WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 2770 2020-02-11 23:06:07Z rexy $
+#  $Id: alcasar.sh 2771 2020-02-22 09:50:24Z rexy $
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
 			$DIR_SCRIPTS/alcasar-conf.sh --create
 			mode="update"
 		fi
 	fi
 # Test free space on /var
+	free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
-	if [ ! -d /var/log/netflow/porttracker ]
+	if [ $free_space -lt 10 ]
 		then
-		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
-		if [ $free_space -lt 10 ]
-			then
-			if [ $Lang == "fr" ]
+		if [ $Lang == "fr" ]
-				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
+			then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
-				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
+			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
-			fi
-		exit 0
 		fi
+	exit 0
 	fi
 # Detect external/internal interfaces
 	if [ -z "$EXTIF" ]; then
 		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
 		if [ -z "$EXTIF" ]; then
 			if [ "$Lang" == 'fr' ]
-				then echo -n "Aucune passerelle par défaut configurée"
+				then echo "Aucune passerelle par défaut configurée"
-				else echo -n "No default gateway configured"
+				else echo "No default gateway configured"
 			fi
 			exit 1
 		fi
 	fi
 	if [ "$Lang" == 'fr' ]
+#
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
 #  (at your option) any later version.
+# This unit launches coova-chilli a captive portal
 [Unit]
 Description=chilli is a captive portal daemon
 After=network.target
 [Service]
 	chmod 640 /var/log/firewall/*
 }  # End of ulogd()
 ##########################################################
 ##                    Function "nfsen"                  ##
-## - install the nfsen grapher                          ##
+## - configure NetFlow collector (nfcapd)               ##
-## - install the two plugins porttracker & surfmap      ##
+## - configure NetFlow grapher (nfsen-ng)               ##
 ##########################################################
 nfsen()
+{
-	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
-# Add PortTracker plugin
+    groupadd -f nfcapd
-	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
-	do
-		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
-	done
-	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
-# use of our conf file and init unit
-	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
-# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
-	DirTmp=$(pwd)
-	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
-	/usr/bin/perl install.pl /tmp/nfsen-*/etc/nfsen.conf
+	useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
-	/usr/bin/perl install.pl /tmp/nfsen-*/etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
-# Create RRD DB for porttracker (only in it still doesn't exist)
-	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
-	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
-	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
-	chmod -R 770 /var/log/netflow/porttracker
-# nfsen unit for systemd
+# nfcapd unit for systemd
-	cat << EOF > /lib/systemd/system/nfsen.service
+	cat << EOF > /lib/systemd/system/nfcapd.service
 #  This file is part of systemd.
+#
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU General Public License as published by
 #  the Free Software Foundation; either version 2 of the License, or
 #  (at your option) any later version.
-# This unit launches nfsen (a Netflow grapher).
+# This unit launches nfcapd (a Netflow collector).
 [Unit]
-Description= NfSen init script
+Description=Netflow Capture Daemon
-After=network.target iptables.service
+After=network-online.target iptables.service
 [Service]
-Type=oneshot
+Type=exec
-RemainAfterExit=yes
-PIDFile=/var/run/nfsen/nfsen.pid
+PIDFile=/run/nfcapd/nfcapd.pid
-ExecStartPre=/bin/mkdir -p /var/run/nfsen
-ExecStartPre=/bin/chown apache:apache /var/run/nfsen
+ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /var/run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow
-ExecStart=/usr/bin/nfsen start
-ExecStop=/usr/bin/nfsen stop
-ExecReload=/usr/bin/nfsen restart
+ExecReload=/bin/kill -HUP $MAINPID
-TimeoutSec=0
 [Install]
 WantedBy=multi-user.target
 EOF
-# Add the listen port to collect netflow packet (nfcapd)
-	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
+    [ -e /var/log/nfsen/profile-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profile-data/live/alcasar_netflow
-# expire delay for the profile "live"
-	/usr/bin/systemctl start nfsen
-	/bin/nfsen -m live -e 62d 2>/dev/null
-# add SURFmap plugin (waiting for new technical solution)
+    [ -e /var/run/nfcapd ] || mkdir -p /var/run/nfcapd
-# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
-#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
-#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
-#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
-#	cd /tmp/
-#	/usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
+    chown -R nfcapd:nfcapd /var/log/nfsen/profile-data/live/alcasar_netflow /var/run/nfcapd
-# clear the installation
-#	rm -rf /tmp/SURFmap*
-	rm -rf /tmp/nfsen-*
-	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
-	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
+#    chown -R apache:apache /var/www/html/acc/manager/nfsen-ng
 } # End of nfsen()
 ###########################################################
 ##                     Function "vnstat"                 ##
 ## - Initialization of Vnstat and vnstat phpFrontEnd     ##
 EOF
 	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
 # Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
 @daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
 EOF
+	cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
+# Remove netflow files older than one year
+@daily root /usr/bin/nfexpire -e /var/log/nfsen/profile-data/live/alcasar_netflow -t 365d
+EOF
 # removing the users crons
 	rm -f /var/spool/cron/*
 } # End of cron()
 ######################################################################
 [Install]
 WantedBy=multi-user.target
 EOF
 	/usr/bin/systemctl daemon-reload
 # processes launched at boot time (Systemctl)
-	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
+	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
 	do
 		/usr/bin/systemctl -q enable $i.service
 	done
 # disable processes at boot time (Systemctl)

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 3039 – Rev 2770 → 2771