| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar.sh 1219 2013-09-20 13:41:29Z crox53 $
|
2 |
# $Id: alcasar.sh 1221 2013-09-22 20:39:20Z richard $
|
| 3 |
|
3 |
|
| 4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
| 5 |
|
5 |
|
| 6 |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
|
6 |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
|
| 7 |
# Ce programme est un logiciel libre ; This software is free and open source
|
7 |
# Ce programme est un logiciel libre ; This software is free and open source
|
| Line 18... |
Line 18... |
| 18 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
|
18 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
|
| 19 |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
|
19 |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
|
| 20 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
20 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
| 21 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
|
21 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
|
| 22 |
#
|
22 |
#
|
| 23 |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav
|
23 |
# Coovachilli, freeradius, mariaDB, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
|
| 24 |
|
24 |
|
| 25 |
# Options :
|
25 |
# Options :
|
| 26 |
# -i or --install
|
26 |
# -i or --install
|
| 27 |
# -u or --uninstall
|
27 |
# -u or --uninstall
|
| 28 |
|
28 |
|
| 29 |
# Functions :
|
29 |
# Functions :
|
| 30 |
# testing : Tests de connectivité et de téléchargement avant installation
|
30 |
# testing : connectivity tests and downloading before intall
|
| 31 |
# init : Installation des RPM et des scripts
|
31 |
# init : Installation of RPM and scripts
|
| 32 |
# network : Paramètrage du réseau
|
32 |
# network : Network parameters
|
| 33 |
# gestion : Installation de l'interface de gestion
|
33 |
# ACC : ALCASAR Control Center installation
|
| 34 |
# AC : Initialisation de l'autorité de certification. Création des certificats
|
34 |
# CA : Certification Authority initialization
|
| 35 |
# init_db : Création de la base 'radius' sur le serveur MySql
|
35 |
# init_db : Initilization of radius database managed with MariaDB
|
| 36 |
# param_radius : Configuration du serveur d'authentification FreeRadius
|
36 |
# param_radius : FreeRadius initialisation
|
| 37 |
# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
|
37 |
# param_web_radius : copy ans modifiy original "freeradius web" in ACC
|
| 38 |
# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
|
38 |
# param_chilli : coovachilli initialisation (+authentication page)
|
| 39 |
# param_squid : Configuration du proxy squid en mode 'cache'
|
39 |
# param_squid : Squid cache proxy configuration
|
| 40 |
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
|
40 |
# param_dansguardian : DansGuardian filtering HTTP proxy configuration
|
| 41 |
# antivirus : Installation havp + libclamav
|
41 |
# antivirus : HAVP + libclamav configuration
|
| 42 |
# param_nfsen : Configuration du grapheur nfsen pour apache
|
42 |
# param_nfsen : Configuration du grapheur nfsen pour apache
|
| 43 |
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
|
43 |
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
|
| 44 |
# BL : Configuration de la BlackList
|
44 |
# BL : Configuration de la BlackList
|
| 45 |
# cron : Mise en place des exports de logs (+ chiffrement)
|
45 |
# cron : Mise en place des exports de logs (+ chiffrement)
|
| 46 |
# fail2ban : Installation et configuration de Fail2Ban
|
46 |
# fail2ban : Installation et configuration de Fail2Ban
|
| 47 |
# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
|
47 |
# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
|
| 48 |
|
48 |
|
| 49 |
DATE=`date '+%d %B %Y - %Hh%M'`
|
49 |
DATE=`date '+%d %B %Y - %Hh%M'`
|
| 50 |
DATE_SHORT=`date '+%d/%m/%Y'`
|
50 |
DATE_SHORT=`date '+%d/%m/%Y'`
|
| 51 |
Lang=`echo $LANG|cut -c 1-2`
|
51 |
Lang=`echo $LANG|cut -c 1-2`
|
| 52 |
# ******* Files parameters - paramètres fichiers *********
|
52 |
# ******* Files parameters - paramètres fichiers *********
|
| Line 100... |
Line 100... |
| 100 |
|
100 |
|
| 101 |
#Launch network service (useful only when Mageia is running in SafeFail mode)
|
101 |
#Launch network service (useful only when Mageia is running in SafeFail mode)
|
| 102 |
service network start
|
102 |
service network start
|
| 103 |
|
103 |
|
| 104 |
##################################################################
|
104 |
##################################################################
|
| 105 |
## Function TESTING ##
|
105 |
## Function "testing" ##
|
| 106 |
## - Test of Internet access ##
|
106 |
## - Test of Internet access ##
|
| 107 |
##################################################################
|
107 |
##################################################################
|
| 108 |
testing ()
|
108 |
testing ()
|
| 109 |
{
|
109 |
{
|
| 110 |
if [ $Lang == "fr" ]
|
110 |
if [ $Lang == "fr" ]
|
| Line 238... |
Line 238... |
| 238 |
rm -rf /tmp/con_ok.html
|
238 |
rm -rf /tmp/con_ok.html
|
| 239 |
echo ". : ok"
|
239 |
echo ". : ok"
|
| 240 |
} # end of testing
|
240 |
} # end of testing
|
| 241 |
|
241 |
|
| 242 |
##################################################################
|
242 |
##################################################################
|
| 243 |
## Fonction INIT ##
|
243 |
## Function "init" ##
|
| 244 |
## - Création du fichier "/root/ALCASAR_parametres.txt" ##
|
244 |
## - Création du fichier "/root/ALCASAR_parametres.txt" ##
|
| 245 |
## - Installation et modification des scripts du portail ##
|
245 |
## - Installation et modification des scripts du portail ##
|
| 246 |
##################################################################
|
246 |
##################################################################
|
| 247 |
init ()
|
247 |
init ()
|
| 248 |
{
|
248 |
{
|
| Line 312... |
Line 312... |
| 312 |
EOF
|
312 |
EOF
|
| 313 |
chmod o-rwx $CONF_FILE
|
313 |
chmod o-rwx $CONF_FILE
|
| 314 |
} # End of init ()
|
314 |
} # End of init ()
|
| 315 |
|
315 |
|
| 316 |
##################################################################
|
316 |
##################################################################
|
| 317 |
## Fonction network ##
|
317 |
## Function "network" ##
|
| 318 |
## - Définition du plan d'adressage du réseau de consultation ##
|
318 |
## - Définition du plan d'adressage du réseau de consultation ##
|
| 319 |
## - Nommage DNS du système ##
|
319 |
## - Nommage DNS du système ##
|
| 320 |
## - Configuration de l'interface eth1 (réseau de consultation) ##
|
320 |
## - Configuration de l'interface eth1 (réseau de consultation) ##
|
| 321 |
## - Modification du fichier /etc/hosts ##
|
321 |
## - Modification du fichier /etc/hosts ##
|
| 322 |
## - Configuration du serveur de temps (NTP) ##
|
322 |
## - Configuration du serveur de temps (NTP) ##
|
| Line 506... |
Line 506... |
| 506 |
#
|
506 |
#
|
| 507 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
507 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
| 508 |
} # End of network ()
|
508 |
} # End of network ()
|
| 509 |
|
509 |
|
| 510 |
##################################################################
|
510 |
##################################################################
|
| 511 |
## Fonction gestion ##
|
511 |
## Function "ACC" ##
|
| 512 |
## - installation du centre de gestion ##
|
512 |
## - installation du centre de gestion (ALCASAR Control Center) ##
|
| 513 |
## - configuration du serveur web (Apache) ##
|
513 |
## - configuration du serveur web (Apache) ##
|
| 514 |
## - définition du 1er comptes de gestion ##
|
514 |
## - définition du 1er comptes de gestion ##
|
| 515 |
## - sécurisation des accès ##
|
515 |
## - sécurisation des accès ##
|
| 516 |
##################################################################
|
516 |
##################################################################
|
| 517 |
gestion()
|
517 |
ACC ()
|
| 518 |
{
|
518 |
{
|
| 519 |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
|
519 |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
|
| 520 |
mkdir $DIR_WEB
|
520 |
mkdir $DIR_WEB
|
| 521 |
# Copie et configuration des fichiers du centre de gestion
|
521 |
# Copie et configuration des fichiers du centre de gestion
|
| 522 |
cp -rf $DIR_INSTALL/web/* $DIR_WEB/
|
522 |
cp -rf $DIR_INSTALL/web/* $DIR_WEB/
|
| Line 703... |
Line 703... |
| 703 |
AuthName $HOSTNAME
|
703 |
AuthName $HOSTNAME
|
| 704 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
704 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
| 705 |
ErrorDocument 404 https://$HOSTNAME/
|
705 |
ErrorDocument 404 https://$HOSTNAME/
|
| 706 |
</Directory>
|
706 |
</Directory>
|
| 707 |
EOF
|
707 |
EOF
|
| 708 |
} # End of gestion ()
|
708 |
} # End of ACC()
|
| 709 |
|
709 |
|
| 710 |
##########################################################################################
|
710 |
##########################################################################################
|
| 711 |
## Fonction AC() ##
|
711 |
## Fonction "CA" ##
|
| 712 |
## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
|
712 |
## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
|
| 713 |
##########################################################################################
|
713 |
##########################################################################################
|
| 714 |
AC ()
|
714 |
CA ()
|
| 715 |
{
|
715 |
{
|
| 716 |
$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
|
716 |
$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
|
| 717 |
$DIR_DEST_BIN/alcasar-CA.sh
|
717 |
$DIR_DEST_BIN/alcasar-CA.sh
|
| 718 |
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
|
718 |
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
|
| 719 |
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
|
719 |
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
|
| 720 |
$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
|
720 |
$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
|
| 721 |
$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
|
721 |
$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
|
| 722 |
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
|
722 |
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
|
| 723 |
chown -R root:apache /etc/pki
|
723 |
chown -R root:apache /etc/pki
|
| 724 |
chmod -R 750 /etc/pki
|
724 |
chmod -R 750 /etc/pki
|
| 725 |
} # End AC ()
|
725 |
} # End CA ()
|
| 726 |
|
726 |
|
| 727 |
##########################################################################################
|
727 |
##########################################################################################
|
| 728 |
## Fonction init_db() ##
|
728 |
## Fonction "init_db" ##
|
| 729 |
## - Initialisation de la base Mysql ##
|
729 |
## - Initialisation de la base Mysql ##
|
| 730 |
## - Affectation du mot de passe de l'administrateur (root) ##
|
730 |
## - Affectation du mot de passe de l'administrateur (root) ##
|
| 731 |
## - Suppression des bases et des utilisateurs superflus ##
|
731 |
## - Suppression des bases et des utilisateurs superflus ##
|
| 732 |
## - Création de la base 'radius' ##
|
732 |
## - Création de la base 'radius' ##
|
| 733 |
## - Installation du schéma de cette base ##
|
733 |
## - Installation du schéma de cette base ##
|
| Line 756... |
Line 756... |
| 756 |
$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
|
756 |
$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
|
| 757 |
$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
|
757 |
$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
|
| 758 |
} # End init_db ()
|
758 |
} # End init_db ()
|
| 759 |
|
759 |
|
| 760 |
##########################################################################
|
760 |
##########################################################################
|
| 761 |
## Fonction param_radius ##
|
761 |
## Fonction "param_radius" ##
|
| 762 |
## - Paramètrage des fichiers de configuration FreeRadius ##
|
762 |
## - Paramètrage des fichiers de configuration FreeRadius ##
|
| 763 |
## - Affectation du secret partagé entre coova-chilli et freeradius ##
|
763 |
## - Affectation du secret partagé entre coova-chilli et freeradius ##
|
| 764 |
## - Modification de fichier de conf pour l'accès à Mysql ##
|
764 |
## - Modification de fichier de conf pour l'accès à Mysql ##
|
| 765 |
##########################################################################
|
765 |
##########################################################################
|
| 766 |
param_radius ()
|
766 |
param_radius ()
|
| Line 813... |
Line 813... |
| 813 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
813 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
| 814 |
|
814 |
|
| 815 |
} # End param_radius ()
|
815 |
} # End param_radius ()
|
| 816 |
|
816 |
|
| 817 |
##########################################################################
|
817 |
##########################################################################
|
| 818 |
## Fonction param_web_radius ##
|
818 |
## Function "param_web_radius" ##
|
| 819 |
## - Import, modification et paramètrage de l'interface "dialupadmin" ##
|
819 |
## - Import, modification et paramètrage de l'interface "dialupadmin" ##
|
| 820 |
## - Création du lien vers la page de changement de mot de passe ##
|
820 |
## - Création du lien vers la page de changement de mot de passe ##
|
| 821 |
##########################################################################
|
821 |
##########################################################################
|
| 822 |
param_web_radius ()
|
822 |
param_web_radius ()
|
| 823 |
{
|
823 |
{
|
| Line 872... |
Line 872... |
| 872 |
</Directory>
|
872 |
</Directory>
|
| 873 |
EOF
|
873 |
EOF
|
| 874 |
} # End of param_web_radius ()
|
874 |
} # End of param_web_radius ()
|
| 875 |
|
875 |
|
| 876 |
##################################################################################
|
876 |
##################################################################################
|
| 877 |
## Fonction param_chilli ##
|
877 |
## Fonction "param_chilli" ##
|
| 878 |
## - Création du fichier d'initialisation et de configuration de coova-chilli ##
|
878 |
## - Création du fichier d'initialisation et de configuration de coova-chilli ##
|
| 879 |
## - Paramètrage de la page d'authentification (intercept.php) ##
|
879 |
## - Paramètrage de la page d'authentification (intercept.php) ##
|
| 880 |
##################################################################################
|
880 |
##################################################################################
|
| 881 |
param_chilli ()
|
881 |
param_chilli ()
|
| 882 |
{
|
882 |
{
|
| Line 1019... |
Line 1019... |
| 1019 |
groupadd -f chilli
|
1019 |
groupadd -f chilli
|
| 1020 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
1020 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
| 1021 |
} # End of param_chilli ()
|
1021 |
} # End of param_chilli ()
|
| 1022 |
|
1022 |
|
| 1023 |
##########################################################
|
1023 |
##########################################################
|
| 1024 |
## Fonction param_squid ##
|
1024 |
## Fonction "param_squid" ##
|
| 1025 |
## - Paramètrage du proxy 'squid' en mode 'cache' ##
|
1025 |
## - Paramètrage du proxy 'squid' en mode 'cache' ##
|
| 1026 |
## - Initialisation de la base de données ##
|
1026 |
## - Initialisation de la base de données ##
|
| 1027 |
##########################################################
|
1027 |
##########################################################
|
| 1028 |
param_squid ()
|
1028 |
param_squid ()
|
| 1029 |
{
|
1029 |
{
|
| Line 1058... |
Line 1058... |
| 1058 |
# Squid cache init
|
1058 |
# Squid cache init
|
| 1059 |
/usr/sbin/squid -z
|
1059 |
/usr/sbin/squid -z
|
| 1060 |
} # End of param_squid ()
|
1060 |
} # End of param_squid ()
|
| 1061 |
|
1061 |
|
| 1062 |
##################################################################
|
1062 |
##################################################################
|
| 1063 |
## Fonction param_dansguardian ##
|
1063 |
## Fonction "param_dansguardian" ##
|
| 1064 |
## - Paramètrage du gestionnaire de contenu Dansguardian ##
|
1064 |
## - Paramètrage du gestionnaire de contenu Dansguardian ##
|
| 1065 |
##################################################################
|
1065 |
##################################################################
|
| 1066 |
param_dansguardian ()
|
1066 |
param_dansguardian ()
|
| 1067 |
{
|
1067 |
{
|
| 1068 |
mkdir /var/dansguardian
|
1068 |
mkdir /var/dansguardian
|
| Line 1106... |
Line 1106... |
| 1106 |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
|
1106 |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
|
| 1107 |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
|
1107 |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
|
| 1108 |
} # End of param_dansguardian ()
|
1108 |
} # End of param_dansguardian ()
|
| 1109 |
|
1109 |
|
| 1110 |
##################################################################
|
1110 |
##################################################################
|
| 1111 |
## Fonction antivirus ##
|
1111 |
## Fonction "antivirus" ##
|
| 1112 |
## - configuration havp + libclamav ##
|
1112 |
## - configuration havp + libclamav ##
|
| 1113 |
##################################################################
|
1113 |
##################################################################
|
| 1114 |
antivirus ()
|
1114 |
antivirus ()
|
| 1115 |
{
|
1115 |
{
|
| 1116 |
# création de l'usager 'havp'
|
1116 |
# création de l'usager 'havp'
|
| Line 1154... |
Line 1154... |
| 1154 |
cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
|
1154 |
cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
|
| 1155 |
/usr/bin/freshclam
|
1155 |
/usr/bin/freshclam
|
| 1156 |
}
|
1156 |
}
|
| 1157 |
|
1157 |
|
| 1158 |
##################################################################################
|
1158 |
##################################################################################
|
| 1159 |
## param_ulogd function ##
|
1159 |
## function "param_ulogd" ##
|
| 1160 |
## - Ulog config for multi-log files ##
|
1160 |
## - Ulog config for multi-log files ##
|
| 1161 |
##################################################################################
|
1161 |
##################################################################################
|
| 1162 |
param_ulogd ()
|
1162 |
param_ulogd ()
|
| 1163 |
{
|
1163 |
{
|
| 1164 |
# Three instances of ulogd (three different logfiles)
|
1164 |
# Three instances of ulogd (three different logfiles)
|
| 1165 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
1165 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
| 1166 |
nl=1
|
1166 |
nl=1
|
| 1167 |
for log_type in tracability ssh ext-access
|
1167 |
for log_type in int-access ssh ext-access
|
| 1168 |
do
|
1168 |
do
|
| 1169 |
[ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log
|
1169 |
[ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log
|
| 1170 |
cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
|
1170 |
cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
|
| 1171 |
$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
|
1171 |
$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
|
| 1172 |
$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
|
1172 |
$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
|
| Line 1184... |
Line 1184... |
| 1184 |
cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
|
1184 |
cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
|
| 1185 |
} # End of param_ulogd ()
|
1185 |
} # End of param_ulogd ()
|
| 1186 |
|
1186 |
|
| 1187 |
|
1187 |
|
| 1188 |
##########################################################
|
1188 |
##########################################################
|
| 1189 |
## Fonction param_nfsen ##
|
1189 |
## Function "param_nfsen" ##
|
| 1190 |
##########################################################
|
1190 |
##########################################################
|
| 1191 |
param_nfsen()
|
1191 |
param_nfsen()
|
| 1192 |
{
|
1192 |
{
|
| 1193 |
#Decompression tarball
|
1193 |
#Decompression tarball
|
| 1194 |
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
|
1194 |
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
|
| 1195 |
#Création groupe et utilisteur
|
1195 |
#Création groupe et utilisteur
|
| 1196 |
if grep "^www-data:" /etc/group > /dev/null; then
|
1196 |
if grep "^www-data:" /etc/group > /dev/null; then
|
| 1197 |
echo "Group already exists !"
|
1197 |
echo "Group already exists !"
|
| 1198 |
else
|
1198 |
else
|
| 1199 |
groupadd www-data
|
1199 |
groupadd www-data
|
| 1200 |
echo "Group 'www-data' created !"
|
1200 |
echo "Group 'www-data' created !"
|
| 1201 |
fi
|
1201 |
fi
|
| 1202 |
if grep "^nfsen:" /etc/passwd > /dev/null; then
|
1202 |
if grep "^nfsen:" /etc/passwd > /dev/null; then
|
| 1203 |
echo "User already exists !"
|
1203 |
echo "User already exists !"
|
| 1204 |
else
|
1204 |
else
|
| 1205 |
useradd -m nfsen
|
1205 |
useradd -m nfsen
|
| 1206 |
echo "User 'nfsen' created !"
|
1206 |
echo "User 'nfsen' created !"
|
| 1207 |
fi
|
1207 |
fi
|
| 1208 |
usermod -G www-data nfsen
|
1208 |
usermod -G www-data nfsen
|
| 1209 |
#Ajout du plugin nfsen : PortTracker
|
1209 |
#Ajout du plugin nfsen : PortTracker
|
| 1210 |
mkdir -p /var/www/nfsen/plugins
|
1210 |
mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
|
| 1211 |
chown -R nfsen:www-data /var/www/nfsen
|
1211 |
chown -R nfsen:www-data /var/www/nfsen
|
| 1212 |
#Ajout du plugin PortTracker
|
- |
|
| 1213 |
mkdir -p /var/log/netflow/porttracker
|
- |
|
| 1214 |
mkdir -p /usr/share/nfsen/plugins
|
- |
|
| 1215 |
chown -R apache:apache /usr/share/nfsen
|
1212 |
chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
|
| 1216 |
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
|
1213 |
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
|
| 1217 |
chown apache /var/log/netflow/porttracker
|
- |
|
| 1218 |
#Copie du fichier de conf modifié de nfsen
|
1214 |
#Copie du fichier de conf modifié de nfsen
|
| 1219 |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
|
1215 |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
|
| 1220 |
#Copie du script d'initialisation de nfsen
|
1216 |
#Copie du script d'initialisation de nfsen
|
| 1221 |
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
|
1217 |
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
|
| 1222 |
systemctl enable nfsen.service
|
- |
|
| 1223 |
#Installation de nfsen via le scrip Perl
|
1218 |
#Installation de nfsen via le scrip Perl
|
| 1224 |
DirTmp=$(pwd)
|
1219 |
DirTmp=$(pwd)
|
| 1225 |
cd /tmp/nfsen-1.3.6p1/
|
1220 |
cd /tmp/nfsen-1.3.6p1/
|
| 1226 |
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
|
1221 |
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
|
| 1227 |
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
|
1222 |
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
|
| 1228 |
#Création de la DB pour rrdtool
|
1223 |
#Création de la DB pour rrdtool
|
| 1229 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
|
1224 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
|
| 1230 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
|
1225 |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
|
| 1231 |
sudo -u apache nftrack -I -d /var/log/netflow/porttracker
|
1226 |
sudo -u apache nftrack -I -d /var/log/netflow/porttracker
|
| 1232 |
chown -R apache:www-data /var/log/netflow/porttracker/
|
1227 |
chown -R apache:www-data /var/log/netflow/porttracker/
|
| 1233 |
chmod -R 775 /var/log/netflow/porttracker
|
1228 |
chmod -R 775 /var/log/netflow/porttracker
|
| 1234 |
#Configuration du fichier de conf d'apache
|
1229 |
#Configuration du fichier de conf d'apache
|
| 1235 |
if [ -f /etc/httpd/conf.d/nfsen.conf ];then
|
1230 |
if [ -f /etc/httpd/conf.d/nfsen.conf ];then
|
| 1236 |
rm -f /etc/httpd/conf.d/nfsen.conf
|
1231 |
rm -f /etc/httpd/conf.d/nfsen.conf
|
| 1237 |
fi
|
1232 |
fi
|
| 1238 |
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
|
1233 |
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
|
| 1239 |
Alias /nfsen /var/www/nfsen
|
1234 |
Alias /nfsen /var/www/nfsen
|
| 1240 |
<Directory /var/www/nfsen/>
|
1235 |
<Directory /var/www/nfsen/>
|
| 1241 |
DirectoryIndex nfsen.php
|
1236 |
DirectoryIndex nfsen.php
|
| 1242 |
Options -Indexes
|
1237 |
Options -Indexes
|
| 1243 |
AllowOverride all
|
1238 |
AllowOverride all
|
| Line 1247... |
Line 1242... |
| 1247 |
php_flag magic_quotes_gpc on
|
1242 |
php_flag magic_quotes_gpc on
|
| 1248 |
php_flag track_vars on
|
1243 |
php_flag track_vars on
|
| 1249 |
</Directory>
|
1244 |
</Directory>
|
| 1250 |
EOF
|
1245 |
EOF
|
| 1251 |
#Configuration du délais d'expiration des captures du profile "live"
|
1246 |
#Configuration du délais d'expiration des captures du profile "live"
|
| 1252 |
nfsen -m live -e 62d
|
1247 |
nfsen -m live -e 62d
|
| 1253 |
#Suppression des sources de nfsen
|
1248 |
#Suppression des sources de nfsen
|
| 1254 |
cd $DirTmp
|
1249 |
cd $DirTmp
|
| 1255 |
rm -rf /tmp/nfsen-1.3.6p1/
|
1250 |
rm -rf /tmp/nfsen-1.3.6p1/
|
| 1256 |
} # End of param_nfsen
|
1251 |
} # End of param_nfsen
|
| 1257 |
|
1252 |
|
| 1258 |
##########################################################
|
1253 |
##########################################################
|
| 1259 |
## Fonction param_dnsmasq ##
|
1254 |
## Function "param_dnsmasq" ##
|
| 1260 |
##########################################################
|
1255 |
##########################################################
|
| 1261 |
param_dnsmasq ()
|
1256 |
param_dnsmasq ()
|
| 1262 |
{
|
1257 |
{
|
| 1263 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1258 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
| 1264 |
$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
|
1259 |
$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
|
| Line 1306... |
Line 1301... |
| 1306 |
server=$DNS1
|
1301 |
server=$DNS1
|
| 1307 |
server=$DNS2
|
1302 |
server=$DNS2
|
| 1308 |
EOF
|
1303 |
EOF
|
| 1309 |
|
1304 |
|
| 1310 |
# Init file modification
|
1305 |
# Init file modification
|
| 1311 |
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
|
1306 |
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
|
| 1312 |
# Start and stop a 2nd process for the "DNS blackhole"
|
1307 |
# Start and stop a 2nd process for the "DNS blackhole"
|
| 1313 |
cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
|
1308 |
cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
|
| 1314 |
# Start after chilli (65) which create tun0
|
1309 |
# Start after chilli (65) which create tun0
|
| 1315 |
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
|
1310 |
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
|
| 1316 |
# Optionnellement on pré-active les logs DNS des clients
|
1311 |
# Optionnellement on pré-active les logs DNS des clients
|
| 1317 |
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
|
1312 |
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
|
| 1318 |
$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
|
1313 |
$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
|
| 1319 |
# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
|
1314 |
# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
|
| 1320 |
echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
|
1315 |
echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
|
| 1321 |
# Optionnellement, exemple de configuration avec un A.D.
|
1316 |
# Optionnellement, exemple de configuration avec un A.D.
|
| 1322 |
echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
|
1317 |
echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
|
| 1323 |
} # End dnsmasq
|
1318 |
} # End dnsmasq
|
| 1324 |
|
1319 |
|
| 1325 |
##########################################################
|
1320 |
##########################################################
|
| 1326 |
## Fonction BL (BlackList) ##
|
1321 |
## Fonction "BL" ##
|
| 1327 |
##########################################################
|
1322 |
##########################################################
|
| 1328 |
BL ()
|
1323 |
BL ()
|
| 1329 |
{
|
1324 |
{
|
| 1330 |
# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
|
1325 |
# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
|
| 1331 |
rm -rf $DIR_DG/lists/blacklists
|
1326 |
rm -rf $DIR_DG/lists/blacklists
|
| Line 1370... |
Line 1365... |
| 1370 |
$DIR_DEST_SBIN/alcasar-bl.sh --adapt
|
1365 |
$DIR_DEST_SBIN/alcasar-bl.sh --adapt
|
| 1371 |
fi
|
1366 |
fi
|
| 1372 |
}
|
1367 |
}
|
| 1373 |
|
1368 |
|
| 1374 |
##########################################################
|
1369 |
##########################################################
|
| 1375 |
## Fonction cron ##
|
1370 |
## Fonction "cron" ##
|
| 1376 |
## - Mise en place des différents fichiers de cron ##
|
1371 |
## - Mise en place des différents fichiers de cron ##
|
| 1377 |
##########################################################
|
1372 |
##########################################################
|
| 1378 |
cron ()
|
1373 |
cron ()
|
| 1379 |
{
|
1374 |
{
|
| 1380 |
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
|
1375 |
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
|
| Line 1457... |
Line 1452... |
| 1457 |
# suppression des crons usagers
|
1452 |
# suppression des crons usagers
|
| 1458 |
rm -f /var/spool/cron/*
|
1453 |
rm -f /var/spool/cron/*
|
| 1459 |
} # End cron
|
1454 |
} # End cron
|
| 1460 |
|
1455 |
|
| 1461 |
##################################################################
|
1456 |
##################################################################
|
| 1462 |
## Fonction Fail2Ban ##
|
1457 |
## Fonction "Fail2Ban" ##
|
| 1463 |
##- Modification de la configuration de fail2ban ##
|
1458 |
##- Modification de la configuration de fail2ban ##
|
| 1464 |
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
|
1459 |
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
|
| 1465 |
##################################################################
|
1460 |
##################################################################
|
| 1466 |
fail2ban()
|
1461 |
fail2ban()
|
| 1467 |
{
|
1462 |
{
|
| Line 1472... |
Line 1467... |
| 1472 |
chmod 644 /var/log/fail2ban.log
|
1467 |
chmod 644 /var/log/fail2ban.log
|
| 1473 |
chmod 644 /var/Save/logs/security/watchdog.log
|
1468 |
chmod 644 /var/Save/logs/security/watchdog.log
|
| 1474 |
} #Fin de fail2ban_install()
|
1469 |
} #Fin de fail2ban_install()
|
| 1475 |
|
1470 |
|
| 1476 |
##################################################################
|
1471 |
##################################################################
|
| 1477 |
## Fonction post_install ##
|
1472 |
## Fonction "post_install" ##
|
| 1478 |
## - Modification des bannières (locales et ssh) et des prompts ##
|
1473 |
## - Modification des bannières (locales et ssh) et des prompts ##
|
| 1479 |
## - Installation de la structure de chiffrement pour root ##
|
1474 |
## - Installation de la structure de chiffrement pour root ##
|
| 1480 |
## - Mise en place du sudoers et de la sécurité sur les fichiers##
|
1475 |
## - Mise en place du sudoers et de la sécurité sur les fichiers##
|
| 1481 |
## - Mise en place du la rotation des logs ##
|
1476 |
## - Mise en place du la rotation des logs ##
|
| 1482 |
## - Configuration dans le cas d'une mise à jour ##
|
1477 |
## - Configuration dans le cas d'une mise à jour ##
|
| Line 1534... |
Line 1529... |
| 1534 |
do
|
1529 |
do
|
| 1535 |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
|
1530 |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
|
| 1536 |
done
|
1531 |
done
|
| 1537 |
# export des logs en 'retard' dans /var/Save/logs
|
1532 |
# export des logs en 'retard' dans /var/Save/logs
|
| 1538 |
/usr/local/bin/alcasar-log.sh --export
|
1533 |
/usr/local/bin/alcasar-log.sh --export
|
| 1539 |
# processus lancés par défaut au démarrage
|
1534 |
# create the alcasar-load_balancing unit
|
| 1540 |
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen
|
- |
|
| 1541 |
do
|
- |
|
| 1542 |
/sbin/chkconfig --add $i
|
- |
|
| 1543 |
done
|
- |
|
| 1544 |
|
- |
|
| 1545 |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
|
1535 |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
|
| 1546 |
# This file is part of systemd.
|
1536 |
# This file is part of systemd.
|
| 1547 |
#
|
1537 |
#
|
| 1548 |
# systemd is free software; you can redistribute it and/or modify it
|
1538 |
# systemd is free software; you can redistribute it and/or modify it
|
| 1549 |
# under the terms of the GNU General Public License as published by
|
1539 |
# under the terms of the GNU General Public License as published by
|
| 1550 |
# the Free Software Foundation; either version 2 of the License, or
|
1540 |
# the Free Software Foundation; either version 2 of the License, or
|
| Line 1564... |
Line 1554... |
| 1564 |
SysVStartPriority=99
|
1554 |
SysVStartPriority=99
|
| 1565 |
|
1555 |
|
| 1566 |
[Install]
|
1556 |
[Install]
|
| 1567 |
WantedBy=multi-user.target
|
1557 |
WantedBy=multi-user.target
|
| 1568 |
EOF
|
1558 |
EOF
|
| - |
|
1559 |
# processes launched at boot time (SYSV)
|
| - |
|
1560 |
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
|
| - |
|
1561 |
do
|
| - |
|
1562 |
/sbin/chkconfig --add $i
|
| - |
|
1563 |
done
|
| - |
|
1564 |
# processes launched at boot time (Systemctl)
|
| 1569 |
systemctl enable alcasar-load_balancing.service
|
1565 |
for i in alcasar-load_balancing.service nfsen.service
|
| 1570 |
|
1566 |
|
| - |
|
1567 |
do
|
| 1571 |
# On applique les préconisations ANSSI
|
1568 |
systemctl enable $i
|
| - |
|
1569 |
done
|
| 1572 |
# Apply French Security Agency rules
|
1570 |
# Apply French Security Agency (ANSSI) rules
|
| 1573 |
# ignorer les broadcast ICMP. (attaque smurf)
|
1571 |
# ignorer les broadcast ICMP. (attaque smurf)
|
| 1574 |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
|
1572 |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
|
| 1575 |
# ignorer les erreurs ICMP bogus
|
1573 |
# ignorer les erreurs ICMP bogus
|
| 1576 |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
|
1574 |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
|
| 1577 |
# désactiver l'envoi et la réponse aux ICMP redirects
|
1575 |
# désactiver l'envoi et la réponse aux ICMP redirects
|
| 1578 |
sysctl -w net.ipv4.conf.all.accept_redirects=0
|
1576 |
sysctl -w net.ipv4.conf.all.accept_redirects=0
|
| 1579 |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
|
1577 |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
|
| 1580 |
if [ "$accept_redirect" == "0" ]
|
1578 |
if [ "$accept_redirect" == "0" ]
|
| 1581 |
then
|
1579 |
then
|
| 1582 |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
|
1580 |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
|
| 1583 |
else
|
1581 |
else
|
| 1584 |
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
|
1582 |
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
|
| 1585 |
fi
|
1583 |
fi
|
| 1586 |
sysctl -w net.ipv4.conf.all.send_redirects=0
|
1584 |
sysctl -w net.ipv4.conf.all.send_redirects=0
|
| 1587 |
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
|
1585 |
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
|
| 1588 |
if [ "$send_redirect" == "0" ]
|
1586 |
if [ "$send_redirect" == "0" ]
|
| 1589 |
then
|
1587 |
then
|
| 1590 |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
|
1588 |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
|
| 1591 |
else
|
1589 |
else
|
| 1592 |
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
|
1590 |
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
|
| 1593 |
fi
|
1591 |
fi
|
| 1594 |
# activer les SYN Cookies (attaque syn flood)
|
1592 |
# activer les SYN Cookies (attaque syn flood)
|
| 1595 |
sysctl -w net.ipv4.tcp_syncookies=1
|
1593 |
sysctl -w net.ipv4.tcp_syncookies=1
|
| 1596 |
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
|
1594 |
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
|
| 1597 |
if [ "$tcp_syncookies" == "0" ]
|
1595 |
if [ "$tcp_syncookies" == "0" ]
|
| 1598 |
then
|
1596 |
then
|
| 1599 |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
|
1597 |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
|
| 1600 |
else
|
1598 |
else
|
| 1601 |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
|
1599 |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
|
| 1602 |
fi
|
1600 |
fi
|
| 1603 |
# activer l'antispoofing niveau Noyau
|
1601 |
# activer l'antispoofing niveau Noyau
|
| 1604 |
sysctl -w net.ipv4.conf.all.rp_filter=1
|
1602 |
sysctl -w net.ipv4.conf.all.rp_filter=1
|
| 1605 |
# ignorer le source routing
|
1603 |
# ignorer le source routing
|
| 1606 |
sysctl -w net.ipv4.conf.all.accept_source_route=0
|
1604 |
sysctl -w net.ipv4.conf.all.accept_source_route=0
|
| 1607 |
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
|
1605 |
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
|
| 1608 |
if [ "$accept_source_route" == "0" ]
|
1606 |
if [ "$accept_source_route" == "0" ]
|
| 1609 |
then
|
1607 |
then
|
| 1610 |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
|
1608 |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
|
| 1611 |
else
|
1609 |
else
|
| 1612 |
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
|
1610 |
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
|
| 1613 |
fi
|
1611 |
fi
|
| 1614 |
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
|
1612 |
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
|
| 1615 |
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
|
1613 |
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
|
| 1616 |
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
|
1614 |
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
|
| 1617 |
if [ "$timeout_established" == "0" ]
|
1615 |
if [ "$timeout_established" == "0" ]
|
| 1618 |
then
|
1616 |
then
|
| 1619 |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
|
1617 |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
|
| 1620 |
else
|
1618 |
else
|
| 1621 |
$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
|
1619 |
$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
|
| 1622 |
fi
|
1620 |
fi
|
| 1623 |
# disable log_martians (ALCASAR is often installed between two private network addresses)
|
1621 |
# disable log_martians (ALCASAR is often installed between two private network addresses)
|
| 1624 |
sysctl -w net.ipv4.conf.all.log_martians=0
|
1622 |
sysctl -w net.ipv4.conf.all.log_martians=0
|
| 1625 |
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
|
1623 |
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
|
| 1626 |
# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
|
1624 |
# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
|
| 1627 |
# modification /etc/inittab
|
1625 |
# modification /etc/inittab
|
| 1628 |
[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
|
1626 |
[ -e /etc/inittab.default ] || cp /etc/inittab /etc/inittab.default
|
| 1629 |
# We keep only 3 TTYs
|
1627 |
# We keep only 3 TTYs
|
| 1630 |
$SED "s?^4.*?#&?g" /etc/inittab
|
1628 |
$SED "s?^4.*?#&?g" /etc/inittab
|
| 1631 |
$SED "s?^5.*?#&?g" /etc/inittab
|
1629 |
$SED "s?^5.*?#&?g" /etc/inittab
|
| 1632 |
$SED "s?^6.*?#&?g" /etc/inittab
|
1630 |
$SED "s?^6.*?#&?g" /etc/inittab
|
| 1633 |
# switch to multi-users runlevel (instead of x11)
|
1631 |
# switch to multi-users runlevel (instead of x11)
|
| 1634 |
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
|
1632 |
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
|
| 1635 |
$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
|
1633 |
$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
|
| 1636 |
# GRUB modifications
|
1634 |
# GRUB modifications
|
| 1637 |
# limit wait time to 3s
|
1635 |
# limit wait time to 3s
|
| 1638 |
# create an alcasar entry instead of linux-nonfb
|
1636 |
# create an alcasar entry instead of linux-nonfb
|
| 1639 |
# change display to 1024*768 (vga791)
|
1637 |
# change display to 1024*768 (vga791)
|
| 1640 |
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
|
1638 |
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
|
| 1641 |
$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
|
1639 |
$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
|
| 1642 |
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
|
1640 |
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
|
| 1643 |
$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
|
1641 |
$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
|
| 1644 |
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
|
1642 |
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
|
| 1645 |
$SED "/^gfxmenu/d" /boot/grub/menu.lst
|
1643 |
$SED "/^gfxmenu/d" /boot/grub/menu.lst
|
| 1646 |
|
- |
|
| 1647 |
# Remove unused services and users
|
1644 |
# Remove unused services and users
|
| 1648 |
for old_svc in alsa sound dm
|
1645 |
for old_svc in alsa sound dm
|
| 1649 |
do
|
1646 |
do
|
| 1650 |
/sbin/chkconfig --del $old_svc
|
1647 |
/sbin/chkconfig --del $old_svc
|
| 1651 |
done
|
1648 |
done
|
| 1652 |
for svc in snmpd.service sshd.service
|
1649 |
for svc in snmpd.service sshd.service
|
| 1653 |
do
|
1650 |
do
|
| 1654 |
/bin/systemctl disable $svc
|
1651 |
/bin/systemctl disable $svc
|
| 1655 |
done
|
1652 |
done
|
| 1656 |
for rm_users in avahi-autoipd avahi icapd
|
1653 |
for rm_users in avahi-autoipd avahi icapd
|
| 1657 |
do
|
1654 |
do
|
| 1658 |
user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1`
|
1655 |
user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1`
|
| 1659 |
if [ "$user" == "$rm_users" ]
|
1656 |
if [ "$user" == "$rm_users" ]
|
| 1660 |
then
|
1657 |
then
|
| 1661 |
/usr/sbin/userdel -f $rm_users
|
1658 |
/usr/sbin/userdel -f $rm_users
|
| 1662 |
fi
|
1659 |
fi
|
| 1663 |
done
|
1660 |
done
|
| 1664 |
# Load and apply the previous conf file
|
1661 |
# Load and apply the previous conf file
|
| 1665 |
if [ "$mode" = "update" ]
|
1662 |
if [ "$mode" = "update" ]
|
| 1666 |
then
|
1663 |
then
|
| 1667 |
$DIR_DEST_BIN/alcasar-conf.sh --load
|
1664 |
$DIR_DEST_BIN/alcasar-conf.sh --load
|
| 1668 |
PARENT_SCRIPT=`basename $0`
|
1665 |
PARENT_SCRIPT=`basename $0`
|
| 1669 |
export PARENT_SCRIPT # to avoid stop&start process during the installation process
|
1666 |
export PARENT_SCRIPT # to avoid stop&start process during the installation process
|
| 1670 |
$DIR_DEST_BIN/alcasar-conf.sh --apply
|
1667 |
$DIR_DEST_BIN/alcasar-conf.sh --apply
|
| 1671 |
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
|
1668 |
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
|
| 1672 |
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
|
1669 |
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
|
| 1673 |
fi
|
1670 |
fi
|
| 1674 |
rm -f /tmp/alcasar-conf*
|
1671 |
rm -f /tmp/alcasar-conf*
|
| 1675 |
chown -R root:apache $DIR_DEST_ETC/*
|
1672 |
chown -R root:apache $DIR_DEST_ETC/*
|
| 1676 |
chmod -R 660 $DIR_DEST_ETC/*
|
1673 |
chmod -R 660 $DIR_DEST_ETC/*
|
| 1677 |
chmod ug+x $DIR_DEST_ETC/digest
|
1674 |
chmod ug+x $DIR_DEST_ETC/digest
|
| 1678 |
|
- |
|
| 1679 |
# Apply and save the firewall rules
|
1675 |
# Apply and save the firewall rules
|
| 1680 |
sh $DIR_DEST_BIN/alcasar-iptables.sh
|
1676 |
sh $DIR_DEST_BIN/alcasar-iptables.sh
|
| 1681 |
sleep 2
|
1677 |
sleep 2
|
| 1682 |
cd $DIR_INSTALL
|
1678 |
cd $DIR_INSTALL
|
| 1683 |
echo ""
|
1679 |
echo ""
|
| Line 1830... |
Line 1826... |
| 1830 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
|
1826 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
|
| 1831 |
mode="update"
|
1827 |
mode="update"
|
| 1832 |
else
|
1828 |
else
|
| 1833 |
mode="install"
|
1829 |
mode="install"
|
| 1834 |
fi
|
1830 |
fi
|
| 1835 |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
|
1831 |
for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
|
| 1836 |
do
|
1832 |
do
|
| 1837 |
$func
|
1833 |
$func
|
| 1838 |
echo "*** 'debug' : end of function $func ***"; read a
|
1834 |
# echo "*** 'debug' : end of function $func ***"; read a
|
| 1839 |
done
|
1835 |
done
|
| 1840 |
;;
|
1836 |
;;
|
| 1841 |
-u | --uninstall)
|
1837 |
-u | --uninstall)
|
| 1842 |
if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
|
1838 |
if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
|
| 1843 |
then
|
1839 |
then
|