcasar.net
|
7 |
|
7 |
|
10 |
|
10 |
|
11 |
# Options :
|
11 |
# Options :
|
12 |
# -i or --install
|
12 |
# -i or --install
|
13 |
# -u or --uninstall
|
13 |
# -u or --uninstall
|
14 |
# Functions :
|
14 |
# Functions :
|
15 |
# testing : connectivity tests, free space test and mageia version test
|
15 |
# system_testing : Free space test and mageia version test
|
- |
|
16 |
# network_testing : Internet connectivity tests
|
16 |
# init : Installation of RPM and scripts
|
17 |
# init : Installation of RPM and scripts
|
17 |
# network : Network parameters
|
18 |
# network : Network parameters
|
18 |
# ACC : ALCASAR Control Center installation
|
19 |
# ACC : ALCASAR Control Center installation
|
19 |
# CA : Certification Authority initialization
|
20 |
# CA : Certification Authority initialization
|
20 |
# time_server : NTPd configuration
|
21 |
# time_server : NTPd configuration
|
21 |
# init_db : Initilization of radius database managed with MariaDB
|
22 |
# init_db : Initilization of radius database managed with MariaDB
|
22 |
# freeradius : FreeRadius initialisation
|
23 |
# freeradius : FreeRadius initialisation
|
23 |
# chilli : coovachilli initialisation (+authentication page)
|
24 |
# chilli : Coovachilli initialisation (+authentication page)
|
24 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
25 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
25 |
# antivirus : clamav & freshclam configuration
|
26 |
# antivirus : Clamav & freshclam configuration
|
26 |
# ulogd : log system in userland (match NFLOG target of iptables)
|
27 |
# ulogd : Log system in userland (match NFLOG target of iptables)
|
27 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
28 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
28 |
# unbound : Name server configuration
|
29 |
# unbound : Name server configuration
|
29 |
# dnsmasq : Name server configuration (for whitelist ipset support)
|
30 |
# dnsmasq : Name server configuration (for whitelist ipset support)
|
30 |
# vnstat : little network stat daemon
|
31 |
# vnstat : Little network stat daemon
|
31 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
|
32 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
|
32 |
# cron : Logs export + watchdog + connexion statistics
|
33 |
# cron : Logs export + watchdog + connexion statistics
|
33 |
# fail2ban : Fail2ban IDS installation and configuration
|
34 |
# fail2ban : Fail2ban IDS installation and configuration
|
34 |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
|
35 |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
|
35 |
# msec : Mageia security package configuration
|
36 |
# msec : Mageia security package configuration
|
36 |
# letsencrypt : Let's Encrypt client
|
37 |
# letsencrypt : Let's Encrypt client
|
- |
|
38 |
# mail_service : Mail service for email authentification method
|
37 |
# post_install : Security, log rotation, etc.
|
39 |
# post_install : Security, log rotation, etc.
|
38 |
|
40 |
|
39 |
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function
|
41 |
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function
|
40 |
DATE=`date '+%d %B %Y - %Hh%M'`
|
42 |
DATE=`date '+%d %B %Y - %Hh%M'`
|
41 |
DATE_SHORT=`date '+%d/%m/%Y'`
|
43 |
DATE_SHORT=`date '+%d/%m/%Y'`
|
102 |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
|
104 |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
|
103 |
echo "-----------------------------------------------------------------------------"
|
105 |
echo "-----------------------------------------------------------------------------"
|
104 |
} # End of header_install()
|
106 |
} # End of header_install()
|
105 |
|
107 |
|
106 |
########################################################
|
108 |
########################################################
|
107 |
## Function "testing_system" ##
|
109 |
## "system_testing" ##
|
108 |
## - Test Mageia version ##
|
110 |
## - Test Mageia version ##
|
109 |
## - Test ALCASAR version (if already installed) ##
|
111 |
## - Test ALCASAR version (if already installed) ##
|
110 |
## - Test free space on /var (>10G) ##
|
112 |
## - Test free space on /var (>10G) ##
|
111 |
## - Test Internet access ##
|
113 |
## - Test Internet access ##
|
112 |
########################################################
|
114 |
########################################################
|
113 |
testing_system()
|
115 |
system_testing()
|
114 |
{
|
116 |
{
|
115 |
# Test of Mageia version
|
117 |
# Test of Mageia version
|
116 |
# extract the current Mageia version and hardware architecture (i586 ou X64)
|
118 |
# extract the current Mageia version and hardware architecture (i586 ou X64)
|
117 |
fic=`cat /etc/product.id`
|
119 |
fic=`cat /etc/product.id`
|
118 |
unknown_os=0
|
120 |
unknown_os=0
|
220 |
then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
|
222 |
then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
|
221 |
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
|
223 |
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
|
222 |
fi
|
224 |
fi
|
223 |
exit 0
|
225 |
exit 0
|
224 |
fi
|
226 |
fi
|
225 |
} # End of testing_system
|
227 |
} # End of system_testing
|
226 |
|
228 |
|
227 |
########################################################
|
229 |
########################################################
|
228 |
## Function "testing_network" ##
|
230 |
## "network_testing" ##
|
229 |
## - Test Internet access ##
|
231 |
## - Internet access test ##
|
230 |
########################################################
|
232 |
########################################################
|
231 |
testing_network()
|
233 |
network_testing()
|
232 |
{
|
234 |
{
|
233 |
# Detect external/internal interfaces
|
235 |
# Detect external/internal interfaces
|
234 |
if [ -z "$EXTIF" ]; then
|
236 |
if [ -z "$EXTIF" ]; then
|
235 |
EXTIF=$(/usr/sbin/ip route list | awk '/ via / {print $5}' | uniq)
|
237 |
EXTIF=$(/usr/sbin/ip route list | awk '/ via / {print $5}' | uniq)
|
236 |
if [ -z "$EXTIF" ]; then
|
238 |
if [ -z "$EXTIF" ]; then
|
391 |
echo "Verify the DNS IP addresses"
|
393 |
echo "Verify the DNS IP addresses"
|
392 |
fi
|
394 |
fi
|
393 |
exit 1
|
395 |
exit 1
|
394 |
fi
|
396 |
fi
|
395 |
echo ". : ok"
|
397 |
echo ". : ok"
|
396 |
} # End of testing_network()
|
398 |
} # End of network_testing()
|
397 |
|
399 |
|
398 |
#######################################################################
|
400 |
#######################################################################
|
399 |
## Function "init" ##
|
401 |
## "init" ##
|
400 |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
|
402 |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
|
401 |
## - Creation of random password for GRUB, mariadb (admin and user) ##
|
403 |
## - Creation of random password for GRUB, mariadb (admin and user) ##
|
402 |
#######################################################################
|
404 |
#######################################################################
|
403 |
init()
|
405 |
init()
|
404 |
{
|
406 |
{
|
470 |
EOF
|
472 |
EOF
|
471 |
chmod o-rwx $CONF_FILE
|
473 |
chmod o-rwx $CONF_FILE
|
472 |
} # End of init()
|
474 |
} # End of init()
|
473 |
|
475 |
|
474 |
#########################################################
|
476 |
#########################################################
|
475 |
## Function "network" ##
|
477 |
## "network" ##
|
476 |
## - Define the several network address ##
|
478 |
## - Define the several network address ##
|
477 |
## - Define the DNS naming ##
|
479 |
## - Define the DNS naming ##
|
478 |
## - INTIF parameters (consultation network) ##
|
480 |
## - INTIF parameters (consultation network) ##
|
479 |
## - Write "/etc/hosts" file ##
|
481 |
## - Write "/etc/hosts" file ##
|
480 |
## - write "hosts.allow" & "hosts.deny" files ##
|
482 |
## - write "hosts.allow" & "hosts.deny" files ##
|
751 |
|
753 |
|
752 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
|
754 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
|
753 |
} # End of network()
|
755 |
} # End of network()
|
754 |
|
756 |
|
755 |
##################################################################
|
757 |
##################################################################
|
756 |
## Fonction "CA" ##
|
758 |
## "CA" ##
|
757 |
## - Creating the CA and the server certificate (lighttpd) ##
|
759 |
## - Creating the CA and the server certificate (lighttpd) ##
|
758 |
##################################################################
|
760 |
##################################################################
|
759 |
CA()
|
761 |
CA()
|
760 |
{
|
762 |
{
|
761 |
$DIR_DEST_BIN/alcasar-CA.sh
|
763 |
$DIR_DEST_BIN/alcasar-CA.sh
|
767 |
chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
|
769 |
chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
|
768 |
chmod 640 /etc/pki/tls/private/*
|
770 |
chmod 640 /etc/pki/tls/private/*
|
769 |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
|
771 |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
|
770 |
} # End of CA()
|
772 |
} # End of CA()
|
771 |
|
773 |
|
772 |
###################################################
|
774 |
######################################################
|
773 |
## Function "ACC" ##
|
775 |
## "ACC" ##
|
774 |
## - copy ALCASAR Control Center (ACC) files ##
|
776 |
## - copy ALCASAR Control Center (ACC) files ##
|
775 |
## - configuration of the web server (Lighttpd) ##
|
777 |
## - configuration of the web server (Lighttpd) ##
|
776 |
## - creation of the first ACC admin account ##
|
778 |
## - creation of the first ACC admin account ##
|
777 |
## - secure the ACC access ##
|
779 |
## - secure the ACC access ##
|
778 |
###################################################
|
780 |
######################################################
|
779 |
ACC()
|
781 |
ACC()
|
780 |
{
|
782 |
{
|
781 |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
|
783 |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
|
782 |
mkdir $DIR_WEB
|
784 |
mkdir $DIR_WEB
|
783 |
# Copy & adapt ACC files
|
785 |
# Copy & adapt ACC files
|
889 |
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
|
891 |
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
|
890 |
cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
|
892 |
cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
|
891 |
} # End of ACC()
|
893 |
} # End of ACC()
|
892 |
|
894 |
|
893 |
#############################################################
|
895 |
#############################################################
|
894 |
## Function "time_server" ##
|
896 |
## "time_server" ##
|
895 |
## - Configuring NTP server ##
|
897 |
## - Configuring NTP server ##
|
896 |
#############################################################
|
898 |
#############################################################
|
897 |
time_server()
|
899 |
time_server()
|
898 |
{
|
900 |
{
|
899 |
# Set the Internet time server
|
901 |
# Set the Internet time server
|
920 |
# Synchronize now
|
922 |
# Synchronize now
|
921 |
ntpd -4 -q -g &
|
923 |
ntpd -4 -q -g &
|
922 |
} # End of time_server()
|
924 |
} # End of time_server()
|
923 |
|
925 |
|
924 |
#####################################################################
|
926 |
#####################################################################
|
925 |
## Function "init_db" ##
|
927 |
## "init_db" ##
|
926 |
## - Mysql initialization ##
|
928 |
## - Mysql initialization ##
|
927 |
## - Set admin (root) password ##
|
929 |
## - Set admin (root) password ##
|
928 |
## - Remove unused users & databases ##
|
930 |
## - Remove unused users & databases ##
|
929 |
## - Radius database creation ##
|
931 |
## - Radius database creation ##
|
930 |
## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
|
932 |
## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
|
973 |
/usr/bin/systemctl unset-environment MYSQLD_OPTS
|
975 |
/usr/bin/systemctl unset-environment MYSQLD_OPTS
|
974 |
/usr/bin/systemctl daemon-reload
|
976 |
/usr/bin/systemctl daemon-reload
|
975 |
} # End of init_db()
|
977 |
} # End of init_db()
|
976 |
|
978 |
|
977 |
###################################################################
|
979 |
###################################################################
|
978 |
## Function "freeradius" ##
|
980 |
## "freeradius" ##
|
979 |
## - Set the configuration files ##
|
981 |
## - Set the configuration files ##
|
980 |
## - Set the shared secret between coova-chilli and freeradius ##
|
982 |
## - Set the shared secret between coova-chilli and freeradius ##
|
981 |
## - Adapt the Mysql conf file and counters ##
|
983 |
## - Adapt the Mysql conf file and counters ##
|
982 |
###################################################################
|
984 |
###################################################################
|
983 |
freeradius()
|
985 |
freeradius()
|
1059 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1061 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1060 |
chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1062 |
chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1061 |
} # End of freeradius()
|
1063 |
} # End of freeradius()
|
1062 |
|
1064 |
|
1063 |
#############################################################################
|
1065 |
#############################################################################
|
1064 |
## Function "chilli" ##
|
1066 |
## "chilli" ##
|
1065 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
1067 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
1066 |
## - Adapt the authentication web page (intercept.php) ##
|
1068 |
## - Adapt the authentication web page (intercept.php) ##
|
1067 |
#############################################################################
|
1069 |
#############################################################################
|
1068 |
chilli()
|
1070 |
chilli()
|
1069 |
{
|
1071 |
{
|
1260 |
groupadd -f chilli
|
1262 |
groupadd -f chilli
|
1261 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
1263 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
1262 |
} # End of chilli()
|
1264 |
} # End of chilli()
|
1263 |
|
1265 |
|
1264 |
################################################################
|
1266 |
################################################################
|
1265 |
## Function "e2guardian" ##
|
1267 |
## "e2guardian" ##
|
1266 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1268 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1267 |
################################################################
|
1269 |
################################################################
|
1268 |
e2guardian()
|
1270 |
e2guardian()
|
1269 |
{
|
1271 |
{
|
1270 |
# Adapt systemd unit
|
1272 |
# Adapt systemd unit
|
1371 |
mkdir -p /var/log/e2guardian
|
1373 |
mkdir -p /var/log/e2guardian
|
1372 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1374 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1373 |
} # End of e2guardian()
|
1375 |
} # End of e2guardian()
|
1374 |
|
1376 |
|
1375 |
##################################################################
|
1377 |
##################################################################
|
1376 |
## Function "antivirus" ##
|
1378 |
## "antivirus" ##
|
1377 |
## - Set the parameters of clamav and freshclam ##
|
1379 |
## - Set the parameters of clamav and freshclam ##
|
1378 |
##################################################################
|
1380 |
##################################################################
|
1379 |
antivirus()
|
1381 |
antivirus()
|
1380 |
{
|
1382 |
{
|
1381 |
# Clamd unit adaptation to e2guardian
|
1383 |
# Clamd unit adaptation to e2guardian
|
1406 |
# update now
|
1408 |
# update now
|
1407 |
/usr/bin/freshclam --no-warnings --quiet
|
1409 |
/usr/bin/freshclam --no-warnings --quiet
|
1408 |
} # End of antivirus()
|
1410 |
} # End of antivirus()
|
1409 |
|
1411 |
|
1410 |
##############################################################
|
1412 |
##############################################################
|
1411 |
## function "ulogd" ##
|
1413 |
## "ulogd" ##
|
1412 |
## - Ulog config for multi-log files ##
|
1414 |
## - Ulog config for multi-log files ##
|
1413 |
##############################################################
|
1415 |
##############################################################
|
1414 |
ulogd()
|
1416 |
ulogd()
|
1415 |
{
|
1417 |
{
|
1416 |
# Three instances of ulogd (three different logfiles)
|
1418 |
# Three instances of ulogd (three different logfiles)
|
1434 |
chmod 750 /var/log/firewall
|
1436 |
chmod 750 /var/log/firewall
|
1435 |
chmod 640 /var/log/firewall/*
|
1437 |
chmod 640 /var/log/firewall/*
|
1436 |
} # End of ulogd()
|
1438 |
} # End of ulogd()
|
1437 |
|
1439 |
|
1438 |
##########################################################
|
1440 |
##########################################################
|
1439 |
## Function "nfsen" ##
|
1441 |
## "nfsen" ##
|
1440 |
## - configure NetFlow collector (nfcapd) ##
|
1442 |
## - configure NetFlow collector (nfcapd) ##
|
1441 |
## - configure NetFlow grapher (nfsen-ng) ##
|
1443 |
## - configure NetFlow grapher (nfsen-ng) ##
|
1442 |
##########################################################
|
1444 |
##########################################################
|
1443 |
nfsen()
|
1445 |
nfsen()
|
1444 |
{
|
1446 |
{
|
1473 |
[ -d /run/nfcapd ] || mkdir -p /run/nfcapd
|
1475 |
[ -d /run/nfcapd ] || mkdir -p /run/nfcapd
|
1474 |
chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
|
1476 |
chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
|
1475 |
} # End of nfsen()
|
1477 |
} # End of nfsen()
|
1476 |
|
1478 |
|
1477 |
###########################################################
|
1479 |
###########################################################
|
1478 |
## Function "vnstat" ##
|
1480 |
## "vnstat" ##
|
1479 |
## - Initialization of vnstat and vnstat-dashboard ##
|
1481 |
## - Initialization of vnstat and vnstat-dashboard ##
|
1480 |
###########################################################
|
1482 |
###########################################################
|
1481 |
vnstat()
|
1483 |
vnstat()
|
1482 |
{
|
1484 |
{
|
1483 |
# vnstat
|
1485 |
# vnstat
|
1490 |
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
|
1492 |
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
|
1491 |
$SED "s?^PIDFile=.*?PIDFile=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
|
1493 |
$SED "s?^PIDFile=.*?PIDFile=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
|
1492 |
} # End of vnstat()
|
1494 |
} # End of vnstat()
|
1493 |
|
1495 |
|
1494 |
###################################################################
|
1496 |
###################################################################
|
1495 |
## Function "dnsmasq" ##
|
1497 |
## "dnsmasq" ##
|
1496 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
1498 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
1497 |
###################################################################
|
1499 |
###################################################################
|
1498 |
dnsmasq()
|
1500 |
dnsmasq()
|
1499 |
{
|
1501 |
{
|
1500 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1502 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1515 |
filterwin2k
|
1517 |
filterwin2k
|
1516 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1518 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1517 |
server=$DNS1
|
1519 |
server=$DNS1
|
1518 |
server=$DNS2
|
1520 |
server=$DNS2
|
1519 |
EOF
|
1521 |
EOF
|
- |
|
1522 |
|
1520 |
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
|
1523 |
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
|
1521 |
systemctl disable dnsmasq.service
|
1524 |
systemctl disable dnsmasq.service
|
1522 |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
|
1525 |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
|
1523 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1526 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1524 |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1527 |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1525 |
} # End of dnsmasq()
|
1528 |
} # End of dnsmasq()
|
1526 |
|
1529 |
|
1527 |
#########################################################
|
1530 |
#########################################################
|
1528 |
## Function "unbound" ##
|
1531 |
## "unbound" ##
|
1529 |
## - create the conf files for 4 unbound services ##
|
1532 |
## - create the conf files for 4 unbound services ##
|
1530 |
## - create the systemd files for 4 unbound services ##
|
1533 |
## - create the systemd files for 4 unbound services ##
|
1531 |
#########################################################
|
1534 |
#########################################################
|
1532 |
unbound ()
|
1535 |
unbound ()
|
1533 |
{
|
1536 |
{
|
1687 |
do-ip6: no
|
1690 |
do-ip6: no
|
1688 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1691 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1689 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1692 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1690 |
include: /etc/unbound/conf.d/blackhole/*
|
1693 |
include: /etc/unbound/conf.d/blackhole/*
|
1691 |
EOF
|
1694 |
EOF
|
1692 |
|
- |
|
1693 |
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
|
1695 |
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
|
1694 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
|
1696 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
|
1695 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
|
1697 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
|
1696 |
for list in blacklist blackhole whitelist
|
1698 |
for list in blacklist blackhole whitelist
|
1697 |
do
|
1699 |
do
|
1701 |
done
|
1703 |
done
|
1702 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
|
1704 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
|
1703 |
} # End of unbound()
|
1705 |
} # End of unbound()
|
1704 |
|
1706 |
|
1705 |
##################################################
|
1707 |
##################################################
|
1706 |
## Function "dhcpd" ##
|
1708 |
## "dhcpd" ##
|
1707 |
##################################################
|
1709 |
##################################################
|
1708 |
dhcpd()
|
1710 |
dhcpd()
|
1709 |
{
|
1711 |
{
|
1710 |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
|
1712 |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
|
1711 |
cat <<EOF > /etc/dhcpd.conf
|
1713 |
cat <<EOF > /etc/dhcpd.conf
|
1720 |
}
|
1722 |
}
|
1721 |
EOF
|
1723 |
EOF
|
1722 |
} # End of dhcpd()
|
1724 |
} # End of dhcpd()
|
1723 |
|
1725 |
|
1724 |
##########################################################
|
1726 |
##########################################################
|
1725 |
## Function "BL" ##
|
1727 |
## "BL" ##
|
1726 |
## - copy & adapt Toulouse BL to ALCASAR architecture ##
|
1728 |
## - copy & adapt Toulouse BL to ALCASAR architecture ##
|
1727 |
## - domain names for unbound-bl & unbound-wl ##
|
1729 |
## - domain names for unbound-bl & unbound-wl ##
|
1728 |
## - URLs for E²guardian ##
|
1730 |
## - URLs for E²guardian ##
|
1729 |
## - IPs for NetFilter ##
|
1731 |
## - IPs for NetFilter ##
|
1730 |
## - copy additional BLs (TOR + Ultrasurf + C&C) ##
|
1732 |
## - copy additional BLs (TOR + Ultrasurf + C&C) ##
|
1758 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
|
1760 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
|
1759 |
rm -rf /tmp/blacklists
|
1761 |
rm -rf /tmp/blacklists
|
1760 |
} # End of BL()
|
1762 |
} # End of BL()
|
1761 |
|
1763 |
|
1762 |
#######################################################
|
1764 |
#######################################################
|
1763 |
## Function "cron" ##
|
1765 |
## "cron" ##
|
1764 |
## - write all cron & anacron files ##
|
1766 |
## - write all cron & anacron files ##
|
1765 |
#######################################################
|
1767 |
#######################################################
|
1766 |
cron()
|
1768 |
cron()
|
1767 |
{
|
1769 |
{
|
1768 |
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
|
1770 |
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
|
1849 |
# removing the users crons
|
1851 |
# removing the users crons
|
1850 |
rm -f /var/spool/cron/*
|
1852 |
rm -f /var/spool/cron/*
|
1851 |
} # End of cron()
|
1853 |
} # End of cron()
|
1852 |
|
1854 |
|
1853 |
########################################################################
|
1855 |
########################################################################
|
1854 |
## Fonction "Fail2Ban" ##
|
1856 |
## "Fail2Ban" ##
|
1855 |
##- Adapt conf file to ALCASAR ##
|
1857 |
##- Adapt conf file to ALCASAR ##
|
1856 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
|
1858 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
|
1857 |
########################################################################
|
1859 |
########################################################################
|
1858 |
fail2ban()
|
1860 |
fail2ban()
|
1859 |
{
|
1861 |
{
|
1950 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
|
1952 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
|
1951 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
|
1953 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
|
1952 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
|
1954 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
|
1953 |
} # End of fail2ban()
|
1955 |
} # End of fail2ban()
|
1954 |
|
1956 |
|
1955 |
#########################################################
|
1957 |
########################################################
|
1956 |
## Fonction "gammu_smsd" ##
|
1958 |
## "gammu_smsd" ##
|
1957 |
## - Creating of SMS management database ##
|
1959 |
## - Creating of SMS management database ##
|
1958 |
## - Write the gammu a gammu_smsd conf files ##
|
1960 |
## - Write the gammu a gammu_smsd conf files ##
|
1959 |
#########################################################
|
1961 |
########################################################
|
1960 |
gammu_smsd()
|
1962 |
gammu_smsd()
|
1961 |
{
|
1963 |
{
|
1962 |
# Create 'gammu' system user
|
1964 |
# Create 'gammu' system user
|
1963 |
groupadd -f gammu_smsd
|
1965 |
groupadd -f gammu_smsd
|
1964 |
useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
|
1966 |
useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
|
2039 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
|
2041 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
|
2040 |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
|
2042 |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
|
2041 |
|
2043 |
|
2042 |
} # End of gammu_smsd()
|
2044 |
} # End of gammu_smsd()
|
2043 |
|
2045 |
|
2044 |
############################################################
|
2046 |
########################################################
|
2045 |
## Fonction "msec" ##
|
2047 |
## "msec" ##
|
2046 |
## - Apply the "fileserver" security level ##
|
2048 |
## - Apply the "fileserver" security level ##
|
2047 |
## - remove the "system request" for rebooting ##
|
2049 |
## - remove the "system request" for rebooting ##
|
2048 |
## - Fix several file permissions ##
|
2050 |
## - Fix several file permissions ##
|
2049 |
############################################################
|
2051 |
########################################################
|
2050 |
msec()
|
2052 |
msec()
|
2051 |
{
|
2053 |
{
|
2052 |
|
2054 |
|
2053 |
# Apply fileserver security level
|
2055 |
# Apply fileserver security level
|
2054 |
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
|
2056 |
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
|
Line 2125... |
Line 2127... |
2125 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
|
2127 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
|
2126 |
rm -rf /tmp/acme.sh-*
|
2128 |
rm -rf /tmp/acme.sh-*
|
2127 |
} # End of letsencrypt()
|
2129 |
} # End of letsencrypt()
|
2128 |
|
2130 |
|
2129 |
##################################################################
|
2131 |
##################################################################
|
- |
|
2132 |
## "mail_service" ##
|
- |
|
2133 |
## - Install mail service for email registration method ##
|
- |
|
2134 |
##################################################################
|
- |
|
2135 |
mail_service()
|
- |
|
2136 |
{
|
- |
|
2137 |
[ -e /etc/postfix/main.cf.default ] || cp /etc/postfix/main.cf /etc/postfix/main.cf.default
|
- |
|
2138 |
cat << EOT >> /etc/postfix/main.cf
|
- |
|
2139 |
myhostname = $HOSTNAME.$DOMAIN
|
- |
|
2140 |
# Enable SASL authentication
|
- |
|
2141 |
smtp_sasl_auth_enable = yes
|
- |
|
2142 |
# Disallow methods that allow anonymous authentication
|
- |
|
2143 |
smtp_sasl_security_options = noanonymous
|
- |
|
2144 |
# Location of sasl_passwd
|
- |
|
2145 |
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
|
- |
|
2146 |
EOT
|
- |
|
2147 |
# postfix banner anonymisation
|
- |
|
2148 |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
|
- |
|
2149 |
chown -R postfix:postfix /var/lib/postfix
|
- |
|
2150 |
} # end of mail_service
|
- |
|
2151 |
|
- |
|
2152 |
##################################################################
|
2130 |
## Fonction "post_install" ##
|
2153 |
## Fonction "post_install" ##
|
2131 |
## - Modifying banners (locals et ssh) & prompts ##
|
2154 |
## - Modifying banners (locals et ssh) & prompts ##
|
2132 |
## - SSH config ##
|
2155 |
## - SSH config ##
|
2133 |
## - sudoers config & files security ##
|
2156 |
## - sudoers config & files security ##
|
2134 |
## - log rotate & ANSSI security parameters ##
|
2157 |
## - log rotate & ANSSI security parameters ##
|
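Review bot: mail_service appends its SASL block to /etc/postfix/main.cf unconditionally (`cat << EOT >> /etc/postfix/main.cf`), so every re-run of the installer — the update path in the main loop further down calls mail_service too — duplicates `myhostname`, `smtp_sasl_auth_enable` and the other directives; guard it, e.g. `grep -q '^smtp_sasl_auth_enable' /etc/postfix/main.cf || cat << EOT >> /etc/postfix/main.cf`. The block turns on SASL client authentication but sets no `smtp_tls_security_level`, which in Postfix defaults to no TLS, so the credentials stored in sasl_passwd would be handed to the relay in the clear; adding `smtp_tls_security_level = encrypt` (with `smtp_tls_CAfile` pointing at the system CA bundle) inside the heredoc closes that. `/etc/postfix/sasl/sasl_passwd` is referenced but neither created nor permission-restricted here; presumably it is written later by the ACC, in which case that code must create it root-owned mode 0600 and run postmap, and a comment on the `smtp_sasl_password_maps` line saying where the file comes from would spare the next reader the search.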
Line 2146... |
Line 2169... |
2146 |
# sshd listens on EXTIF & INTIF
|
2169 |
# sshd listens on EXTIF & INTIF
|
2147 |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
|
2170 |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
|
2148 |
# sshd authorized certificate for root login
|
2171 |
# sshd authorized certificate for root login
|
2149 |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
|
2172 |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
|
2150 |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
|
2173 |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
|
2151 |
|
- |
|
2152 |
# postfix banner anonymisation
|
- |
|
2153 |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
|
- |
|
2154 |
chown -R postfix:postfix /var/lib/postfix
|
- |
|
2155 |
# ALCASAR conf file
|
2174 |
# ALCASAR conf file
|
2156 |
echo "HTTPS_LOGIN=off" >> $CONF_FILE
|
2175 |
echo "HTTPS_LOGIN=off" >> $CONF_FILE
|
2157 |
echo "HTTPS_CHILLI=off" >> $CONF_FILE
|
2176 |
echo "HTTPS_CHILLI=off" >> $CONF_FILE
|
2158 |
echo "SSH=on" >> $CONF_FILE
|
2177 |
echo "SSH=on" >> $CONF_FILE
|
2159 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
2178 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
Line 2351... |
Line 2370... |
2351 |
-\? | -h* | --h*)
|
2370 |
-\? | -h* | --h*)
|
2352 |
echo "$usage"
|
2371 |
echo "$usage"
|
2353 |
exit 0
|
2372 |
exit 0
|
2354 |
;;
|
2373 |
;;
|
2355 |
-i | --install)
|
2374 |
-i | --install)
|
2356 |
for func in license testing_system testing_network
|
2375 |
for func in license system_testing network_testing
|
2357 |
do
|
2376 |
do
|
2358 |
header_install
|
2377 |
header_install
|
2359 |
$func
|
2378 |
$func
|
2360 |
if [ $DEBUG_ALCASAR == "on" ]
|
2379 |
if [ $DEBUG_ALCASAR == "on" ]
|
2361 |
then
|
2380 |
then
|
Line 2438... |
Line 2457... |
2438 |
then echo "#### Installation avec mise à jour ####";
|
2457 |
then echo "#### Installation avec mise à jour ####";
|
2439 |
else echo "#### Installation with update ####";
|
2458 |
else echo "#### Installation with update ####";
|
2440 |
fi
|
2459 |
fi
|
2441 |
mode="update"
|
2460 |
mode="update"
|
2442 |
fi
|
2461 |
fi
|
2443 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
|
2462 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
|
2444 |
do
|
2463 |
do
|
2445 |
$func
|
2464 |
$func
|
2446 |
if [ $DEBUG_ALCASAR == "on" ]
|
2465 |
if [ $DEBUG_ALCASAR == "on" ]
|
2447 |
then
|
2466 |
then
|
2448 |
echo "*** 'debug' : end of function '$func' ***"
|
2467 |
echo "*** 'debug' : end of function '$func' ***"
|