Subversion Repositories ALCASAR

Rev

Rev 1512 | Rev 1514 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1512 Rev 1513
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 1512 2014-12-01 23:07:12Z richard $ 
2
#  $Id: alcasar.sh 1513 2014-12-02 10:33:11Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
12
 
12
 
13
#  team@alcasar.net
13
#  team@alcasar.net
14
 
14
 
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
16
# This script is distributed under the Gnu General Public License (GPL)
16
# This script is distributed under the Gnu General Public License (GPL)
17
 
17
 
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
22
#
22
#
23
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
23
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
24
 
24
 
25
# Options :
25
# Options :
26
#       -i or --install
26
#       -i or --install
27
#       -u or --uninstall
27
#       -u or --uninstall
28
 
28
 
29
# Functions :
29
# Functions :
30
#	testing			: connectivity tests, free space test and mageia version test
30
#	testing			: connectivity tests, free space test and mageia version test
31
#	init			: Installation of RPM and scripts
31
#	init			: Installation of RPM and scripts
32
#	network			: Network parameters
32
#	network			: Network parameters
33
#	ACC			: ALCASAR Control Center installation
33
#	ACC			: ALCASAR Control Center installation
34
#	CA			: Certification Authority initialization
34
#	CA			: Certification Authority initialization
35
#	init_db			: Initilization of radius database managed with MariaDB
35
#	init_db			: Initilization of radius database managed with MariaDB
36
#	radius			: FreeRadius initialisation
36
#	radius			: FreeRadius initialisation
37
#	radius_web		: copy ans modifiy original "freeradius web" in ACC
37
#	radius_web		: copy ans modifiy original "freeradius web" in ACC
38
#	chilli			: coovachilli initialisation (+authentication page)
38
#	chilli			: coovachilli initialisation (+authentication page)
39
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
39
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
40
#	antivirus		: HAVP + libclamav configuration
40
#	antivirus		: HAVP + libclamav configuration
41
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
41
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
42
#	ulogd			: log system in userland (match NFLOG target of iptables)
42
#	ulogd			: log system in userland (match NFLOG target of iptables)
43
#	nfsen		:	: Configuration du grapheur nfsen pour apache 
43
#	nfsen		:	: Configuration du grapheur nfsen pour apache 
44
#	dnsmasq			: Name server configuration
44
#	dnsmasq			: Name server configuration
45
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	post_install		: Security, log rotation, etc.
49
#	post_install		: Security, log rotation, etc.
50
 
50
 
51
DATE=`date '+%d %B %Y - %Hh%M'`
51
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
53
Lang=`echo $LANG|cut -c 1-2`
53
Lang=`echo $LANG|cut -c 1-2`
54
mode="install"
54
mode="install"
55
# ******* Files parameters - paramètres fichiers *********
55
# ******* Files parameters - paramètres fichiers *********
56
DIR_INSTALL=`pwd`				# current directory 
56
DIR_INSTALL=`pwd`				# current directory 
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SAVE="/var/Save"				# backup directory (system_backup, user_db_backup, logs)
59
DIR_SAVE="/var/Save"				# backup directory (system_backup, user_db_backup, logs)
60
DIR_WEB="/var/www/html"				# directory of APACHE
60
DIR_WEB="/var/www/html"				# directory of APACHE
61
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
61
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
62
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
62
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
63
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
63
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
64
DIR_DEST_SBIN="/usr/local/sbin"			# directory of ALCASAR admin scripts
64
DIR_DEST_SBIN="/usr/local/sbin"			# directory of ALCASAR admin scripts
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
# ******* DBMS parameters - paramètres SGBD ********
69
# ******* DBMS parameters - paramètres SGBD ********
70
DB_RADIUS="radius"				# database name used by FreeRadius server
70
DB_RADIUS="radius"				# database name used by FreeRadius server
71
DB_USER="radius"				# user name allows to request the users database
71
DB_USER="radius"				# user name allows to request the users database
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
73
# ******* Network parameters - paramètres réseau *******
73
# ******* Network parameters - paramètres réseau *******
74
HOSTNAME="alcasar"				# default hostname
74
HOSTNAME="alcasar"				# default hostname
75
DOMAIN="localdomain"				# default local domain
75
DOMAIN="localdomain"				# default local domain
76
EXTIF=`/sbin/ip route|grep default|cut -d" " -f5`						# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
76
EXTIF=`/sbin/ip route|grep default|cut -d" " -f5`						# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
INTIF=`/sbin/ip	link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
77
INTIF=`/sbin/ip	link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
78
MTU="1500"
78
MTU="1500"
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
# ****** Paths - chemin des commandes *******
80
# ****** Paths - chemin des commandes *******
81
SED="/bin/sed -i"
81
SED="/bin/sed -i"
82
# ****************** End of global parameters *********************
82
# ****************** End of global parameters *********************
83
 
83
 
84
license ()
84
license ()
85
{
85
{
86
	if [ $Lang == "fr" ]
86
	if [ $Lang == "fr" ]
87
	then cat $DIR_INSTALL/gpl-3.0.fr.txt | more
87
	then cat $DIR_INSTALL/gpl-3.0.fr.txt | more
88
	else cat $DIR_INSTALL/gpl-3.0.txt | more
88
	else cat $DIR_INSTALL/gpl-3.0.txt | more
89
	fi
89
	fi
90
	echo "Taper sur Entrée pour continuer !"
90
	echo "Taper sur Entrée pour continuer !"
91
	echo "Enter to continue."
91
	echo "Enter to continue."
92
	read a
92
	read a
93
}
93
}
94
 
94
 
95
header_install ()
95
header_install ()
96
{
96
{
97
	clear
97
	clear
98
	echo "-----------------------------------------------------------------------------"
98
	echo "-----------------------------------------------------------------------------"
99
	echo "                     ALCASAR V$VERSION Installation"
99
	echo "                     ALCASAR V$VERSION Installation"
100
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
100
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
101
	echo "-----------------------------------------------------------------------------"
101
	echo "-----------------------------------------------------------------------------"
102
}
102
}
103
 
103
 
104
##################################################################
104
##################################################################
105
##			Function "testing"			##
105
##			Function "testing"			##
106
## - Test of Mageia version					##
106
## - Test of Mageia version					##
107
## - Test of free space on /var  (>10G)				##
107
## - Test of free space on /var  (>10G)				##
108
## - Test of Internet access					##
108
## - Test of Internet access					##
109
##################################################################
109
##################################################################
110
testing ()
110
testing ()
111
{
111
{
112
# Test if ALCASAR is already installed
112
# Test if ALCASAR is already installed
113
	if [ -e $CONF_FILE ]
113
	if [ -e $CONF_FILE ]
114
	then
114
	then
115
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
115
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
116
		if [ $Lang == "fr" ]
116
		if [ $Lang == "fr" ]
117
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
117
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
118
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
118
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
119
		fi
119
		fi
120
		response=0
120
		response=0
121
		PTN='^[oOnNyY]$'
121
		PTN='^[oOnNyY]$'
122
		until [[ $(expr $response : $PTN) -gt 0 ]]
122
		until [[ $(expr $response : $PTN) -gt 0 ]]
123
		do
123
		do
124
			if [ $Lang == "fr" ]
124
			if [ $Lang == "fr" ]
125
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
125
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
126
				else echo -n "Do you want to update (Y/n)?";
126
				else echo -n "Do you want to update (Y/n)?";
127
			 fi
127
			 fi
128
			read response
128
			read response
129
		done
129
		done
130
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
130
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
131
		then
131
		then
132
			rm -f /tmp/alcasar-conf*
132
			rm -f /tmp/alcasar-conf*
133
		else
133
		else
134
# Create a backup of running importants files
134
# Create a backup of running importants files
135
			$DIR_SCRIPTS/alcasar-conf.sh --create
135
			$DIR_SCRIPTS/alcasar-conf.sh --create
136
			mode="update"
136
			mode="update"
137
		fi
137
		fi
138
	else
138
	else
139
		if [ ! -d /var/log/netflow/porttracker ]
139
		if [ ! -d /var/log/netflow/porttracker ]
140
			then
140
			then
141
# Test of free space on /var
141
# Test of free space on /var
142
			free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
142
			free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
143
			if [ $free_space -lt 10 ]
143
			if [ $free_space -lt 10 ]
144
				then
144
				then
145
				if [ $Lang == "fr" ]
145
				if [ $Lang == "fr" ]
146
					then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
146
					then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
147
					else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
147
					else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
148
				fi
148
				fi
149
			exit 0
149
			exit 0
150
			fi
150
			fi
151
		fi
151
		fi
152
# Test of Mageia version
152
# Test of Mageia version
153
# extract the current Mageia version and hardware architecture (i586 ou X64)
153
# extract the current Mageia version and hardware architecture (i586 ou X64)
154
		fic=`cat /etc/product.id`
154
		fic=`cat /etc/product.id`
155
		unknown_os=0
155
		unknown_os=0
156
		old="$IFS"
156
		old="$IFS"
157
		IFS=","
157
		IFS=","
158
		set $fic
158
		set $fic
159
		for i in $*
159
		for i in $*
160
		do
160
		do
161
			if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
161
			if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
162
				then 
162
				then 
163
				DISTRIBUTION=`echo $i|cut -d"=" -f2`
163
				DISTRIBUTION=`echo $i|cut -d"=" -f2`
164
				unknown_os=`expr $unknown_os + 1`
164
				unknown_os=`expr $unknown_os + 1`
165
			fi
165
			fi
166
			if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
166
			if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
167
				then 
167
				then 
168
				CURRENT_VERSION=`echo $i|cut -d"=" -f2`
168
				CURRENT_VERSION=`echo $i|cut -d"=" -f2`
169
				unknown_os=`expr $unknown_os + 1`
169
				unknown_os=`expr $unknown_os + 1`
170
			fi
170
			fi
171
			if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
171
			if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
172
				then 
172
				then 
173
				ARCH=`echo $i|cut -d"=" -f2`
173
				ARCH=`echo $i|cut -d"=" -f2`
174
				unknown_os=`expr $unknown_os + 1`
174
				unknown_os=`expr $unknown_os + 1`
175
			fi
175
			fi
176
		done
176
		done
177
		IFS="$old"
177
		IFS="$old"
178
		if [[ ( $unknown_os != 3 || "$DISTRIBUTION" != "Mageia" ) && ( "$CURRENT_VERSION" != "4" ) ]]
178
		if [[ ( $unknown_os != 3 || "$DISTRIBUTION" != "Mageia" ) && ( "$CURRENT_VERSION" != "4" ) ]]
179
			then
179
			then
180
			if [ $Lang == "fr" ]
180
			if [ $Lang == "fr" ]
181
				then	
181
				then	
182
				echo "L'installation ou la mise @ jour d'ALCASAR ne peut pas être réalisée."
182
				echo "L'installation ou la mise @ jour d'ALCASAR ne peut pas être réalisée."
183
				echo "Le système d'exploitation doit être remplacé (Mageia4)"
183
				echo "Le système d'exploitation doit être remplacé (Mageia4)"
184
			else
184
			else
185
				echo "The automatic update of ALCASAR can't be performed."
185
				echo "The automatic update of ALCASAR can't be performed."
186
				echo "The OS must be replaced (Mageia4)"
186
				echo "The OS must be replaced (Mageia4)"
187
			fi
187
			fi
188
			if [ -e /tmp/alcasar-conf.tar.gz ]
188
			if [ -e /tmp/alcasar-conf.tar.gz ]
189
				then
189
				then
190
				echo
190
				echo
191
				if [ $Lang == "fr" ]
191
				if [ $Lang == "fr" ]
192
					then	
192
					then	
193
					echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
193
					echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
194
					echo "2 - Installez Linux-Mageia4 (cf. doc d'installation)"
194
					echo "2 - Installez Linux-Mageia4 (cf. doc d'installation)"
195
					echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
195
					echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
196
				else
196
				else
197
					echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
197
					echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
198
					echo "2 - Install Linux-Mageia4 (cf. installation doc)"
198
					echo "2 - Install Linux-Mageia4 (cf. installation doc)"
199
					echo "3 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
199
					echo "3 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
200
				fi
200
				fi
201
			fi
201
			fi
202
			exit 0
202
			exit 0
203
		fi
203
		fi
204
	fi
204
	fi
205
	if [ $Lang == "fr" ]
205
	if [ $Lang == "fr" ]
206
		then echo -n "Tests des paramètres réseau : "
206
		then echo -n "Tests des paramètres réseau : "
207
		else echo -n "Network parameters tests : "
207
		else echo -n "Network parameters tests : "
208
	fi
208
	fi
209
 
209
 
210
# Test of Ethernet links state
210
# Test of Ethernet links state
211
	DOWN_IF=`/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
211
	DOWN_IF=`/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
212
	for i in $DOWN_IF
212
	for i in $DOWN_IF
213
	do
213
	do
214
		if [ $Lang == "fr" ]
214
		if [ $Lang == "fr" ]
215
		then 
215
		then 
216
			echo "Échec"
216
			echo "Échec"
217
			echo "Le lien réseau de la carte $i n'est pas actif."
217
			echo "Le lien réseau de la carte $i n'est pas actif."
218
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
218
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
219
		else
219
		else
220
			echo "Failed"
220
			echo "Failed"
221
			echo "The link state of $i interface is down."
221
			echo "The link state of $i interface is down."
222
			echo "Make sure that this network card is connected to a switch or an A.P."
222
			echo "Make sure that this network card is connected to a switch or an A.P."
223
		fi
223
		fi
224
		exit 0
224
		exit 0
225
	done
225
	done
226
	echo -n "."
226
	echo -n "."
227
 
227
 
228
# Test EXTIF config files
228
# Test EXTIF config files
229
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
229
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
230
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
230
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
231
	PUBLIC_GATEWAY=`ip route list|grep ^default|cut -d" " -f3`
231
	PUBLIC_GATEWAY=`ip route list|grep ^default|cut -d" " -f3`
232
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
232
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
233
	then
233
	then
234
		if [ $Lang == "fr" ]
234
		if [ $Lang == "fr" ]
235
		then 
235
		then 
236
			echo "Échec"
236
			echo "Échec"
237
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
237
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
238
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
238
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
239
			echo "Appliquez les changements : 'systemctl restart network'"
239
			echo "Appliquez les changements : 'systemctl restart network'"
240
		else
240
		else
241
			echo "Failed"
241
			echo "Failed"
242
			echo "The Internet connected network card ($EXTIF) isn't well configured."
242
			echo "The Internet connected network card ($EXTIF) isn't well configured."
243
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
243
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
244
			echo "Apply the new configuration 'systemctl restart network'"
244
			echo "Apply the new configuration 'systemctl restart network'"
245
		fi
245
		fi
246
		echo "DEVICE=$EXTIF"
246
		echo "DEVICE=$EXTIF"
247
		echo "IPADDR="
247
		echo "IPADDR="
248
		echo "NETMASK="
248
		echo "NETMASK="
249
		echo "GATEWAY="
249
		echo "GATEWAY="
250
		echo "DNS1="
250
		echo "DNS1="
251
		echo "DNS2="
251
		echo "DNS2="
252
		echo "ONBOOT=yes"
252
		echo "ONBOOT=yes"
253
		exit 0
253
		exit 0
254
	fi
254
	fi
255
	echo -n "."
255
	echo -n "."
256
 
256
 
257
# Test if router is alive (Box FAI)
257
# Test if router is alive (Box FAI)
258
	if [ `ip route list|grep -c ^default` -ne "1" ] ; then
258
	if [ `ip route list|grep -c ^default` -ne "1" ] ; then
259
		if [ $Lang == "fr" ]
259
		if [ $Lang == "fr" ]
260
		then 
260
		then 
261
			echo "Échec"
261
			echo "Échec"
262
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
262
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
263
			echo "Réglez ce problème puis relancez ce script."
263
			echo "Réglez ce problème puis relancez ce script."
264
		else
264
		else
265
			echo "Failed"
265
			echo "Failed"
266
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
266
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
267
			echo "Resolv this problem, then restart this script."
267
			echo "Resolv this problem, then restart this script."
268
		fi
268
		fi
269
		exit 0
269
		exit 0
270
	fi
270
	fi
271
	echo -n "."
271
	echo -n "."
272
# On teste le lien vers le routeur par defaut
272
# On teste le lien vers le routeur par defaut
273
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
273
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
274
	if [ $(expr $arp_reply) -eq 0 ]
274
	if [ $(expr $arp_reply) -eq 0 ]
275
	       	then
275
	       	then
276
		if [ $Lang == "fr" ]
276
		if [ $Lang == "fr" ]
277
		then 
277
		then 
278
			echo "Échec"
278
			echo "Échec"
279
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
279
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
280
			echo "Réglez ce problème puis relancez ce script."
280
			echo "Réglez ce problème puis relancez ce script."
281
		else
281
		else
282
			echo "Failed"
282
			echo "Failed"
283
			echo "The Internet gateway doesn't answered"
283
			echo "The Internet gateway doesn't answered"
284
			echo "Resolv this problem, then restart this script."
284
			echo "Resolv this problem, then restart this script."
285
		fi
285
		fi
286
		exit 0
286
		exit 0
287
	fi
287
	fi
288
	echo -n "."
288
	echo -n "."
289
# On teste la connectivité Internet
289
# On teste la connectivité Internet
290
	rm -rf /tmp/con_ok.html
290
	rm -rf /tmp/con_ok.html
291
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
291
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
292
	if [ ! -e /tmp/con_ok.html ]
292
	if [ ! -e /tmp/con_ok.html ]
293
	then
293
	then
294
		if [ $Lang == "fr" ]
294
		if [ $Lang == "fr" ]
295
		then 
295
		then 
296
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
296
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
297
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
297
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
298
			echo "Vérifiez la validité des adresses IP des DNS."
298
			echo "Vérifiez la validité des adresses IP des DNS."
299
		else
299
		else
300
			echo "The Internet connection try failed (google.fr)."
300
			echo "The Internet connection try failed (google.fr)."
301
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
301
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
302
			echo "Verify the DNS IP addresses"
302
			echo "Verify the DNS IP addresses"
303
		fi
303
		fi
304
		exit 0
304
		exit 0
305
	fi
305
	fi
306
	rm -rf /tmp/con_ok.html
306
	rm -rf /tmp/con_ok.html
307
	echo ". : ok"
307
	echo ". : ok"
308
} # end of testing ()
308
} # end of testing ()
309
 
309
 
310
##################################################################
310
##################################################################
311
##			Function "init"				##
311
##			Function "init"				##
312
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
312
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
313
## - Installation et modification des scripts du portail	##
313
## - Installation et modification des scripts du portail	##
314
##################################################################
314
##################################################################
315
init ()
315
init ()
316
{
316
{
317
	if [ "$mode" != "update" ]
317
	if [ "$mode" != "update" ]
318
	then
318
	then
319
# On affecte le nom d'organisme
319
# On affecte le nom d'organisme
320
		header_install
320
		header_install
321
		ORGANISME=!
321
		ORGANISME=!
322
		PTN='^[a-zA-Z0-9-]*$'
322
		PTN='^[a-zA-Z0-9-]*$'
323
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
323
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
324
                do
324
                do
325
			if [ $Lang == "fr" ]
325
			if [ $Lang == "fr" ]
326
			       	then echo -n "Entrez le nom de votre organisme : "
326
			       	then echo -n "Entrez le nom de votre organisme : "
327
				else echo -n "Enter the name of your organism : "
327
				else echo -n "Enter the name of your organism : "
328
			fi
328
			fi
329
			read ORGANISME
329
			read ORGANISME
330
			if [ "$ORGANISME" == "" ]
330
			if [ "$ORGANISME" == "" ]
331
				then
331
				then
332
				ORGANISME=!
332
				ORGANISME=!
333
			fi
333
			fi
334
		done
334
		done
335
	fi
335
	fi
336
# On crée aléatoirement les mots de passe et les secrets partagés
336
# On crée aléatoirement les mots de passe et les secrets partagés
337
	rm -f $PASSWD_FILE
337
	rm -f $PASSWD_FILE
338
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
338
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
339
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
339
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
340
	echo "$grubpwd" >> $PASSWD_FILE
340
	echo "$grubpwd" >> $PASSWD_FILE
341
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
341
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
342
	$SED "/^password.*/d" /boot/grub/menu.lst
342
	$SED "/^password.*/d" /boot/grub/menu.lst
343
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
343
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
344
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
344
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
345
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
345
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
346
	echo "root / $mysqlpwd" >> $PASSWD_FILE
346
	echo "root / $mysqlpwd" >> $PASSWD_FILE
347
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
347
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
348
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
348
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
349
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
349
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
350
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
350
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
351
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
351
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
352
	echo "$secretuam" >> $PASSWD_FILE
352
	echo "$secretuam" >> $PASSWD_FILE
353
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
353
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
354
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
354
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
355
	echo "$secretradius" >> $PASSWD_FILE
355
	echo "$secretradius" >> $PASSWD_FILE
356
	chmod 640 $PASSWD_FILE
356
	chmod 640 $PASSWD_FILE
357
# Scripts and conf files copy 
357
# Scripts and conf files copy 
358
#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
358
#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
359
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
359
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
360
#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
360
#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
361
	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
361
	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
362
#  - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
362
#  - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
363
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
363
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
364
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
364
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
365
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
365
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
366
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
366
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
367
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
367
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
368
# generate central conf file
368
# generate central conf file
369
	cat <<EOF > $CONF_FILE
369
	cat <<EOF > $CONF_FILE
370
##########################################
370
##########################################
371
##                                      ##
371
##                                      ##
372
##          ALCASAR Parameters          ##
372
##          ALCASAR Parameters          ##
373
##                                      ##
373
##                                      ##
374
##########################################
374
##########################################
375
 
375
 
376
INSTALL_DATE=$DATE
376
INSTALL_DATE=$DATE
377
VERSION=$VERSION
377
VERSION=$VERSION
378
ORGANISM=$ORGANISME
378
ORGANISM=$ORGANISME
379
DOMAIN=$DOMAIN
379
DOMAIN=$DOMAIN
380
EOF
380
EOF
381
	chmod o-rwx $CONF_FILE
381
	chmod o-rwx $CONF_FILE
382
} # End of init ()
382
} # End of init ()
383
 
383
 
384
##################################################################
384
##################################################################
385
##			Function "network"			##
385
##			Function "network"			##
386
## - Définition du plan d'adressage du réseau de consultation	##
386
## - Définition du plan d'adressage du réseau de consultation	##
387
## - Nommage DNS du système 					##
387
## - Nommage DNS du système 					##
388
## - Configuration de l'interface INTIF (réseau de consultation)##
388
## - Configuration de l'interface INTIF (réseau de consultation)##
389
## - Modification du fichier /etc/hosts				##
389
## - Modification du fichier /etc/hosts				##
390
## - Configuration du serveur de temps (NTP)			##
390
## - Configuration du serveur de temps (NTP)			##
391
## - Renseignement des fichiers hosts.allow et hosts.deny	##
391
## - Renseignement des fichiers hosts.allow et hosts.deny	##
392
##################################################################
392
##################################################################
393
network ()
393
network ()
394
{
394
{
395
	header_install
395
	header_install
396
	if [ "$mode" != "update" ]
396
	if [ "$mode" != "update" ]
397
		then
397
		then
398
		if [ $Lang == "fr" ]
398
		if [ $Lang == "fr" ]
399
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
399
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
400
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
400
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
401
		fi
401
		fi
402
		response=0
402
		response=0
403
		PTN='^[oOyYnN]$'
403
		PTN='^[oOyYnN]$'
404
		until [[ $(expr $response : $PTN) -gt 0 ]]
404
		until [[ $(expr $response : $PTN) -gt 0 ]]
405
		do
405
		do
406
			if [ $Lang == "fr" ]
406
			if [ $Lang == "fr" ]
407
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
407
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
408
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
408
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
409
			fi
409
			fi
410
			read response
410
			read response
411
		done
411
		done
412
		if [ "$response" = "n" ] || [ "$response" = "N" ]
412
		if [ "$response" = "n" ] || [ "$response" = "N" ]
413
		then
413
		then
414
			PRIVATE_IP_MASK="0"
414
			PRIVATE_IP_MASK="0"
415
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
415
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
416
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
416
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
417
			do
417
			do
418
				if [ $Lang == "fr" ]
418
				if [ $Lang == "fr" ]
419
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
419
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
420
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
420
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
421
				fi
421
				fi
422
				read PRIVATE_IP_MASK
422
				read PRIVATE_IP_MASK
423
			done
423
			done
424
		else
424
		else
425
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
425
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
426
		fi
426
		fi
427
	else
427
	else
428
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
428
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
429
		rm -rf conf/etc/alcasar.conf
429
		rm -rf conf/etc/alcasar.conf
430
	fi
430
	fi
431
# Define LAN side global parameters
431
# Define LAN side global parameters
432
	hostname $HOSTNAME.$DOMAIN
432
	hostname $HOSTNAME.$DOMAIN
433
	echo $HOSTNAME.$DOMAIN > /etc/hostname
433
	echo $HOSTNAME.$DOMAIN > /etc/hostname
434
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
434
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
435
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
435
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
436
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
436
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
437
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
437
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
438
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
438
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
439
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
439
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
440
		then
440
		then
441
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
441
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
442
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
442
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
443
	fi	
443
	fi	
444
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
444
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
445
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
445
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
446
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
446
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
447
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
447
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
448
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
448
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
449
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
449
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
450
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
450
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
451
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
451
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
452
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
452
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
453
	PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6`				# MAC address of INTIF
453
	PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6`				# MAC address of INTIF
454
# Define Internet parameters
454
# Define Internet parameters
455
	DNS1=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|head -n 1`				# 1st DNS server
455
	DNS1=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|head -n 1`				# 1st DNS server
456
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
456
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
457
	if [ $nb_dns == 2 ]
457
	if [ $nb_dns == 2 ]
458
		then
458
		then
459
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
459
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
460
	fi
460
	fi
461
	DNS1=${DNS1:=208.67.220.220}
461
	DNS1=${DNS1:=208.67.220.220}
462
	DNS2=${DNS2:=208.67.222.222}
462
	DNS2=${DNS2:=208.67.222.222}
463
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
463
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
464
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
464
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
465
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
465
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
466
# Wrtie the conf file
466
# Wrtie the conf file
467
	echo "EXTIF=$EXTIF" >> $CONF_FILE
467
	echo "EXTIF=$EXTIF" >> $CONF_FILE
468
	echo "INTIF=$INTIF" >> $CONF_FILE
468
	echo "INTIF=$INTIF" >> $CONF_FILE
469
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
469
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
470
	if [ $IP_SETTING == "dhcp" ]
470
	if [ $IP_SETTING == "dhcp" ]
471
		then
471
		then
472
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
472
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
473
		echo "GW=dhcp" >> $CONF_FILE 
473
		echo "GW=dhcp" >> $CONF_FILE 
474
	else
474
	else
475
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
475
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
476
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE 
476
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE 
477
	fi
477
	fi
478
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
478
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
479
	echo "DNS1=$DNS1" >> $CONF_FILE
479
	echo "DNS1=$DNS1" >> $CONF_FILE
480
	echo "DNS2=$DNS2" >> $CONF_FILE
480
	echo "DNS2=$DNS2" >> $CONF_FILE
481
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
481
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
482
	echo "DHCP=on" >> $CONF_FILE
482
	echo "DHCP=on" >> $CONF_FILE
483
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
483
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
484
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
484
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
485
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
485
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
486
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
486
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
487
# network default
487
# network default
488
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
488
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
489
	cat <<EOF > /etc/sysconfig/network
489
	cat <<EOF > /etc/sysconfig/network
490
NETWORKING=yes
490
NETWORKING=yes
491
HOSTNAME="$HOSTNAME.$DOMAIN"
491
HOSTNAME="$HOSTNAME.$DOMAIN"
492
FORWARD_IPV4=true
492
FORWARD_IPV4=true
493
EOF
493
EOF
494
# /etc/hosts config
494
# /etc/hosts config
495
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
495
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
496
	cat <<EOF > /etc/hosts
496
	cat <<EOF > /etc/hosts
497
127.0.0.1	localhost
497
127.0.0.1	localhost
498
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
498
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
499
EOF
499
EOF
500
# EXTIF (Internet) config
500
# EXTIF (Internet) config
501
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
501
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
502
	if [ $IP_SETTING == "dhcp" ]
502
	if [ $IP_SETTING == "dhcp" ]
503
		then
503
		then
504
		$SED "s?^RESOLV_MODS=.*?RESOLV_MODS=yes?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
504
		$SED "s?^RESOLV_MODS=.*?RESOLV_MODS=yes?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
505
		$SED "s?^PEERDNS=.*?PEERDNS=no?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
505
		$SED "s?^PEERDNS=.*?PEERDNS=no?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
506
		echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-$EXTIF
506
		echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-$EXTIF
507
	else	
507
	else	
508
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
508
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
509
DEVICE=$EXTIF
509
DEVICE=$EXTIF
510
BOOTPROTO=static
510
BOOTPROTO=static
511
IPADDR=$PUBLIC_IP
511
IPADDR=$PUBLIC_IP
512
NETMASK=$PUBLIC_NETMASK
512
NETMASK=$PUBLIC_NETMASK
513
GATEWAY=$PUBLIC_GATEWAY
513
GATEWAY=$PUBLIC_GATEWAY
514
DNS1=127.0.0.1
514
DNS1=127.0.0.1
515
RESOLV_MODS=yes
515
RESOLV_MODS=yes
516
ONBOOT=yes
516
ONBOOT=yes
517
METRIC=10
517
METRIC=10
518
MII_NOT_SUPPORTED=yes
518
MII_NOT_SUPPORTED=yes
519
IPV6INIT=no
519
IPV6INIT=no
520
IPV6TO4INIT=no
520
IPV6TO4INIT=no
521
ACCOUNTING=no
521
ACCOUNTING=no
522
USERCTL=no
522
USERCTL=no
523
MTU=$MTU
523
MTU=$MTU
524
EOF
524
EOF
525
	fi
525
	fi
526
# Config INTIF (consultation LAN) in normal mode
526
# Config INTIF (consultation LAN) in normal mode
527
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
527
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
528
DEVICE=$INTIF
528
DEVICE=$INTIF
529
BOOTPROTO=static
529
BOOTPROTO=static
530
ONBOOT=yes
530
ONBOOT=yes
531
NOZEROCONF=yes
531
NOZEROCONF=yes
532
MII_NOT_SUPPORTED=yes
532
MII_NOT_SUPPORTED=yes
533
IPV6INIT=no
533
IPV6INIT=no
534
IPV6TO4INIT=no
534
IPV6TO4INIT=no
535
ACCOUNTING=no
535
ACCOUNTING=no
536
USERCTL=no
536
USERCTL=no
537
EOF
537
EOF
538
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
538
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
539
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
539
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
540
DEVICE=$INTIF
540
DEVICE=$INTIF
541
BOOTPROTO=static
541
BOOTPROTO=static
542
IPADDR=$PRIVATE_IP
542
IPADDR=$PRIVATE_IP
543
NETMASK=$PRIVATE_NETMASK
543
NETMASK=$PRIVATE_NETMASK
544
ONBOOT=yes
544
ONBOOT=yes
545
METRIC=10
545
METRIC=10
546
NOZEROCONF=yes
546
NOZEROCONF=yes
547
MII_NOT_SUPPORTED=yes
547
MII_NOT_SUPPORTED=yes
548
IPV6INIT=no
548
IPV6INIT=no
549
IPV6TO4INIT=no
549
IPV6TO4INIT=no
550
ACCOUNTING=no
550
ACCOUNTING=no
551
USERCTL=no
551
USERCTL=no
552
EOF
552
EOF
553
# Mise à l'heure du serveur
553
# Mise à l'heure du serveur
554
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
554
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
555
	cat <<EOF > /etc/ntp/step-tickers
555
	cat <<EOF > /etc/ntp/step-tickers
556
0.fr.pool.ntp.org	# adapt to your country
556
0.fr.pool.ntp.org	# adapt to your country
557
1.fr.pool.ntp.org
557
1.fr.pool.ntp.org
558
2.fr.pool.ntp.org
558
2.fr.pool.ntp.org
559
EOF
559
EOF
560
# Configuration du serveur de temps (sur lui même)
560
# Configuration du serveur de temps (sur lui même)
561
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
561
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
562
	cat <<EOF > /etc/ntp.conf
562
	cat <<EOF > /etc/ntp.conf
563
server 0.fr.pool.ntp.org	# adapt to your country
563
server 0.fr.pool.ntp.org	# adapt to your country
564
server 1.fr.pool.ntp.org
564
server 1.fr.pool.ntp.org
565
server 2.fr.pool.ntp.org
565
server 2.fr.pool.ntp.org
566
server 127.127.1.0   		# local clock si NTP internet indisponible ...
566
server 127.127.1.0   		# local clock si NTP internet indisponible ...
567
fudge 127.127.1.0 stratum 10
567
fudge 127.127.1.0 stratum 10
568
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
568
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
569
restrict 127.0.0.1
569
restrict 127.0.0.1
570
driftfile /var/lib/ntp/drift
570
driftfile /var/lib/ntp/drift
571
logfile /var/log/ntp.log
571
logfile /var/log/ntp.log
572
EOF
572
EOF
573
 
573
 
574
	chown -R ntp:ntp /var/lib/ntp
574
	chown -R ntp:ntp /var/lib/ntp
575
# Renseignement des fichiers hosts.allow et hosts.deny
575
# Renseignement des fichiers hosts.allow et hosts.deny
576
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
576
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
577
	cat <<EOF > /etc/hosts.allow
577
	cat <<EOF > /etc/hosts.allow
578
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
578
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
579
sshd: ALL
579
sshd: ALL
580
ntpd: $PRIVATE_NETWORK_SHORT
580
ntpd: $PRIVATE_NETWORK_SHORT
581
EOF
581
EOF
582
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
582
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
583
	cat <<EOF > /etc/hosts.deny
583
	cat <<EOF > /etc/hosts.deny
584
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
584
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
585
EOF
585
EOF
586
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
586
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
587
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
587
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
588
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
588
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
589
# load conntrack ftp module
589
# load conntrack ftp module
590
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
590
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
591
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
591
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
592
# load ipt_NETFLOW module
592
# load ipt_NETFLOW module
593
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
593
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
-
 
594
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
-
 
595
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
-
 
596
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
-
 
597
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
-
 
598
$SED "s?\[ -f \$IPTABLE_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
594
# 
599
# 
595
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
600
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
596
} # End of network ()
601
} # End of network ()
597
 
602
 
598
##################################################################
603
##################################################################
599
##			Function "ACC"				##
604
##			Function "ACC"				##
600
## - installation du centre de gestion (ALCASAR Control Center)	##
605
## - installation du centre de gestion (ALCASAR Control Center)	##
601
## - configuration du serveur web (Apache)			##
606
## - configuration du serveur web (Apache)			##
602
## - définition du 1er comptes de gestion 			##
607
## - définition du 1er comptes de gestion 			##
603
## - sécurisation des accès					##
608
## - sécurisation des accès					##
604
##################################################################
609
##################################################################
605
ACC ()
610
ACC ()
606
{
611
{
607
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
612
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
608
	mkdir $DIR_WEB
613
	mkdir $DIR_WEB
609
# Copie et configuration des fichiers du centre de gestion
614
# Copie et configuration des fichiers du centre de gestion
610
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
615
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
611
	echo "$VERSION" > $DIR_WEB/VERSION
616
	echo "$VERSION" > $DIR_WEB/VERSION
612
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
617
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
613
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
618
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
614
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
619
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
615
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
620
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
616
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
621
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
617
	chown -R apache:apache $DIR_WEB/*
622
	chown -R apache:apache $DIR_WEB/*
618
# create the backup structure :
623
# create the backup structure :
619
# - base = users database
624
# - base = users database
620
# - system_backup = alcasar conf file + users database
625
# - system_backup = alcasar conf file + users database
621
# - archive = tarball of "base + http firewall + netflow"
626
# - archive = tarball of "base + http firewall + netflow"
622
# - security = watchdog disconnection)
627
# - security = watchdog disconnection)
623
	for i in system_backup base archive security;
628
	for i in system_backup base archive security;
624
	do
629
	do
625
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
630
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
626
	done
631
	done
627
	chown -R root:apache $DIR_SAVE
632
	chown -R root:apache $DIR_SAVE
628
# Configuration et sécurisation php
633
# Configuration et sécurisation php
629
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
634
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
630
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
635
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
631
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
636
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
632
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
637
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
633
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
638
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
634
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
639
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
635
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
640
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
636
# Configuration et sécurisation Apache
641
# Configuration et sécurisation Apache
637
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
642
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
638
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
643
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
639
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
644
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
640
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
645
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
641
	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
646
	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
642
	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
647
	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
643
	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
648
	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
644
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
649
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
645
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
650
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
646
	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
651
	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
647
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
652
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
648
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
653
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
649
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
654
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
650
	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
655
	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
651
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
656
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
652
	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
657
	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
653
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
658
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
654
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
659
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
655
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
660
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
656
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
661
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
657
</body>
662
</body>
658
</html>
663
</html>
659
EOF
664
EOF
660
# Définition du premier compte lié au profil 'admin'
665
# Définition du premier compte lié au profil 'admin'
661
	header_install
666
	header_install
662
	if [ "$mode" = "install" ]
667
	if [ "$mode" = "install" ]
663
	then
668
	then
664
		admin_portal=!
669
		admin_portal=!
665
		PTN='^[a-zA-Z0-9-]*$'
670
		PTN='^[a-zA-Z0-9-]*$'
666
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
671
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
667
                	do
672
                	do
668
			header_install
673
			header_install
669
			if [ $Lang == "fr" ]
674
			if [ $Lang == "fr" ]
670
			then 
675
			then 
671
				echo ""
676
				echo ""
672
				echo "Définissez un premier compte d'administration du portail :"
677
				echo "Définissez un premier compte d'administration du portail :"
673
				echo
678
				echo
674
				echo -n "Nom : "
679
				echo -n "Nom : "
675
			else
680
			else
676
				echo ""
681
				echo ""
677
				echo "Define the first account allow to administrate the portal :"
682
				echo "Define the first account allow to administrate the portal :"
678
				echo
683
				echo
679
				echo -n "Account : "
684
				echo -n "Account : "
680
			fi
685
			fi
681
			read admin_portal
686
			read admin_portal
682
			if [ "$admin_portal" == "" ]
687
			if [ "$admin_portal" == "" ]
683
				then
688
				then
684
				admin_portal=!
689
				admin_portal=!
685
			fi
690
			fi
686
			done
691
			done
687
# Creation of keys file for the admin account ("admin")
692
# Creation of keys file for the admin account ("admin")
688
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
693
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
689
		mkdir -p $DIR_DEST_ETC/digest
694
		mkdir -p $DIR_DEST_ETC/digest
690
		chmod 755 $DIR_DEST_ETC/digest
695
		chmod 755 $DIR_DEST_ETC/digest
691
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
696
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
692
			do
697
			do
693
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
698
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
694
			done
699
			done
695
		$DIR_DEST_SBIN/alcasar-profil.sh --list
700
		$DIR_DEST_SBIN/alcasar-profil.sh --list
696
	fi
701
	fi
697
# synchronisation horaire
702
# synchronisation horaire
698
	ntpd -q -g &
703
	ntpd -q -g &
699
# Sécurisation du centre
704
# Sécurisation du centre
700
	rm -f /etc/httpd/conf/webapps.d/alcasar*
705
	rm -f /etc/httpd/conf/webapps.d/alcasar*
701
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
706
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
702
<Directory $DIR_ACC>
707
<Directory $DIR_ACC>
703
	SSLRequireSSL
708
	SSLRequireSSL
704
	AllowOverride None
709
	AllowOverride None
705
	Order deny,allow
710
	Order deny,allow
706
	Deny from all
711
	Deny from all
707
	Allow from 127.0.0.1
712
	Allow from 127.0.0.1
708
	Allow from $PRIVATE_NETWORK_MASK
713
	Allow from $PRIVATE_NETWORK_MASK
709
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
714
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
710
	require valid-user
715
	require valid-user
711
	AuthType digest
716
	AuthType digest
712
	AuthName $HOSTNAME.$DOMAIN
717
	AuthName $HOSTNAME.$DOMAIN
713
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
718
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
714
	AuthUserFile $DIR_DEST_ETC/digest/key_all
719
	AuthUserFile $DIR_DEST_ETC/digest/key_all
715
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
720
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
716
</Directory>
721
</Directory>
717
<Directory $DIR_ACC/admin>
722
<Directory $DIR_ACC/admin>
718
	SSLRequireSSL
723
	SSLRequireSSL
719
	AllowOverride None
724
	AllowOverride None
720
	Order deny,allow
725
	Order deny,allow
721
	Deny from all
726
	Deny from all
722
	Allow from 127.0.0.1
727
	Allow from 127.0.0.1
723
	Allow from $PRIVATE_NETWORK_MASK
728
	Allow from $PRIVATE_NETWORK_MASK
724
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
729
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
725
	require valid-user
730
	require valid-user
726
	AuthType digest
731
	AuthType digest
727
	AuthName $HOSTNAME.$DOMAIN
732
	AuthName $HOSTNAME.$DOMAIN
728
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
733
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
729
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
734
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
730
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
735
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
731
</Directory>
736
</Directory>
732
<Directory $DIR_ACC/manager>
737
<Directory $DIR_ACC/manager>
733
	SSLRequireSSL
738
	SSLRequireSSL
734
	AllowOverride None
739
	AllowOverride None
735
	Order deny,allow
740
	Order deny,allow
736
	Deny from all
741
	Deny from all
737
	Allow from 127.0.0.1
742
	Allow from 127.0.0.1
738
	Allow from $PRIVATE_NETWORK_MASK
743
	Allow from $PRIVATE_NETWORK_MASK
739
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
744
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
740
	require valid-user
745
	require valid-user
741
	AuthType digest
746
	AuthType digest
742
	AuthName $HOSTNAME.$DOMAIN
747
	AuthName $HOSTNAME.$DOMAIN
743
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
748
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
744
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
749
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
745
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
750
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
746
</Directory>
751
</Directory>
747
<Directory $DIR_ACC/backup>
752
<Directory $DIR_ACC/backup>
748
	SSLRequireSSL
753
	SSLRequireSSL
749
	AllowOverride None
754
	AllowOverride None
750
	Order deny,allow
755
	Order deny,allow
751
	Deny from all
756
	Deny from all
752
	Allow from 127.0.0.1
757
	Allow from 127.0.0.1
753
	Allow from $PRIVATE_NETWORK_MASK
758
	Allow from $PRIVATE_NETWORK_MASK
754
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
759
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
755
	require valid-user
760
	require valid-user
756
	AuthType digest
761
	AuthType digest
757
	AuthName $HOSTNAME.$DOMAIN
762
	AuthName $HOSTNAME.$DOMAIN
758
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
763
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
759
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
764
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
760
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
765
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
761
</Directory>
766
</Directory>
762
Alias /save/ "$DIR_SAVE/"
767
Alias /save/ "$DIR_SAVE/"
763
<Directory $DIR_SAVE>
768
<Directory $DIR_SAVE>
764
	SSLRequireSSL
769
	SSLRequireSSL
765
	Options Indexes
770
	Options Indexes
766
	Order deny,allow
771
	Order deny,allow
767
	Deny from all
772
	Deny from all
768
	Allow from 127.0.0.1
773
	Allow from 127.0.0.1
769
	Allow from $PRIVATE_NETWORK_MASK
774
	Allow from $PRIVATE_NETWORK_MASK
770
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
775
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
771
	require valid-user
776
	require valid-user
772
	AuthType digest
777
	AuthType digest
773
	AuthName $HOSTNAME.$DOMAIN
778
	AuthName $HOSTNAME.$DOMAIN
774
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
779
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
775
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
780
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
776
</Directory>
781
</Directory>
777
EOF
782
EOF
778
# Launch after coova
783
# Launch after coova
779
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
784
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
780
# Error page management
785
# Error page management
781
FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf`
786
FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf`
782
[ -e $FIC_ERROR_DOC ]  || cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default
787
[ -e $FIC_ERROR_DOC ]  || cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default
783
 
788
 
784
cat <<EOF > $FIC_ERROR_DOC
789
cat <<EOF > $FIC_ERROR_DOC
785
Alias /error/ "/var/www/html/"
790
Alias /error/ "/var/www/html/"
786
 
791
 
787
<Directory "/usr/share/httpd/error">
792
<Directory "/usr/share/httpd/error">
788
    AllowOverride None
793
    AllowOverride None
789
    Options IncludesNoExec
794
    Options IncludesNoExec
790
    AddOutputFilter Includes html
795
    AddOutputFilter Includes html
791
    AddHandler type-map var
796
    AddHandler type-map var
792
    Require all granted
797
    Require all granted
793
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
798
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
794
    ForceLanguagePriority Prefer Fallback
799
    ForceLanguagePriority Prefer Fallback
795
</Directory>
800
</Directory>
796
 
801
 
797
ErrorDocument 400 /error/error.php?error=400
802
ErrorDocument 400 /error/error.php?error=400
798
ErrorDocument 401 /error/error.php?error=401
803
ErrorDocument 401 /error/error.php?error=401
799
ErrorDocument 403 /error/error.php?error=403
804
ErrorDocument 403 /error/error.php?error=403
800
ErrorDocument 404 /error/error.php?error=404
805
ErrorDocument 404 /error/error.php?error=404
801
ErrorDocument 405 /error/error.php?error=405
806
ErrorDocument 405 /error/error.php?error=405
802
ErrorDocument 408 /error/error.php?error=408
807
ErrorDocument 408 /error/error.php?error=408
803
ErrorDocument 410 /error/error.php?error=410
808
ErrorDocument 410 /error/error.php?error=410
804
ErrorDocument 411 /error/error.php?error=411
809
ErrorDocument 411 /error/error.php?error=411
805
ErrorDocument 412 /error/error.php?error=412
810
ErrorDocument 412 /error/error.php?error=412
806
ErrorDocument 413 /error/error.php?error=413
811
ErrorDocument 413 /error/error.php?error=413
807
ErrorDocument 414 /error/error.php?error=414
812
ErrorDocument 414 /error/error.php?error=414
808
ErrorDocument 415 /error/error.php?error=415
813
ErrorDocument 415 /error/error.php?error=415
809
ErrorDocument 500 /error/error.php?error=500
814
ErrorDocument 500 /error/error.php?error=500
810
ErrorDocument 501 /error/error.php?error=501
815
ErrorDocument 501 /error/error.php?error=501
811
ErrorDocument 502 /error/error.php?error=502
816
ErrorDocument 502 /error/error.php?error=502
812
ErrorDocument 503 /error/error.php?error=503
817
ErrorDocument 503 /error/error.php?error=503
813
ErrorDocument 506 /error/error.php?error=506
818
ErrorDocument 506 /error/error.php?error=506
814
EOF
819
EOF
815
 
820
 
816
} # End of ACC ()
821
} # End of ACC ()
817
 
822
 
818
##########################################################################################
823
##########################################################################################
819
##				Fonction "CA"						##
824
##				Fonction "CA"						##
820
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
825
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
821
##########################################################################################
826
##########################################################################################
822
CA ()
827
CA ()
823
{
828
{
824
	$DIR_DEST_BIN/alcasar-CA.sh
829
	$DIR_DEST_BIN/alcasar-CA.sh
825
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
830
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
826
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
831
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
827
	
832
	
828
	#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
833
	#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
829
	#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
834
	#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
830
	#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
835
	#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
831
	
836
	
832
	cat <<EOF > $FIC_VIRTUAL_SSL
837
	cat <<EOF > $FIC_VIRTUAL_SSL
833
# default SSL virtual host, used for all HTTPS requests that do not
838
# default SSL virtual host, used for all HTTPS requests that do not
834
# match a ServerName or ServerAlias in any <VirtualHost> block.
839
# match a ServerName or ServerAlias in any <VirtualHost> block.
835
 
840
 
836
<VirtualHost _default_:443>
841
<VirtualHost _default_:443>
837
# general configuration
842
# general configuration
838
    ServerAdmin root@localhost
843
    ServerAdmin root@localhost
839
    ServerName localhost
844
    ServerName localhost
840
 
845
 
841
# SSL configuration
846
# SSL configuration
842
    SSLEngine on
847
    SSLEngine on
843
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
848
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
844
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
849
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
845
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
850
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
846
    CustomLog logs/ssl_request_log \
851
    CustomLog logs/ssl_request_log \
847
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
852
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
848
    ErrorLog logs/ssl_error_log
853
    ErrorLog logs/ssl_error_log
849
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
854
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
850
</VirtualHost>
855
</VirtualHost>
851
EOF
856
EOF
852
 
857
 
853
	chown -R root:apache /etc/pki
858
	chown -R root:apache /etc/pki
854
	chmod -R 750 /etc/pki
859
	chmod -R 750 /etc/pki
855
} # End of CA ()
860
} # End of CA ()
856
 
861
 
857
##########################################################################################
862
##########################################################################################
858
##			Fonction "init_db"						##
863
##			Fonction "init_db"						##
859
## - Initialisation de la base Mysql							##
864
## - Initialisation de la base Mysql							##
860
## - Affectation du mot de passe de l'administrateur (root)				##
865
## - Affectation du mot de passe de l'administrateur (root)				##
861
## - Suppression des bases et des utilisateurs superflus				##
866
## - Suppression des bases et des utilisateurs superflus				##
862
## - Création de la base 'radius'							##
867
## - Création de la base 'radius'							##
863
## - Installation du schéma de cette base						##
868
## - Installation du schéma de cette base						##
864
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
869
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
865
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
870
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
866
##########################################################################################
871
##########################################################################################
867
init_db ()
872
init_db ()
868
{
873
{
869
	rm -rf /var/lib/mysql # to be sure that there is no former installation
874
	rm -rf /var/lib/mysql # to be sure that there is no former installation
870
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
875
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
871
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
876
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
872
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
877
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
873
	systemctl start mysqld.service
878
	systemctl start mysqld.service
874
	sleep 4
879
	sleep 4
875
	mysqladmin -u root password $mysqlpwd
880
	mysqladmin -u root password $mysqlpwd
876
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
881
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
877
# Secure the server
882
# Secure the server
878
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
883
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
879
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
884
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
880
# Create 'radius' database
885
# Create 'radius' database
881
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
886
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
882
# Add an empty radius database structure
887
# Add an empty radius database structure
883
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
888
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
884
# modify the start script in order to close accounting connexion when the system is comming down or up
889
# modify the start script in order to close accounting connexion when the system is comming down or up
885
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
890
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
886
	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
891
	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
887
	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
892
	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
888
	systemctl daemon-reload
893
	systemctl daemon-reload
889
} # End of init_db ()
894
} # End of init_db ()
890
 
895
 
891
##########################################################################
896
##########################################################################
892
##			Fonction "radius"				##
897
##			Fonction "radius"				##
893
## - Paramètrage des fichiers de configuration FreeRadius		##
898
## - Paramètrage des fichiers de configuration FreeRadius		##
894
## - Affectation du secret partagé entre coova-chilli et freeradius	##
899
## - Affectation du secret partagé entre coova-chilli et freeradius	##
895
## - Modification de fichier de conf pour l'accès à Mysql		##
900
## - Modification de fichier de conf pour l'accès à Mysql		##
896
##########################################################################
901
##########################################################################
897
radius ()
902
radius ()
898
{
903
{
899
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
904
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
900
	chown -R radius:radius /etc/raddb
905
	chown -R radius:radius /etc/raddb
901
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
906
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
902
# Set radius.conf parameters
907
# Set radius.conf parameters
903
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
908
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
904
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
909
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
905
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
910
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
906
# remove the proxy function
911
# remove the proxy function
907
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
912
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
908
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
913
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
909
# remove EAP module
914
# remove EAP module
910
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
915
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
911
# listen on loopback (should be modified later if EAP enabled)
916
# listen on loopback (should be modified later if EAP enabled)
912
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
917
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
913
# enable the  SQL module (and SQL counter)
918
# enable the  SQL module (and SQL counter)
914
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
919
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
915
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
920
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
916
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
921
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
917
# only include modules for ALCASAR needs
922
# only include modules for ALCASAR needs
918
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
923
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
919
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
924
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
920
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
925
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
921
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
926
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
922
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
927
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
923
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
928
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
924
# remvove virtual server and copy our conf file
929
# remvove virtual server and copy our conf file
925
	rm -f /etc/raddb/sites-enabled/*
930
	rm -f /etc/raddb/sites-enabled/*
926
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
931
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
927
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
932
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
928
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
933
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
929
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
934
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
930
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
935
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
931
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
936
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
932
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
937
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
933
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
938
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
934
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
939
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
935
	cat << EOF > /etc/raddb/clients.conf
940
	cat << EOF > /etc/raddb/clients.conf
936
client 127.0.0.1 {
941
client 127.0.0.1 {
937
	secret = $secretradius
942
	secret = $secretradius
938
	shortname = localhost
943
	shortname = localhost
939
}
944
}
940
EOF
945
EOF
941
# sql.conf modification
946
# sql.conf modification
942
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
947
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
943
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
948
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
944
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
949
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
945
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
950
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
946
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
951
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
947
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
952
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
948
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
953
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
949
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
954
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
950
# counter.conf modification (change the Max-All-Session-Time counter)
955
# counter.conf modification (change the Max-All-Session-Time counter)
951
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
956
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
952
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
957
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
953
	chown -R radius:radius /etc/raddb/sql/mysql/*
958
	chown -R radius:radius /etc/raddb/sql/mysql/*
954
# make certain that mysql is up before radius start
959
# make certain that mysql is up before radius start
955
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
960
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
956
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
961
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
957
	systemctl daemon-reload
962
	systemctl daemon-reload
958
} # End radius ()
963
} # End radius ()
959
 
964
 
960
##########################################################################
965
##########################################################################
961
##			Function "radius_web"				##
966
##			Function "radius_web"				##
962
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
967
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
963
## - Création du lien vers la page de changement de mot de passe        ##
968
## - Création du lien vers la page de changement de mot de passe        ##
964
##########################################################################
969
##########################################################################
965
radius_web ()
970
radius_web ()
966
{
971
{
967
# copie de l'interface d'origine dans la structure Alcasar
972
# copie de l'interface d'origine dans la structure Alcasar
968
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
973
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
969
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
974
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
970
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
975
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
971
# copie des fichiers modifiés
976
# copie des fichiers modifiés
972
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
977
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
973
	chown -R apache:apache $DIR_ACC/manager/
978
	chown -R apache:apache $DIR_ACC/manager/
974
# Modification des fichiers de configuration
979
# Modification des fichiers de configuration
975
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
980
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
976
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
981
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
977
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
982
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
978
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
983
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
979
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
984
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
980
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
985
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
981
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
986
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
982
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
987
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
983
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
988
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
984
	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
989
	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
985
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
990
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
986
	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
991
	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
987
	cat <<EOF > /etc/freeradius-web/naslist.conf
992
	cat <<EOF > /etc/freeradius-web/naslist.conf
988
nas1_name: alcasar-$ORGANISME
993
nas1_name: alcasar-$ORGANISME
989
nas1_model: Portail captif
994
nas1_model: Portail captif
990
nas1_ip: $PRIVATE_IP
995
nas1_ip: $PRIVATE_IP
991
nas1_port_num: 0
996
nas1_port_num: 0
992
nas1_community: public
997
nas1_community: public
993
EOF
998
EOF
994
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
999
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
995
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1000
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
996
	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
1001
	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
997
# Ajout du mappage des attributs chillispot
1002
# Ajout du mappage des attributs chillispot
998
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1003
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
999
	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1004
	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1000
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1005
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1001
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1006
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1002
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
1007
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
1003
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
1008
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
1004
	chown -R apache:apache /etc/freeradius-web
1009
	chown -R apache:apache /etc/freeradius-web
1005
# Ajout de l'alias vers la page de "changement de mot de passe usager"
1010
# Ajout de l'alias vers la page de "changement de mot de passe usager"
1006
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
1011
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
1007
<Directory $DIR_WEB/pass>
1012
<Directory $DIR_WEB/pass>
1008
	SSLRequireSSL
1013
	SSLRequireSSL
1009
	AllowOverride None
1014
	AllowOverride None
1010
	Order deny,allow
1015
	Order deny,allow
1011
	Deny from all
1016
	Deny from all
1012
	Allow from 127.0.0.1
1017
	Allow from 127.0.0.1
1013
	Allow from $PRIVATE_NETWORK_MASK
1018
	Allow from $PRIVATE_NETWORK_MASK
1014
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1019
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1015
</Directory>
1020
</Directory>
1016
EOF
1021
EOF
1017
} # End of radius_web ()
1022
} # End of radius_web ()
1018
 
1023
 
1019
##################################################################################
1024
##################################################################################
1020
##			Fonction "chilli"					##
1025
##			Fonction "chilli"					##
1021
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1026
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1022
## - Paramètrage de la page d'authentification (intercept.php)			##
1027
## - Paramètrage de la page d'authentification (intercept.php)			##
1023
##################################################################################
1028
##################################################################################
1024
chilli ()
1029
chilli ()
1025
{
1030
{
1026
# chilli unit for systemd
1031
# chilli unit for systemd
1027
cat << EOF > /lib/systemd/system/chilli.service
1032
cat << EOF > /lib/systemd/system/chilli.service
1028
#  This file is part of systemd.
1033
#  This file is part of systemd.
1029
#
1034
#
1030
#  systemd is free software; you can redistribute it and/or modify it
1035
#  systemd is free software; you can redistribute it and/or modify it
1031
#  under the terms of the GNU General Public License as published by
1036
#  under the terms of the GNU General Public License as published by
1032
#  the Free Software Foundation; either version 2 of the License, or
1037
#  the Free Software Foundation; either version 2 of the License, or
1033
#  (at your option) any later version.
1038
#  (at your option) any later version.
1034
[Unit]
1039
[Unit]
1035
Description=chilli is a captive portal daemon
1040
Description=chilli is a captive portal daemon
1036
After=network.target
1041
After=network.target
1037
 
1042
 
1038
[Service]
1043
[Service]
1039
Type=forking
1044
Type=forking
1040
ExecStart=/usr/libexec/chilli start
1045
ExecStart=/usr/libexec/chilli start
1041
ExecStop=/usr/libexec/chilli stop
1046
ExecStop=/usr/libexec/chilli stop
1042
ExecReload=/usr/libexec/chilli reload
1047
ExecReload=/usr/libexec/chilli reload
1043
PIDFile=/var/run/chilli.pid
1048
PIDFile=/var/run/chilli.pid
1044
 
1049
 
1045
[Install]
1050
[Install]
1046
WantedBy=multi-user.target
1051
WantedBy=multi-user.target
1047
EOF
1052
EOF
1048
# init file creation
1053
# init file creation
1049
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1054
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1050
	cat <<EOF > /usr/libexec/chilli
1055
	cat <<EOF > /usr/libexec/chilli
1051
#!/bin/sh
1056
#!/bin/sh
1052
#
1057
#
1053
# chilli CoovaChilli init
1058
# chilli CoovaChilli init
1054
#
1059
#
1055
# chkconfig: 2345 65 35
1060
# chkconfig: 2345 65 35
1056
# description: CoovaChilli
1061
# description: CoovaChilli
1057
### BEGIN INIT INFO
1062
### BEGIN INIT INFO
1058
# Provides:       chilli
1063
# Provides:       chilli
1059
# Required-Start: network 
1064
# Required-Start: network 
1060
# Should-Start: 
1065
# Should-Start: 
1061
# Required-Stop:  network
1066
# Required-Stop:  network
1062
# Should-Stop: 
1067
# Should-Stop: 
1063
# Default-Start:  2 3 5
1068
# Default-Start:  2 3 5
1064
# Default-Stop:
1069
# Default-Stop:
1065
# Description:    CoovaChilli access controller
1070
# Description:    CoovaChilli access controller
1066
### END INIT INFO
1071
### END INIT INFO
1067
 
1072
 
1068
[ -f /usr/sbin/chilli ] || exit 0
1073
[ -f /usr/sbin/chilli ] || exit 0
1069
. /etc/init.d/functions
1074
. /etc/init.d/functions
1070
CONFIG=/etc/chilli.conf
1075
CONFIG=/etc/chilli.conf
1071
pidfile=/var/run/chilli.pid
1076
pidfile=/var/run/chilli.pid
1072
[ -f \$CONFIG ] || {
1077
[ -f \$CONFIG ] || {
1073
    echo "\$CONFIG Not found"
1078
    echo "\$CONFIG Not found"
1074
    exit 0
1079
    exit 0
1075
}
1080
}
1076
RETVAL=0
1081
RETVAL=0
1077
prog="chilli"
1082
prog="chilli"
1078
case \$1 in
1083
case \$1 in
1079
    start)
1084
    start)
1080
	if [ -f \$pidfile ] ; then 
1085
	if [ -f \$pidfile ] ; then 
1081
		gprintf "chilli is already running"
1086
		gprintf "chilli is already running"
1082
	else
1087
	else
1083
        	gprintf "Starting \$prog: "
1088
        	gprintf "Starting \$prog: "
1084
		rm -f /var/run/chilli* # cleaning
1089
		rm -f /var/run/chilli* # cleaning
1085
        	/sbin/modprobe tun >/dev/null 2>&1
1090
        	/sbin/modprobe tun >/dev/null 2>&1
1086
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1091
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1087
		[ -e /dev/net/tun ] || {
1092
		[ -e /dev/net/tun ] || {
1088
	    	(cd /dev; 
1093
	    	(cd /dev; 
1089
			mkdir net; 
1094
			mkdir net; 
1090
			cd net; 
1095
			cd net; 
1091
			mknod tun c 10 200)
1096
			mknod tun c 10 200)
1092
		}
1097
		}
1093
		ifconfig $INTIF 0.0.0.0
1098
		ifconfig $INTIF 0.0.0.0
1094
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1099
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1095
        	RETVAL=$?
1100
        	RETVAL=$?
1096
	fi
1101
	fi
1097
	;;
1102
	;;
1098
 
1103
 
1099
    reload)
1104
    reload)
1100
	killall -HUP chilli
1105
	killall -HUP chilli
1101
	;;
1106
	;;
1102
 
1107
 
1103
    restart)
1108
    restart)
1104
	\$0 stop
1109
	\$0 stop
1105
        sleep 2
1110
        sleep 2
1106
	\$0 start
1111
	\$0 start
1107
	;;
1112
	;;
1108
    
1113
    
1109
    status)
1114
    status)
1110
        status chilli
1115
        status chilli
1111
        RETVAL=0
1116
        RETVAL=0
1112
        ;;
1117
        ;;
1113
 
1118
 
1114
    stop)
1119
    stop)
1115
	if [ -f \$pidfile ] ; then  
1120
	if [ -f \$pidfile ] ; then  
1116
        	gprintf "Shutting down \$prog: "
1121
        	gprintf "Shutting down \$prog: "
1117
		killproc /usr/sbin/chilli
1122
		killproc /usr/sbin/chilli
1118
		RETVAL=\$?
1123
		RETVAL=\$?
1119
		[ \$RETVAL = 0 ] && rm -f $pidfile
1124
		[ \$RETVAL = 0 ] && rm -f $pidfile
1120
	else	
1125
	else	
1121
        	gprintf "chilli is not running"
1126
        	gprintf "chilli is not running"
1122
	fi
1127
	fi
1123
	;;
1128
	;;
1124
    
1129
    
1125
    *)
1130
    *)
1126
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1131
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1127
        exit 1
1132
        exit 1
1128
esac
1133
esac
1129
echo
1134
echo
1130
EOF
1135
EOF
1131
chmod a+x /usr/libexec/chilli
1136
chmod a+x /usr/libexec/chilli
1132
# conf file creation
1137
# conf file creation
1133
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1138
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1134
	cat <<EOF > /etc/chilli.conf
1139
	cat <<EOF > /etc/chilli.conf
1135
# coova config for ALCASAR
1140
# coova config for ALCASAR
1136
cmdsocket	/var/run/chilli.sock
1141
cmdsocket	/var/run/chilli.sock
1137
unixipc		chilli.$INTIF.ipc
1142
unixipc		chilli.$INTIF.ipc
1138
pidfile		/var/run/chilli.$INTIF.pid
1143
pidfile		/var/run/chilli.$INTIF.pid
1139
net		$PRIVATE_NETWORK_MASK
1144
net		$PRIVATE_NETWORK_MASK
1140
dhcpif		$INTIF
1145
dhcpif		$INTIF
1141
ethers		$DIR_DEST_ETC/alcasar-ethers
1146
ethers		$DIR_DEST_ETC/alcasar-ethers
1142
#nodynip
1147
#nodynip
1143
#statip
1148
#statip
1144
dynip		$PRIVATE_NETWORK_MASK
1149
dynip		$PRIVATE_NETWORK_MASK
1145
domain		$DOMAIN
1150
domain		$DOMAIN
1146
dns1		$PRIVATE_IP
1151
dns1		$PRIVATE_IP
1147
dns2		$PRIVATE_IP
1152
dns2		$PRIVATE_IP
1148
uamlisten	$PRIVATE_IP
1153
uamlisten	$PRIVATE_IP
1149
uamport		3990
1154
uamport		3990
1150
macauth
1155
macauth
1151
macpasswd	password
1156
macpasswd	password
1152
locationname	$HOSTNAME.$DOMAIN
1157
locationname	$HOSTNAME.$DOMAIN
1153
radiusserver1	127.0.0.1
1158
radiusserver1	127.0.0.1
1154
radiusserver2	127.0.0.1
1159
radiusserver2	127.0.0.1
1155
radiussecret	$secretradius
1160
radiussecret	$secretradius
1156
radiusauthport	1812
1161
radiusauthport	1812
1157
radiusacctport	1813
1162
radiusacctport	1813
1158
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1163
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1159
radiusnasid	$HOSTNAME.$DOMAIN
1164
radiusnasid	$HOSTNAME.$DOMAIN
1160
uamsecret	$secretuam
1165
uamsecret	$secretuam
1161
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1166
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1162
coaport		3799
1167
coaport		3799
1163
conup		$DIR_DEST_BIN/alcasar-conup.sh
1168
conup		$DIR_DEST_BIN/alcasar-conup.sh
1164
condown		$DIR_DEST_BIN/alcasar-condown.sh
1169
condown		$DIR_DEST_BIN/alcasar-condown.sh
1165
include		$DIR_DEST_ETC/alcasar-uamallowed
1170
include		$DIR_DEST_ETC/alcasar-uamallowed
1166
include		$DIR_DEST_ETC/alcasar-uamdomain
1171
include		$DIR_DEST_ETC/alcasar-uamdomain
1167
#dhcpgateway
1172
#dhcpgateway
1168
#dhcprelayagent
1173
#dhcprelayagent
1169
#dhcpgatewayport
1174
#dhcpgatewayport
1170
EOF
1175
EOF
1171
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1176
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1172
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1177
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1173
# create files for trusted domains and urls
1178
# create files for trusted domains and urls
1174
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1179
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1175
	chown root:apache $DIR_DEST_ETC/alcasar-*
1180
	chown root:apache $DIR_DEST_ETC/alcasar-*
1176
	chmod 660 $DIR_DEST_ETC/alcasar-*
1181
	chmod 660 $DIR_DEST_ETC/alcasar-*
1177
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1182
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1178
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1183
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1179
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1184
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1180
# user 'chilli' creation (in order to run conup/off and up/down scripts
1185
# user 'chilli' creation (in order to run conup/off and up/down scripts
1181
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1186
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1182
	if [ "$chilli_exist" == "1" ]
1187
	if [ "$chilli_exist" == "1" ]
1183
	then
1188
	then
1184
	      userdel -r chilli 2>/dev/null
1189
	      userdel -r chilli 2>/dev/null
1185
	fi
1190
	fi
1186
	groupadd -f chilli
1191
	groupadd -f chilli
1187
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1192
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1188
}  # End of chilli ()
1193
}  # End of chilli ()
1189
 
1194
 
1190
##################################################################
1195
##################################################################
1191
##		Fonction "dansguardian"				##
1196
##		Fonction "dansguardian"				##
1192
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1197
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1193
##################################################################
1198
##################################################################
1194
dansguardian ()
1199
dansguardian ()
1195
{
1200
{
1196
	mkdir /var/dansguardian
1201
	mkdir /var/dansguardian
1197
	chown dansguardian /var/dansguardian
1202
	chown dansguardian /var/dansguardian
1198
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1203
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1199
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1204
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1200
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1205
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1201
# By default the filter is off 
1206
# By default the filter is off 
1202
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1207
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1203
# French deny HTML page
1208
# French deny HTML page
1204
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1209
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1205
# Listen only on LAN side
1210
# Listen only on LAN side
1206
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1211
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1207
# DG send its flow to HAVP
1212
# DG send its flow to HAVP
1208
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1213
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1209
# replace the default deny HTML page
1214
# replace the default deny HTML page
1210
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1215
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1211
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1216
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1212
# Don't log
1217
# Don't log
1213
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1218
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1214
# Run 10 daemons (20 in largest server)
1219
# Run 10 daemons (20 in largest server)
1215
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1220
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1216
# on désactive par défaut le controle de contenu des pages html
1221
# on désactive par défaut le controle de contenu des pages html
1217
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1222
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1218
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1223
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1219
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1224
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1220
# on désactive par défaut le contrôle d'URL par expressions régulières
1225
# on désactive par défaut le contrôle d'URL par expressions régulières
1221
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1226
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1222
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1227
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1223
# on désactive par défaut le contrôle de téléchargement de fichiers
1228
# on désactive par défaut le contrôle de téléchargement de fichiers
1224
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1229
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1225
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1230
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1226
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1231
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1227
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1232
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1228
	touch $DIR_DG/lists/bannedextensionlist
1233
	touch $DIR_DG/lists/bannedextensionlist
1229
	touch $DIR_DG/lists/bannedmimetypelist
1234
	touch $DIR_DG/lists/bannedmimetypelist
1230
# 'Safesearch' regex actualisation
1235
# 'Safesearch' regex actualisation
1231
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1236
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1232
# empty LAN IP list that won't be WEB filtered
1237
# empty LAN IP list that won't be WEB filtered
1233
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1238
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1234
	touch $DIR_DG/lists/exceptioniplist
1239
	touch $DIR_DG/lists/exceptioniplist
1235
# Keep a copy of URL & domain filter configuration files
1240
# Keep a copy of URL & domain filter configuration files
1236
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1241
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1237
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1242
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1238
} # End of dansguardian ()
1243
} # End of dansguardian ()
1239
 
1244
 
1240
##################################################################
1245
##################################################################
1241
##			Fonction "antivirus"			##
1246
##			Fonction "antivirus"			##
1242
## - configuration of havp, libclamav and freshclam		##
1247
## - configuration of havp, libclamav and freshclam		##
1243
##################################################################
1248
##################################################################
1244
antivirus ()		
1249
antivirus ()		
1245
{
1250
{
1246
# create 'havp' user
1251
# create 'havp' user
1247
	havp_exist=`grep havp /etc/passwd|wc -l`
1252
	havp_exist=`grep havp /etc/passwd|wc -l`
1248
	if [ "$havp_exist" == "1" ]
1253
	if [ "$havp_exist" == "1" ]
1249
	then
1254
	then
1250
	      userdel -r havp 2>/dev/null
1255
	      userdel -r havp 2>/dev/null
1251
	      groupdel havp 2>/dev/null
1256
	      groupdel havp 2>/dev/null
1252
	fi
1257
	fi
1253
	groupadd -f havp
1258
	groupadd -f havp
1254
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1259
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1255
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1260
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1256
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1261
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1257
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1262
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1258
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1263
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1259
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1264
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1260
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1265
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1261
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1266
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1262
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1267
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1263
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1268
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1264
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1269
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1265
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1270
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1266
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1271
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1267
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1272
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1268
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1273
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1269
# skip checking of youtube flow (too heavy load / risk too low)
1274
# skip checking of youtube flow (too heavy load / risk too low)
1270
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1275
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1271
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1276
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1272
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1277
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1273
# replacement of init script
1278
# replacement of init script
1274
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1279
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1275
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1280
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1276
# replace of the intercept page (template)
1281
# replace of the intercept page (template)
1277
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1282
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1278
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1283
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1279
# update virus database every 4 hours (24h/6)
1284
# update virus database every 4 hours (24h/6)
1280
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1285
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1281
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1286
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1282
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1287
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1283
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1288
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1284
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1289
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1285
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1290
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1286
# update now
1291
# update now
1287
	/usr/bin/freshclam --no-warnings
1292
	/usr/bin/freshclam --no-warnings
1288
} # End of antivirus ()
1293
} # End of antivirus ()
1289
 
1294
 
1290
##########################################################################
1295
##########################################################################
1291
##			Fonction "tinyproxy"				##
1296
##			Fonction "tinyproxy"				##
1292
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1297
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1293
##########################################################################
1298
##########################################################################
1294
tinyproxy ()		
1299
tinyproxy ()		
1295
{
1300
{
1296
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1301
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1297
	if [ "$tinyproxy_exist" == "1" ]
1302
	if [ "$tinyproxy_exist" == "1" ]
1298
	then
1303
	then
1299
	      userdel -r tinyproxy 2>/dev/null
1304
	      userdel -r tinyproxy 2>/dev/null
1300
	      groupdel tinyproxy 2>/dev/null
1305
	      groupdel tinyproxy 2>/dev/null
1301
	fi
1306
	fi
1302
	groupadd -f tinyproxy
1307
	groupadd -f tinyproxy
1303
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1308
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1304
	mkdir -p /var/run/tinyproxy
1309
	mkdir -p /var/run/tinyproxy
1305
	chown tinyproxy:tinyproxy /var/run/tinyproxy
1310
	chown tinyproxy:tinyproxy /var/run/tinyproxy
1306
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1311
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1307
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1312
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1308
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1313
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1309
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1314
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1310
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1315
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1311
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1316
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1312
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1317
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1313
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1318
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1314
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1319
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1315
# Create the systemd unit
1320
# Create the systemd unit
1316
cat << EOF > /lib/systemd/system/tinyproxy.service
1321
cat << EOF > /lib/systemd/system/tinyproxy.service
1317
#  This file is part of systemd.
1322
#  This file is part of systemd.
1318
#
1323
#
1319
#  systemd is free software; you can redistribute it and/or modify it
1324
#  systemd is free software; you can redistribute it and/or modify it
1320
#  under the terms of the GNU General Public License as published by
1325
#  under the terms of the GNU General Public License as published by
1321
#  the Free Software Foundation; either version 2 of the License, or
1326
#  the Free Software Foundation; either version 2 of the License, or
1322
#  (at your option) any later version.
1327
#  (at your option) any later version.
1323
 
1328
 
1324
# This unit launches tinyproxy (a very light proxy).
1329
# This unit launches tinyproxy (a very light proxy).
1325
[Unit]
1330
[Unit]
1326
Description=Tinyproxy Web Proxy Server
1331
Description=Tinyproxy Web Proxy Server
1327
After=network.target iptables.service
1332
After=network.target iptables.service
1328
 
1333
 
1329
[Service]
1334
[Service]
1330
Type=forking
1335
Type=forking
1331
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1336
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1332
 
1337
 
1333
[Install]
1338
[Install]
1334
WantedBy=multi-user.target
1339
WantedBy=multi-user.target
1335
EOF
1340
EOF
1336
 
1341
 
1337
} # end of tinyproxy
1342
} # end of tinyproxy
1338
##################################################################################
1343
##################################################################################
1339
##			function "ulogd"					##
1344
##			function "ulogd"					##
1340
## - Ulog config for multi-log files 						##
1345
## - Ulog config for multi-log files 						##
1341
##################################################################################
1346
##################################################################################
1342
ulogd ()
1347
ulogd ()
1343
{
1348
{
1344
# Three instances of ulogd (three different logfiles)
1349
# Three instances of ulogd (three different logfiles)
1345
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1350
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1346
	nl=1
1351
	nl=1
1347
	for log_type in traceability ssh ext-access
1352
	for log_type in traceability ssh ext-access
1348
	do
1353
	do
1349
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1354
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1350
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1355
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1351
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1356
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1352
		$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf 
1357
		$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf 
1353
		cat << EOF >> /etc/ulogd-$log_type.conf
1358
		cat << EOF >> /etc/ulogd-$log_type.conf
1354
[emu1]
1359
[emu1]
1355
file="/var/log/firewall/$log_type.log"
1360
file="/var/log/firewall/$log_type.log"
1356
sync=1
1361
sync=1
1357
EOF
1362
EOF
1358
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1363
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1359
		nl=`expr $nl + 1`
1364
		nl=`expr $nl + 1`
1360
	done
1365
	done
1361
	chown -R root:apache /var/log/firewall
1366
	chown -R root:apache /var/log/firewall
1362
	chmod 750 /var/log/firewall
1367
	chmod 750 /var/log/firewall
1363
	chmod 640 /var/log/firewall/*
1368
	chmod 640 /var/log/firewall/*
1364
}  # End of ulogd ()
1369
}  # End of ulogd ()
1365
 
1370
 
1366
 
1371
 
1367
##########################################################
1372
##########################################################
1368
##              Function "nfsen"			##
1373
##              Function "nfsen"			##
1369
##########################################################
1374
##########################################################
1370
nfsen()
1375
nfsen()
1371
{
1376
{
1372
	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1377
	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1373
# Add PortTracker plugin
1378
# Add PortTracker plugin
1374
	for i in /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1379
	for i in /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1375
	do
1380
	do
1376
	[ ! -d $i ] && mkdir $i && chown -R apache:apache $i
1381
	[ ! -d $i ] && mkdir $i && chown -R apache:apache $i
1377
	done
1382
	done
1378
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\"?g" /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm
1383
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\"?g" /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm
1379
# use of our conf file and init unit
1384
# use of our conf file and init unit
1380
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1385
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1381
# Installation of nfsen
1386
# Installation of nfsen
1382
	DirTmp=$(pwd)
1387
	DirTmp=$(pwd)
1383
	cd /tmp/nfsen-1.3.6p1/
1388
	cd /tmp/nfsen-1.3.6p1/
1384
	/usr/bin/perl5 install.pl etc/nfsen.conf
1389
	/usr/bin/perl5 install.pl etc/nfsen.conf
1385
	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1390
	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1386
# Create RRD DB for porttracker (only in it still doesn't exist)
1391
# Create RRD DB for porttracker (only in it still doesn't exist)
1387
	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1392
	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1388
	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1393
	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1389
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1394
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1390
	chmod -R 770 /var/log/netflow/porttracker
1395
	chmod -R 770 /var/log/netflow/porttracker
1391
# Apache conf file
1396
# Apache conf file
1392
	cat << EOF > /etc/httpd/conf/conf.d/nfsen.conf
1397
	cat << EOF > /etc/httpd/conf/conf.d/nfsen.conf
1393
Alias /nfsen /var/www/nfsen 
1398
Alias /nfsen /var/www/nfsen 
1394
<Directory /var/www/nfsen/> 
1399
<Directory /var/www/nfsen/> 
1395
DirectoryIndex nfsen.php 
1400
DirectoryIndex nfsen.php 
1396
Options -Indexes 
1401
Options -Indexes 
1397
AllowOverride all 
1402
AllowOverride all 
1398
order allow,deny 
1403
order allow,deny 
1399
allow from all 
1404
allow from all 
1400
AddType application/x-httpd-php .php 
1405
AddType application/x-httpd-php .php 
1401
php_flag magic_quotes_gpc on 
1406
php_flag magic_quotes_gpc on 
1402
php_flag track_vars on 
1407
php_flag track_vars on 
1403
</Directory>
1408
</Directory>
1404
EOF
1409
EOF
1405
# nfsen unit for systemd
1410
# nfsen unit for systemd
1406
cat << EOF > /lib/systemd/system/nfsen.service
1411
cat << EOF > /lib/systemd/system/nfsen.service
1407
#  This file is part of systemd.
1412
#  This file is part of systemd.
1408
#
1413
#
1409
#  systemd is free software; you can redistribute it and/or modify it
1414
#  systemd is free software; you can redistribute it and/or modify it
1410
#  under the terms of the GNU General Public License as published by
1415
#  under the terms of the GNU General Public License as published by
1411
#  the Free Software Foundation; either version 2 of the License, or
1416
#  the Free Software Foundation; either version 2 of the License, or
1412
#  (at your option) any later version.
1417
#  (at your option) any later version.
1413
 
1418
 
1414
# This unit launches nfsen (a Netflow grapher).
1419
# This unit launches nfsen (a Netflow grapher).
1415
[Unit]
1420
[Unit]
1416
Description= NfSen init script
1421
Description= NfSen init script
1417
After=network.target iptables.service
1422
After=network.target iptables.service
1418
 
1423
 
1419
[Service]
1424
[Service]
1420
Type=oneshot
1425
Type=oneshot
1421
RemainAfterExit=yes
1426
RemainAfterExit=yes
1422
PIDFile=/var/run/nfsen/nfsen.pid
1427
PIDFile=/var/run/nfsen/nfsen.pid
1423
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1428
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1424
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1429
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1425
ExecStart=/usr/bin/nfsen start 
1430
ExecStart=/usr/bin/nfsen start 
1426
ExecStop=/usr/bin/nfsen stop
1431
ExecStop=/usr/bin/nfsen stop
1427
ExecReload=/usr/bin/nfsen restart
1432
ExecReload=/usr/bin/nfsen restart
1428
TimeoutSec=0
1433
TimeoutSec=0
1429
 
1434
 
1430
[Install]
1435
[Install]
1431
WantedBy=multi-user.target
1436
WantedBy=multi-user.target
1432
EOF
1437
EOF
1433
# Add the listen port to collect netflow packet (nfcapd)
1438
# Add the listen port to collect netflow packet (nfcapd)
1434
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1439
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1435
# expire delay for the profile "live"
1440
# expire delay for the profile "live"
1436
	systemctl start nfsen
1441
	systemctl start nfsen
1437
	/bin/nfsen -m live -e 62d 2>/dev/null
1442
	/bin/nfsen -m live -e 62d 2>/dev/null
1438
# add SURFmap plugin
1443
# add SURFmap plugin
1439
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1444
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1440
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1445
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1441
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1446
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1442
	cd /tmp/
1447
	cd /tmp/
1443
	/usr/bin/sh SURFmap/install.sh
1448
	/usr/bin/sh SURFmap/install.sh
1444
# clear the installation
1449
# clear the installation
1445
	cd $DirTmp
1450
	cd $DirTmp
1446
	rm -rf /tmp/nfsen*
1451
	rm -rf /tmp/nfsen*
1447
	rm -rf /tmp/SURFmap*
1452
	rm -rf /tmp/SURFmap*
1448
} # End of nfsen ()
1453
} # End of nfsen ()
1449
 
1454
 
1450
##################################################
1455
##################################################
1451
##		Function "dnsmasq"		##
1456
##		Function "dnsmasq"		##
1452
##################################################
1457
##################################################
1453
dnsmasq ()
1458
dnsmasq ()
1454
{
1459
{
1455
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1460
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1456
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1461
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1457
	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1462
	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1458
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1463
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1459
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1464
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1460
	cat << EOF > /etc/dnsmasq.conf 
1465
	cat << EOF > /etc/dnsmasq.conf 
1461
# Configuration file for "dnsmasq in forward mode"
1466
# Configuration file for "dnsmasq in forward mode"
1462
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1467
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1463
listen-address=$PRIVATE_IP
1468
listen-address=$PRIVATE_IP
1464
pid-file=/var/run/dnsmasq.pid
1469
pid-file=/var/run/dnsmasq.pid
1465
listen-address=127.0.0.1
1470
listen-address=127.0.0.1
1466
no-dhcp-interface=$INTIF
1471
no-dhcp-interface=$INTIF
1467
no-dhcp-interface=tun0
1472
no-dhcp-interface=tun0
1468
no-dhcp-interface=lo
1473
no-dhcp-interface=lo
1469
bind-interfaces
1474
bind-interfaces
1470
cache-size=256
1475
cache-size=256
1471
domain=$DOMAIN
1476
domain=$DOMAIN
1472
domain-needed
1477
domain-needed
1473
expand-hosts
1478
expand-hosts
1474
bogus-priv
1479
bogus-priv
1475
filterwin2k
1480
filterwin2k
1476
server=$DNS1
1481
server=$DNS1
1477
server=$DNS2
1482
server=$DNS2
1478
# DHCP service is configured. It will be enabled in "bypass" mode
1483
# DHCP service is configured. It will be enabled in "bypass" mode
1479
dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1484
dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1480
dhcp-option=option:router,$PRIVATE_IP
1485
dhcp-option=option:router,$PRIVATE_IP
1481
dhcp-option=option:ntp-server,$PRIVATE_IP
1486
dhcp-option=option:ntp-server,$PRIVATE_IP
1482
 
1487
 
1483
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1488
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1484
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1489
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1485
EOF
1490
EOF
1486
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1491
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1487
	cat << EOF > /etc/dnsmasq-blacklist.conf 
1492
	cat << EOF > /etc/dnsmasq-blacklist.conf 
1488
# Configuration file for "dnsmasq with blacklist"
1493
# Configuration file for "dnsmasq with blacklist"
1489
# Add Toulouse blacklist domains
1494
# Add Toulouse blacklist domains
1490
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1495
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1491
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1496
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1492
pid-file=/var/run/dnsmasq-blacklist.pid
1497
pid-file=/var/run/dnsmasq-blacklist.pid
1493
listen-address=$PRIVATE_IP
1498
listen-address=$PRIVATE_IP
1494
port=54
1499
port=54
1495
no-dhcp-interface=$INTIF
1500
no-dhcp-interface=$INTIF
1496
no-dhcp-interface=tun0
1501
no-dhcp-interface=tun0
1497
no-dhcp-interface=lo
1502
no-dhcp-interface=lo
1498
bind-interfaces
1503
bind-interfaces
1499
cache-size=256
1504
cache-size=256
1500
domain=$DOMAIN
1505
domain=$DOMAIN
1501
domain-needed
1506
domain-needed
1502
expand-hosts
1507
expand-hosts
1503
bogus-priv
1508
bogus-priv
1504
filterwin2k
1509
filterwin2k
1505
server=$DNS1
1510
server=$DNS1
1506
server=$DNS2
1511
server=$DNS2
1507
EOF
1512
EOF
1508
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1513
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1509
	cat << EOF > /etc/dnsmasq-whitelist.conf 
1514
	cat << EOF > /etc/dnsmasq-whitelist.conf 
1510
# Configuration file for "dnsmasq with whitelist"
1515
# Configuration file for "dnsmasq with whitelist"
1511
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1516
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1512
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1517
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1513
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1518
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1514
pid-file=/var/run/dnsmasq-whitelist.pid
1519
pid-file=/var/run/dnsmasq-whitelist.pid
1515
listen-address=$PRIVATE_IP
1520
listen-address=$PRIVATE_IP
1516
port=55
1521
port=55
1517
no-dhcp-interface=$INTIF
1522
no-dhcp-interface=$INTIF
1518
no-dhcp-interface=tun0
1523
no-dhcp-interface=tun0
1519
no-dhcp-interface=lo
1524
no-dhcp-interface=lo
1520
bind-interfaces
1525
bind-interfaces
1521
cache-size=256
1526
cache-size=256
1522
domain=$DOMAIN
1527
domain=$DOMAIN
1523
domain-needed
1528
domain-needed
1524
expand-hosts
1529
expand-hosts
1525
bogus-priv
1530
bogus-priv
1526
filterwin2k
1531
filterwin2k
1527
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1532
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1528
ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1533
ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1529
EOF
1534
EOF
1530
# 4th dnsmasq listen on udp 56 ("blackhole")
1535
# 4th dnsmasq listen on udp 56 ("blackhole")
1531
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1536
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1532
# Configuration file for "dnsmasq as a blackhole"
1537
# Configuration file for "dnsmasq as a blackhole"
1533
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1538
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1534
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1539
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1535
pid-file=/var/run/dnsmasq-blackhole.pid
1540
pid-file=/var/run/dnsmasq-blackhole.pid
1536
listen-address=$PRIVATE_IP
1541
listen-address=$PRIVATE_IP
1537
port=56
1542
port=56
1538
no-dhcp-interface=$INTIF
1543
no-dhcp-interface=$INTIF
1539
no-dhcp-interface=tun0
1544
no-dhcp-interface=tun0
1540
no-dhcp-interface=lo
1545
no-dhcp-interface=lo
1541
bind-interfaces
1546
bind-interfaces
1542
cache-size=256
1547
cache-size=256
1543
domain=$DOMAIN
1548
domain=$DOMAIN
1544
domain-needed
1549
domain-needed
1545
expand-hosts
1550
expand-hosts
1546
bogus-priv
1551
bogus-priv
1547
filterwin2k
1552
filterwin2k
1548
EOF
1553
EOF
1549
 
1554
 
1550
# Start after chilli (which create tun0)
1555
# Start after chilli (which create tun0)
1551
	$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1556
	$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1552
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1557
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1553
	for list in blacklist whitelist blackhole
1558
	for list in blacklist whitelist blackhole
1554
	do
1559
	do
1555
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1560
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1556
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1561
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1557
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1562
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1558
	done
1563
	done
1559
} # End dnsmasq
1564
} # End dnsmasq
1560
 
1565
 
1561
##########################################################
1566
##########################################################
1562
##		Fonction "BL"				##
1567
##		Fonction "BL"				##
1563
##########################################################
1568
##########################################################
1564
BL ()
1569
BL ()
1565
{
1570
{
1566
# modify iptables boot file to start alcasar-iptables.sh when the system is booting
-
 
1567
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
-
 
1568
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
-
 
1569
# copy and extract toulouse BL
1571
# copy and extract toulouse BL
1570
	rm -rf $DIR_DG/lists/blacklists
1572
	rm -rf $DIR_DG/lists/blacklists
1571
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1573
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1572
# creation of the OSSI BL and WL categories (domain name and url)
1574
# creation of the OSSI BL and WL categories (domain name and url)
1573
	mkdir $DIR_DG/lists/blacklists/ossi
1575
	mkdir $DIR_DG/lists/blacklists/ossi
1574
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
1576
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
1575
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1577
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1576
	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
1578
	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
1577
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1579
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1578
# creation of file for the rehabilited domains and urls
1580
# creation of file for the rehabilited domains and urls
1579
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1581
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1580
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1582
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1581
	touch $DIR_DG/lists/exceptionsitelist
1583
	touch $DIR_DG/lists/exceptionsitelist
1582
	touch $DIR_DG/lists/exceptionurllist
1584
	touch $DIR_DG/lists/exceptionurllist
1583
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1585
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1584
	cat <<EOF > $DIR_DG/lists/bannedurllist
1586
	cat <<EOF > $DIR_DG/lists/bannedurllist
1585
# Dansguardian filter config for ALCASAR
1587
# Dansguardian filter config for ALCASAR
1586
EOF
1588
EOF
1587
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1589
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1588
# Dansguardian domain filter config for ALCASAR
1590
# Dansguardian domain filter config for ALCASAR
1589
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1591
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1590
#**
1592
#**
1591
# block all SSL and CONNECT tunnels
1593
# block all SSL and CONNECT tunnels
1592
**s
1594
**s
1593
# block all SSL and CONNECT tunnels specified only as an IP
1595
# block all SSL and CONNECT tunnels specified only as an IP
1594
*ips
1596
*ips
1595
# block all sites specified only by an IP
1597
# block all sites specified only by an IP
1596
*ip
1598
*ip
1597
EOF
1599
EOF
1598
# Add Bing and Youtube to the safesearch url regext list (parental control)
1600
# Add Bing and Youtube to the safesearch url regext list (parental control)
1599
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1601
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1600
# Bing - add 'adlt=strict'
1602
# Bing - add 'adlt=strict'
1601
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1603
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1602
# Youtube - add 'edufilter=your_ID' 
1604
# Youtube - add 'edufilter=your_ID' 
1603
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
1605
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
1604
EOF
1606
EOF
1605
# change the the google safesearch ("safe=strict" instead of "safe=vss")
1607
# change the the google safesearch ("safe=strict" instead of "safe=vss")
1606
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1608
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1607
# adapt the BL to ALCASAR architecture. Enable the default categories
1609
# adapt the BL to ALCASAR architecture. Enable the default categories
1608
	if [ "$mode" != "update" ]; then
1610
	if [ "$mode" != "update" ]; then
1609
		$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1611
		$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1610
		$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1612
		$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1611
# !!! we can be banned by DNS server (waiting for a cool solution	$DIR_DEST_SBIN/alcasar-bl.sh --ip_retrieving
-
 
1612
	fi
1613
	fi
1613
}
1614
}
1614
 
1615
 
1615
##########################################################
1616
##########################################################
1616
##		Fonction "cron"				##
1617
##		Fonction "cron"				##
1617
## - Mise en place des différents fichiers de cron	##
1618
## - Mise en place des différents fichiers de cron	##
1618
##########################################################
1619
##########################################################
1619
cron ()
1620
cron ()
1620
{
1621
{
1621
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1622
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1622
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1623
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1623
	cat <<EOF > /etc/crontab
1624
	cat <<EOF > /etc/crontab
1624
SHELL=/bin/bash
1625
SHELL=/bin/bash
1625
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1626
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1626
MAILTO=root
1627
MAILTO=root
1627
HOME=/
1628
HOME=/
1628
 
1629
 
1629
# run-parts
1630
# run-parts
1630
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1631
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1631
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1632
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1632
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1633
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1633
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1634
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1634
EOF
1635
EOF
1635
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1636
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1636
	cat <<EOF >> /etc/anacrontab
1637
	cat <<EOF >> /etc/anacrontab
1637
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1638
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1638
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1639
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1639
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1640
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1640
EOF
1641
EOF
1641
 
1642
 
1642
	cat <<EOF > /etc/cron.d/alcasar-mysql
1643
	cat <<EOF > /etc/cron.d/alcasar-mysql
1643
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1644
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1644
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
1645
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
1645
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1646
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1646
40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1647
40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1647
EOF
1648
EOF
1648
	cat <<EOF > /etc/cron.d/alcasar-archive
1649
	cat <<EOF > /etc/cron.d/alcasar-archive
1649
# Archive des logs et de la base de données (tous les lundi à 5h35)
1650
# Archive des logs et de la base de données (tous les lundi à 5h35)
1650
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1651
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1651
EOF
1652
EOF
1652
	cat << EOF > /etc/cron.d/alcasar-clean_import
1653
	cat << EOF > /etc/cron.d/alcasar-clean_import
1653
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
1654
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
1654
30 * * * *  root $DIR_DEST_BIN/alcasar-import-clean.sh
1655
30 * * * *  root $DIR_DEST_BIN/alcasar-import-clean.sh
1655
EOF
1656
EOF
1656
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1657
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1657
# mise à jour automatique de la distribution tous les jours 3h30
1658
# mise à jour automatique de la distribution tous les jours 3h30
1658
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1659
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1659
EOF
1660
EOF
1660
	#cat << EOF > /etc/cron.d/alcasar-netflow
1661
	#cat << EOF > /etc/cron.d/alcasar-netflow
1661
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1662
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1662
#15 0 * * 1  root $DIR_DEST_BIN/alcasar-netflow.sh
1663
#15 0 * * 1  root $DIR_DEST_BIN/alcasar-netflow.sh
1663
#EOF
1664
#EOF
1664
 
1665
 
1665
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1666
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1666
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
1667
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
1667
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
1668
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
1668
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
1669
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
1669
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
1670
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
1670
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
1671
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
1671
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
1672
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
1672
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
1673
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
1673
	rm -f /etc/cron.daily/freeradius-web
1674
	rm -f /etc/cron.daily/freeradius-web
1674
	rm -f /etc/cron.monthly/freeradius-web
1675
	rm -f /etc/cron.monthly/freeradius-web
1675
	cat << EOF > /etc/cron.d/freeradius-web
1676
	cat << EOF > /etc/cron.d/freeradius-web
1676
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
1677
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
1677
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
1678
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
1678
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
1679
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
1679
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
1680
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
1680
EOF
1681
EOF
1681
	cat << EOF > /etc/cron.d/alcasar-watchdog
1682
	cat << EOF > /etc/cron.d/alcasar-watchdog
1682
# activation du "chien de garde" (watchdog) toutes les 3'
1683
# activation du "chien de garde" (watchdog) toutes les 3'
1683
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1684
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1684
EOF
1685
EOF
1685
# activation du "chien de garde des services" (watchdog) toutes les 18'
1686
# activation du "chien de garde des services" (watchdog) toutes les 18'
1686
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1687
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1687
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1688
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1688
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1689
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1689
EOF
1690
EOF
1690
# suppression des crons usagers
1691
# suppression des crons usagers
1691
	rm -f /var/spool/cron/*
1692
	rm -f /var/spool/cron/*
1692
} # End cron
1693
} # End cron
1693
 
1694
 
1694
##################################################################
1695
##################################################################
1695
## 			Fonction "Fail2Ban"			##
1696
## 			Fonction "Fail2Ban"			##
1696
##- Modification de la configuration de fail2ban		##
1697
##- Modification de la configuration de fail2ban		##
1697
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1698
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1698
##################################################################
1699
##################################################################
1699
fail2ban()
1700
fail2ban()
1700
{
1701
{
1701
	$DIR_CONF/fail2ban.sh
1702
	$DIR_CONF/fail2ban.sh
1702
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1703
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1703
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1704
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1704
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1705
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1705
	chmod 644 /var/log/fail2ban.log
1706
	chmod 644 /var/log/fail2ban.log
1706
	chmod 644 /var/Save/security/watchdog.log
1707
	chmod 644 /var/Save/security/watchdog.log
1707
	/usr/bin/touch /var/log/auth.log
1708
	/usr/bin/touch /var/log/auth.log
1708
	
1709
	
1709
 
1710
 
1710
# Edition de l'unité fail2ban
1711
# Edition de l'unité fail2ban
1711
[ -e /usr/lib/systemd/system/fail2ban.service ] && cp /usr/lib/systemd/system/fail2ban.service /usr/lib/systemd/system/fail2ban.service.default
1712
[ -e /usr/lib/systemd/system/fail2ban.service ] && cp /usr/lib/systemd/system/fail2ban.service /usr/lib/systemd/system/fail2ban.service.default
1712
$SED '/Type/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1713
$SED '/Type/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1713
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1714
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1714
 
1715
 
1715
 
1716
 
1716
} #Fin de fail2ban_install()
1717
} #Fin de fail2ban_install()
1717
 
1718
 
1718
##################################################################
1719
##################################################################
1719
## 			Fonction "gammu_smsd"			##
1720
## 			Fonction "gammu_smsd"			##
1720
## - Creation de la base de donnée Gammu			##
1721
## - Creation de la base de donnée Gammu			##
1721
## - Creation du fichier de config: gammu_smsd_conf		##
1722
## - Creation du fichier de config: gammu_smsd_conf		##
1722
##								##
1723
##								##
1723
##################################################################
1724
##################################################################
1724
gammu_smsd()
1725
gammu_smsd()
1725
{
1726
{
1726
# Create 'gammu' databse
1727
# Create 'gammu' databse
1727
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1728
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1728
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1729
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1729
# Add a gammu database structure
1730
# Add a gammu database structure
1730
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
1731
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
1731
 
1732
 
1732
# config file for the daemon
1733
# config file for the daemon
1733
cat << EOF > /etc/gammu_smsd_conf
1734
cat << EOF > /etc/gammu_smsd_conf
1734
[gammu]
1735
[gammu]
1735
port = /dev/ttyUSB0
1736
port = /dev/ttyUSB0
1736
connection = at115200
1737
connection = at115200
1737
 
1738
 
1738
;########################################################
1739
;########################################################
1739
 
1740
 
1740
[smsd]
1741
[smsd]
1741
 
1742
 
1742
PIN = 1234
1743
PIN = 1234
1743
 
1744
 
1744
logfile = /var/log/gammu-smsd/gammu-smsd.log
1745
logfile = /var/log/gammu-smsd/gammu-smsd.log
1745
logformat = textall
1746
logformat = textall
1746
debuglevel = 0
1747
debuglevel = 0
1747
 
1748
 
1748
service = sql
1749
service = sql
1749
driver = native_mysql
1750
driver = native_mysql
1750
user = $DB_USER
1751
user = $DB_USER
1751
password = $radiuspwd
1752
password = $radiuspwd
1752
pc = localhost
1753
pc = localhost
1753
database = $DB_GAMMU
1754
database = $DB_GAMMU
1754
 
1755
 
1755
RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
1756
RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
1756
 
1757
 
1757
StatusFrequency = 30
1758
StatusFrequency = 30
1758
;LoopSleep = 2
1759
;LoopSleep = 2
1759
 
1760
 
1760
;ResetFrequency = 300
1761
;ResetFrequency = 300
1761
;HardResetFrequency = 120
1762
;HardResetFrequency = 120
1762
 
1763
 
1763
CheckSecurity = 1 
1764
CheckSecurity = 1 
1764
CheckSignal = 1
1765
CheckSignal = 1
1765
CheckBattery = 0
1766
CheckBattery = 0
1766
EOF
1767
EOF
1767
 
1768
 
1768
chmod 755 /etc/gammu_smsd_conf
1769
chmod 755 /etc/gammu_smsd_conf
1769
 
1770
 
1770
#Creation dossier de log Gammu-smsd
1771
#Creation dossier de log Gammu-smsd
1771
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1772
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1772
chmod 755 /var/log/gammu-smsd
1773
chmod 755 /var/log/gammu-smsd
1773
 
1774
 
1774
#Edition du script sql gammu <-> radius
1775
#Edition du script sql gammu <-> radius
1775
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1776
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1776
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1777
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1777
 
1778
 
1778
#Création de la règle udev pour les Huawei // idVendor: 12d1
1779
#Création de la règle udev pour les Huawei // idVendor: 12d1
1779
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1780
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1780
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
1781
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
1781
EOF
1782
EOF
1782
 
1783
 
1783
} # END gammu_smsd()
1784
} # END gammu_smsd()
1784
 
1785
 
1785
##################################################################
1786
##################################################################
1786
##			Fonction "post_install"			##
1787
##			Fonction "post_install"			##
1787
## - Modification des bannières (locales et ssh) et des prompts ##
1788
## - Modification des bannières (locales et ssh) et des prompts ##
1788
## - Installation de la structure de chiffrement pour root	##
1789
## - Installation de la structure de chiffrement pour root	##
1789
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1790
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1790
## - Mise en place du la rotation des logs			##
1791
## - Mise en place du la rotation des logs			##
1791
## - Configuration dans le cas d'une mise à jour		##
1792
## - Configuration dans le cas d'une mise à jour		##
1792
##################################################################
1793
##################################################################
1793
post_install()
1794
post_install()
1794
{
1795
{
1795
# création de la bannière locale
1796
# création de la bannière locale
1796
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1797
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1797
	cp -f $DIR_CONF/banner /etc/mageia-release
1798
	cp -f $DIR_CONF/banner /etc/mageia-release
1798
	echo " V$VERSION" >> /etc/mageia-release
1799
	echo " V$VERSION" >> /etc/mageia-release
1799
# création de la bannière SSH
1800
# création de la bannière SSH
1800
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1801
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1801
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1802
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1802
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1803
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1803
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1804
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1804
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1805
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1805
# postfix banner anonymisation
1806
# postfix banner anonymisation
1806
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1807
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1807
# sshd écoute côté LAN et WAN
1808
# sshd écoute côté LAN et WAN
1808
	$SED "s?^#ListenAddress.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1809
	$SED "s?^#ListenAddress.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1809
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
1810
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
1810
	echo "SSH=off" >> $CONF_FILE
1811
	echo "SSH=off" >> $CONF_FILE
1811
	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
1812
	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
1812
	echo "QOS=off" >> $CONF_FILE
1813
	echo "QOS=off" >> $CONF_FILE
1813
	echo "LDAP=off" >> $CONF_FILE
1814
	echo "LDAP=off" >> $CONF_FILE
1814
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1815
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1815
	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1816
	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1816
	echo "MULTIWAN=off" >> $CONF_FILE
1817
	echo "MULTIWAN=off" >> $CONF_FILE
1817
	echo "FAILOVER=30" >> $CONF_FILE
1818
	echo "FAILOVER=30" >> $CONF_FILE
1818
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1819
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1819
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1820
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1820
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1821
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1821
# Coloration des prompts
1822
# Coloration des prompts
1822
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1823
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1823
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1824
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1824
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1825
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1825
# Droits d'exécution pour utilisateur apache et sysadmin
1826
# Droits d'exécution pour utilisateur apache et sysadmin
1826
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1827
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1827
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1828
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1828
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1829
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1829
# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1830
# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1830
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1831
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1831
	chmod 644 /etc/logrotate.d/*
1832
	chmod 644 /etc/logrotate.d/*
1832
# rectification sur versions précédentes de la compression des logs
1833
# rectification sur versions précédentes de la compression des logs
1833
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1834
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1834
# actualisation des fichiers logs compressés
1835
# actualisation des fichiers logs compressés
1835
	for dir in firewall dansguardian httpd
1836
	for dir in firewall dansguardian httpd
1836
	do
1837
	do
1837
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1838
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1838
	done
1839
	done
1839
# create the alcasar-load_balancing unit
1840
# create the alcasar-load_balancing unit
1840
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1841
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1841
#  This file is part of systemd.
1842
#  This file is part of systemd.
1842
#
1843
#
1843
#  systemd is free software; you can redistribute it and/or modify it
1844
#  systemd is free software; you can redistribute it and/or modify it
1844
#  under the terms of the GNU General Public License as published by
1845
#  under the terms of the GNU General Public License as published by
1845
#  the Free Software Foundation; either version 2 of the License, or
1846
#  the Free Software Foundation; either version 2 of the License, or
1846
#  (at your option) any later version.
1847
#  (at your option) any later version.
1847
 
1848
 
1848
# This unit lauches alcasar-load-balancing.sh script.
1849
# This unit lauches alcasar-load-balancing.sh script.
1849
[Unit]
1850
[Unit]
1850
Description=alcasar-load_balancing.sh execution
1851
Description=alcasar-load_balancing.sh execution
1851
After=network.target iptables.service
1852
After=network.target iptables.service
1852
 
1853
 
1853
[Service]
1854
[Service]
1854
Type=oneshot
1855
Type=oneshot
1855
RemainAfterExit=yes
1856
RemainAfterExit=yes
1856
ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
1857
ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
1857
ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
1858
ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
1858
TimeoutSec=0
1859
TimeoutSec=0
1859
SysVStartPriority=99
1860
SysVStartPriority=99
1860
 
1861
 
1861
[Install]
1862
[Install]
1862
WantedBy=multi-user.target
1863
WantedBy=multi-user.target
1863
EOF
1864
EOF
1864
# processes launched at boot time (Systemctl)
1865
# processes launched at boot time (Systemctl)
1865
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy
1866
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy
1866
	do
1867
	do
1867
		systemctl -q enable $i.service
1868
		systemctl -q enable $i.service
1868
	done
1869
	done
1869
	
1870
	
1870
# disable processes at boot time (Systemctl)
1871
# disable processes at boot time (Systemctl)
1871
	for i in ulogd
1872
	for i in ulogd
1872
	do
1873
	do
1873
		systemctl -q disable $i.service
1874
		systemctl -q disable $i.service
1874
	done
1875
	done
1875
	
1876
	
1876
# Apply French Security Agency (ANSSI) rules
1877
# Apply French Security Agency (ANSSI) rules
1877
# ignore ICMP broadcast (smurf attack)
1878
# ignore ICMP broadcast (smurf attack)
1878
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1879
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1879
# ignore ICMP errors bogus
1880
# ignore ICMP errors bogus
1880
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1881
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1881
# remove ICMP redirects responces
1882
# remove ICMP redirects responces
1882
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1883
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1883
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1884
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1884
# enable SYN Cookies (Syn flood attacks)
1885
# enable SYN Cookies (Syn flood attacks)
1885
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1886
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1886
# enable kernel antispoofing
1887
# enable kernel antispoofing
1887
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1888
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1888
# ignore source routing
1889
# ignore source routing
1889
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1890
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1890
# set conntrack timer to 1h (3600s) instead of 5 weeks
1891
# set conntrack timer to 1h (3600s) instead of 5 weeks
1891
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1892
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1892
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1893
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1893
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1894
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1894
# remove Magic SysReq Keys
1895
# remove Magic SysReq Keys
1895
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1896
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1896
# switch to multi-users runlevel (instead of x11)
1897
# switch to multi-users runlevel (instead of x11)
1897
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1898
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1898
#	GRUB modifications
1899
#	GRUB modifications
1899
# limit wait time to 3s
1900
# limit wait time to 3s
1900
# create an alcasar entry instead of linux-nonfb
1901
# create an alcasar entry instead of linux-nonfb
1901
# change display to 1024*768 (vga791)
1902
# change display to 1024*768 (vga791)
1902
	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1903
	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1903
	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1904
	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1904
	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1905
	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1905
	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
1906
	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
1906
	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1907
	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1907
	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1908
	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1908
# Remove unused services and users
1909
# Remove unused services and users
1909
	for svc in sshd
1910
	for svc in sshd
1910
	do
1911
	do
1911
		/bin/systemctl -q disable $svc.service
1912
		/bin/systemctl -q disable $svc.service
1912
	done
1913
	done
1913
# Load and apply the previous conf file
1914
# Load and apply the previous conf file
1914
	if [ "$mode" = "update" ]
1915
	if [ "$mode" = "update" ]
1915
	then
1916
	then
1916
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1917
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1917
		$DIR_DEST_BIN/alcasar-conf.sh --load
1918
		$DIR_DEST_BIN/alcasar-conf.sh --load
1918
		PARENT_SCRIPT=`basename $0`
1919
		PARENT_SCRIPT=`basename $0`
1919
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
1920
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
1920
		$DIR_DEST_BIN/alcasar-conf.sh --apply
1921
		$DIR_DEST_BIN/alcasar-conf.sh --apply
1921
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1922
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1922
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1923
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1923
		if [ $MAJ_PREVIOUS_VERSION -lt 2 ] || ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
1924
		if [ $MAJ_PREVIOUS_VERSION -lt 2 ] || ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
1924
		# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
1925
		# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
1925
		then
1926
		then
1926
			header_install
1927
			header_install
1927
			if [ $Lang == "fr" ]
1928
			if [ $Lang == "fr" ]
1928
			then 
1929
			then 
1929
				echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
1930
				echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
1930
				echo
1931
				echo
1931
				echo -n "Nom : "
1932
				echo -n "Nom : "
1932
			else
1933
			else
1933
				echo "This update need to redefine the first admin account"
1934
				echo "This update need to redefine the first admin account"
1934
				echo
1935
				echo
1935
				echo -n "Account : "
1936
				echo -n "Account : "
1936
			fi
1937
			fi
1937
			read admin_portal
1938
			read admin_portal
1938
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
1939
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
1939
			mkdir -p $DIR_DEST_ETC/digest
1940
			mkdir -p $DIR_DEST_ETC/digest
1940
			chmod 755 $DIR_DEST_ETC/digest
1941
			chmod 755 $DIR_DEST_ETC/digest
1941
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
1942
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
1942
			do
1943
			do
1943
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1944
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1944
			done
1945
			done
1945
			$DIR_DEST_SBIN/alcasar-profil.sh --list
1946
			$DIR_DEST_SBIN/alcasar-profil.sh --list
1946
		fi
1947
		fi
1947
	fi
1948
	fi
1948
	rm -f /tmp/alcasar-conf*
1949
	rm -f /tmp/alcasar-conf*
1949
	chown -R root:apache $DIR_DEST_ETC/*
1950
	chown -R root:apache $DIR_DEST_ETC/*
1950
	chmod -R 660 $DIR_DEST_ETC/*
1951
	chmod -R 660 $DIR_DEST_ETC/*
1951
	chmod ug+x $DIR_DEST_ETC/digest
1952
	chmod ug+x $DIR_DEST_ETC/digest
1952
# Apply and save the firewall rules
1953
# Apply and save the firewall rules
1953
 	sh $DIR_DEST_BIN/alcasar-iptables.sh
1954
 	sh $DIR_DEST_BIN/alcasar-iptables.sh
1954
	sleep 2
1955
	sleep 2
1955
	cd $DIR_INSTALL
1956
	cd $DIR_INSTALL
1956
	echo ""
1957
	echo ""
1957
	echo "#############################################################################"
1958
	echo "#############################################################################"
1958
	if [ $Lang == "fr" ]
1959
	if [ $Lang == "fr" ]
1959
		then
1960
		then
1960
		echo "#                        Fin d'installation d'ALCASAR                       #"
1961
		echo "#                        Fin d'installation d'ALCASAR                       #"
1961
		echo "#                                                                           #"
1962
		echo "#                                                                           #"
1962
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1963
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1963
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1964
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1964
		echo "#                                                                           #"
1965
		echo "#                                                                           #"
1965
		echo "#############################################################################"
1966
		echo "#############################################################################"
1966
		echo
1967
		echo
1967
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1968
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1968
		echo
1969
		echo
1969
		echo "- Lisez attentivement la documentation d'exploitation"
1970
		echo "- Lisez attentivement la documentation d'exploitation"
1970
		echo
1971
		echo
1971
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
1972
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
1972
		echo
1973
		echo
1973
		echo "                   Appuyez sur 'Entrée' pour continuer"
1974
		echo "                   Appuyez sur 'Entrée' pour continuer"
1974
	else	
1975
	else	
1975
		echo "#                        Enf of ALCASAR install process                     #"
1976
		echo "#                        Enf of ALCASAR install process                     #"
1976
		echo "#                                                                           #"
1977
		echo "#                                                                           #"
1977
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1978
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1978
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1979
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1979
		echo "#                                                                           #"
1980
		echo "#                                                                           #"
1980
		echo "#############################################################################"
1981
		echo "#############################################################################"
1981
		echo
1982
		echo
1982
		echo "- The system will be rebooted in order to operate ALCASAR"
1983
		echo "- The system will be rebooted in order to operate ALCASAR"
1983
		echo
1984
		echo
1984
		echo "- Read the exploitation documentation"
1985
		echo "- Read the exploitation documentation"
1985
		echo
1986
		echo
1986
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
1987
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
1987
		echo
1988
		echo
1988
		echo "                   Hit 'Enter' to continue"
1989
		echo "                   Hit 'Enter' to continue"
1989
	fi
1990
	fi
1990
	sleep 2
1991
	sleep 2
1991
	if [ "$mode" != "update" ]
1992
	if [ "$mode" != "update" ]
1992
	then
1993
	then
1993
		read a
1994
		read a
1994
	fi
1995
	fi
1995
	clear
1996
	clear
1996
	reboot
1997
	reboot
1997
} # End post_install ()
1998
} # End post_install ()
1998
 
1999
 
1999
#################################
2000
#################################
2000
#  	Main Install loop  	#
2001
#  	Main Install loop  	#
2001
#################################
2002
#################################
2002
dir_exec=`dirname "$0"`
2003
dir_exec=`dirname "$0"`
2003
if [ $dir_exec != "." ]
2004
if [ $dir_exec != "." ]
2004
then
2005
then
2005
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2006
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2006
	echo "Launch this program from the ALCASAR archive directory"
2007
	echo "Launch this program from the ALCASAR archive directory"
2007
	exit 0
2008
	exit 0
2008
fi
2009
fi
2009
VERSION=`cat $DIR_INSTALL/VERSION`
2010
VERSION=`cat $DIR_INSTALL/VERSION`
2010
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2011
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2011
nb_args=$#
2012
nb_args=$#
2012
args=$1
2013
args=$1
2013
if [ $nb_args -eq 0 ]
2014
if [ $nb_args -eq 0 ]
2014
then
2015
then
2015
	nb_args=1
2016
	nb_args=1
2016
	args="-h"
2017
	args="-h"
2017
fi
2018
fi
2018
chmod -R u+x $DIR_SCRIPTS/*
2019
chmod -R u+x $DIR_SCRIPTS/*
2019
case $args in
2020
case $args in
2020
	-\? | -h* | --h*)
2021
	-\? | -h* | --h*)
2021
		echo "$usage"
2022
		echo "$usage"
2022
		exit 0
2023
		exit 0
2023
		;;
2024
		;;
2024
	-i | --install)
2025
	-i | --install)
2025
		license
2026
		license
2026
		header_install
2027
		header_install
2027
		testing
2028
		testing
2028
# RPMs install
2029
# RPMs install
2029
		$DIR_SCRIPTS/alcasar-urpmi.sh
2030
		$DIR_SCRIPTS/alcasar-urpmi.sh
2030
		if [ "$?" != "0" ]
2031
		if [ "$?" != "0" ]
2031
		then
2032
		then
2032
			exit 0
2033
			exit 0
2033
		fi
2034
		fi
2034
		if [ -e $CONF_FILE ]
2035
		if [ -e $CONF_FILE ]
2035
		then
2036
		then
2036
# Uninstall the running version
2037
# Uninstall the running version
2037
			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2038
			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2038
		fi
2039
		fi
2039
# Test if manual update	
2040
# Test if manual update	
2040
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2041
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2041
		then
2042
		then
2042
			header_install
2043
			header_install
2043
			if [ $Lang == "fr" ]
2044
			if [ $Lang == "fr" ]
2044
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2045
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2045
				else echo "The configuration file of an old version has been found";
2046
				else echo "The configuration file of an old version has been found";
2046
			fi
2047
			fi
2047
			response=0
2048
			response=0
2048
			PTN='^[oOnNyY]$'
2049
			PTN='^[oOnNyY]$'
2049
			until [[ $(expr $response : $PTN) -gt 0 ]]
2050
			until [[ $(expr $response : $PTN) -gt 0 ]]
2050
			do
2051
			do
2051
				if [ $Lang == "fr" ]
2052
				if [ $Lang == "fr" ]
2052
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2053
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2053
					else echo -n "Do you want to use it (Y/n)?";
2054
					else echo -n "Do you want to use it (Y/n)?";
2054
				 fi
2055
				 fi
2055
				read response
2056
				read response
2056
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2057
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2057
				then rm -f /tmp/alcasar-conf*
2058
				then rm -f /tmp/alcasar-conf*
2058
				fi
2059
				fi
2059
			done
2060
			done
2060
		fi
2061
		fi
2061
# Test if update
2062
# Test if update
2062
		if [ -e /tmp/alcasar-conf* ] 
2063
		if [ -e /tmp/alcasar-conf* ] 
2063
		then
2064
		then
2064
			if [ $Lang == "fr" ]
2065
			if [ $Lang == "fr" ]
2065
				then echo "#### Installation avec mise à jour ####";
2066
				then echo "#### Installation avec mise à jour ####";
2066
				else echo "#### Installation with update     ####";
2067
				else echo "#### Installation with update     ####";
2067
			fi
2068
			fi
2068
# Extract the central configuration file
2069
# Extract the central configuration file
2069
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2070
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2070
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2071
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2071
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2072
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2072
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2073
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2073
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2074
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2074
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2075
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2075
			mode="update"
2076
			mode="update"
2076
		fi
2077
		fi
2077
		for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
2078
		for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
2078
		do
2079
		do
2079
			$func
2080
			$func
2080
# echo "*** 'debug' : end of function $func ***"; read a
2081
# echo "*** 'debug' : end of function $func ***"; read a
2081
		done
2082
		done
2082
		;;
2083
		;;
2083
	-u | --uninstall)
2084
	-u | --uninstall)
2084
		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
2085
		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
2085
		then
2086
		then
2086
			if [ $Lang == "fr" ]
2087
			if [ $Lang == "fr" ]
2087
				then echo "ALCASAR n'est pas installé!";
2088
				then echo "ALCASAR n'est pas installé!";
2088
				else echo "ALCASAR isn't installed!";
2089
				else echo "ALCASAR isn't installed!";
2089
			fi
2090
			fi
2090
			exit 0
2091
			exit 0
2091
		fi
2092
		fi
2092
		response=0
2093
		response=0
2093
		PTN='^[oOnN]$'
2094
		PTN='^[oOnN]$'
2094
		until [[ $(expr $response : $PTN) -gt 0 ]]
2095
		until [[ $(expr $response : $PTN) -gt 0 ]]
2095
		do
2096
		do
2096
			if [ $Lang == "fr" ]
2097
			if [ $Lang == "fr" ]
2097
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2098
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2098
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2099
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2099
			fi
2100
			fi
2100
			read response
2101
			read response
2101
		done
2102
		done
2102
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2103
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2103
		then
2104
		then
2104
			$DIR_SCRIPTS/alcasar-conf.sh --create
2105
			$DIR_SCRIPTS/alcasar-conf.sh --create
2105
		else	
2106
		else	
2106
			rm -f /tmp/alcasar-conf*
2107
			rm -f /tmp/alcasar-conf*
2107
		fi
2108
		fi
2108
# Uninstall the running version
2109
# Uninstall the running version
2109
		$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2110
		$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2110
		;;
2111
		;;
2111
	*)
2112
	*)
2112
		echo "Argument inconnu :$1";
2113
		echo "Argument inconnu :$1";
2113
		echo "Unknown argument :$1";
2114
		echo "Unknown argument :$1";
2114
		echo "$usage"
2115
		echo "$usage"
2115
		exit 1
2116
		exit 1
2116
		;;
2117
		;;
2117
esac
2118
esac
2118
# end of script
2119
# end of script
2119
 
2120
 
2120
 
2121