Subversion Repositories ALCASAR

Rev

Rev 1544 | Rev 1548 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 1544 Rev 1547
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 1544 2014-12-23 16:48:10Z richard $ 
2
#  $Id: alcasar.sh 1547 2014-12-23 17:25:24Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
12
 
12
 
13
#  team@alcasar.net
13
#  team@alcasar.net
14
 
14
 
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
16
# This script is distributed under the Gnu General Public License (GPL)
16
# This script is distributed under the Gnu General Public License (GPL)
17
 
17
 
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
23
 
23
 
24
# Options :
24
# Options :
25
#       -i or --install
25
#       -i or --install
26
#       -u or --uninstall
26
#       -u or --uninstall
27
 
27
 
28
# Functions :
28
# Functions :
29
#	testing			: connectivity tests, free space test and mageia version test
29
#	testing			: connectivity tests, free space test and mageia version test
30
#	init			: Installation of RPM and scripts
30
#	init			: Installation of RPM and scripts
31
#	network			: Network parameters
31
#	network			: Network parameters
32
#	ACC			: ALCASAR Control Center installation
32
#	ACC			: ALCASAR Control Center installation
33
#	CA			: Certification Authority initialization
33
#	CA			: Certification Authority initialization
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	radius			: FreeRadius initialisation
35
#	radius			: FreeRadius initialisation
36
#	radius_web		: copy ans modifiy original "freeradius web" in ACC
36
#	radius_web		: copy ans modifiy original "freeradius web" in ACC
37
#	chilli			: coovachilli initialisation (+authentication page)
37
#	chilli			: coovachilli initialisation (+authentication page)
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
39
#	antivirus		: HAVP + libclamav configuration
39
#	antivirus		: HAVP + libclamav configuration
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
42
#	nfsen		:	: Configuration du grapheur nfsen pour apache 
42
#	nfsen		:	: Configuration du grapheur nfsen pour apache 
43
#	dnsmasq			: Name server configuration
43
#	dnsmasq			: Name server configuration
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	post_install		: Security, log rotation, etc.
49
#	post_install		: Security, log rotation, etc.
50
 
50
 
51
DATE=`date '+%d %B %Y - %Hh%M'`
51
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
53
Lang=`echo $LANG|cut -c 1-2`
53
Lang=`echo $LANG|cut -c 1-2`
54
mode="install"
54
mode="install"
55
# ******* Files parameters - paramètres fichiers *********
55
# ******* Files parameters - paramètres fichiers *********
56
DIR_INSTALL=`pwd`				# current directory 
56
DIR_INSTALL=`pwd`				# current directory 
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SAVE="/var/Save"				# backup directory (system_backup, user_db_backup, logs)
59
DIR_SAVE="/var/Save"				# backup directory (system_backup, user_db_backup, logs)
60
DIR_WEB="/var/www/html"				# directory of APACHE
60
DIR_WEB="/var/www/html"				# directory of APACHE
61
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
61
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
62
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
62
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
63
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
63
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
64
DIR_DEST_SBIN="/usr/local/sbin"			# directory of ALCASAR admin scripts
64
DIR_DEST_SBIN="/usr/local/sbin"			# directory of ALCASAR admin scripts
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
# ******* DBMS parameters - paramètres SGBD ********
69
# ******* DBMS parameters - paramètres SGBD ********
70
DB_RADIUS="radius"				# database name used by FreeRadius server
70
DB_RADIUS="radius"				# database name used by FreeRadius server
71
DB_USER="radius"				# user name allows to request the users database
71
DB_USER="radius"				# user name allows to request the users database
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
73
# ******* Network parameters - paramètres réseau *******
73
# ******* Network parameters - paramètres réseau *******
74
HOSTNAME="alcasar"				# default hostname
74
HOSTNAME="alcasar"				# default hostname
75
DOMAIN="localdomain"				# default local domain
75
DOMAIN="localdomain"				# default local domain
76
EXTIF=`/sbin/ip route|grep default|cut -d" " -f5`						# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
76
EXTIF=`/sbin/ip route|grep default|cut -d" " -f5`						# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
INTIF=`/sbin/ip	link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
77
INTIF=`/sbin/ip	link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
78
MTU="1500"
78
MTU="1500"
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
# ****** Paths - chemin des commandes *******
80
# ****** Paths - chemin des commandes *******
81
SED="/bin/sed -i"
81
SED="/bin/sed -i"
82
# ****************** End of global parameters *********************
82
# ****************** End of global parameters *********************
83
 
83
 
84
license ()
84
license ()
85
{
85
{
86
	if [ $Lang == "fr" ]
86
	if [ $Lang == "fr" ]
87
	then
87
	then
88
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
88
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
	else
89
	else
90
		cat $DIR_INSTALL/gpl-warning.txt | more
90
		cat $DIR_INSTALL/gpl-warning.txt | more
91
	fi
91
	fi
92
	response=0
92
	response=0
93
	PTN='^[oOyYnN]$'
93
	PTN='^[oOyYnN]$'
94
	until [[ $(expr $response : $PTN) -gt 0 ]]
94
	until [[ $(expr $response : $PTN) -gt 0 ]]
95
	do
95
	do
96
		if [ $Lang == "fr" ]
96
		if [ $Lang == "fr" ]
97
			then echo -n "Accéptez-vous les termes de cette licence (O/n)? : "
97
			then echo -n "Accéptez-vous les termes de cette licence (O/n)? : "
98
			else echo -n "Do you accept the terms of this license (Y/n)? : "
98
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
		fi
99
		fi
100
		read response
100
		read response
101
	done
101
	done
102
	if [ "$response" = "n" ] || [ "$response" = "N" ]
102
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	then
103
	then
104
		exit 1
104
		exit 1
105
	fi
105
	fi
106
}
106
}
107
 
107
 
108
header_install ()
108
header_install ()
109
{
109
{
110
	clear
110
	clear
111
	echo "-----------------------------------------------------------------------------"
111
	echo "-----------------------------------------------------------------------------"
112
	echo "                     ALCASAR V$VERSION Installation"
112
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
113
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "-----------------------------------------------------------------------------"
114
	echo "-----------------------------------------------------------------------------"
115
}
115
}
116
 
116
 
117
##################################################################
117
##################################################################
118
##			Function "testing"			##
118
##			Function "testing"			##
119
## - Test of Mageia version					##
119
## - Test of Mageia version					##
120
## - Test of ALCASAR version (if already installed)		##
120
## - Test of ALCASAR version (if already installed)		##
121
## - Test of free space on /var  (>10G)				##
121
## - Test of free space on /var  (>10G)				##
122
## - Test of Internet access					##
122
## - Test of Internet access					##
123
##################################################################
123
##################################################################
124
testing ()
124
testing ()
125
{
125
{
126
# Test of Mageia version
126
# Test of Mageia version
127
# extract the current Mageia version and hardware architecture (i586 ou X64)
127
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
	fic=`cat /etc/product.id`
128
	fic=`cat /etc/product.id`
129
	unknown_os=0
129
	unknown_os=0
130
	old="$IFS"
130
	old="$IFS"
131
	IFS=","
131
	IFS=","
132
	set $fic
132
	set $fic
133
	for i in $*
133
	for i in $*
134
	do
134
	do
135
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
135
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
			then 
136
			then 
137
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
137
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			unknown_os=`expr $unknown_os + 1`
138
			unknown_os=`expr $unknown_os + 1`
139
		fi
139
		fi
140
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
140
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
			then 
141
			then 
142
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
142
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			unknown_os=`expr $unknown_os + 1`
143
			unknown_os=`expr $unknown_os + 1`
144
		fi
144
		fi
145
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
145
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
			then 
146
			then 
147
			ARCH=`echo $i|cut -d"=" -f2`
147
			ARCH=`echo $i|cut -d"=" -f2`
148
			unknown_os=`expr $unknown_os + 1`
148
			unknown_os=`expr $unknown_os + 1`
149
		fi
149
		fi
150
	done
150
	done
151
	IFS="$old"
151
	IFS="$old"
152
# Test if ALCASAR is already installed
152
# Test if ALCASAR is already installed
153
	if [ -e $CONF_FILE ]
153
	if [ -e $CONF_FILE ]
154
	then
154
	then
155
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
155
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
156
		if [ $Lang == "fr" ]
156
		if [ $Lang == "fr" ]
157
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
157
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
158
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
158
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
159
		fi
159
		fi
160
		response=0
160
		response=0
161
		PTN='^[oOnNyY]$'
161
		PTN='^[oOnNyY]$'
162
		until [[ $(expr $response : $PTN) -gt 0 ]]
162
		until [[ $(expr $response : $PTN) -gt 0 ]]
163
		do
163
		do
164
			if [ $Lang == "fr" ]
164
			if [ $Lang == "fr" ]
165
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
165
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
166
				else echo -n "Do you want to update (Y/n)?";
166
				else echo -n "Do you want to update (Y/n)?";
167
			 fi
167
			 fi
168
			read response
168
			read response
169
		done
169
		done
170
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
170
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
171
		then
171
		then
172
			rm -f /tmp/alcasar-conf*
172
			rm -f /tmp/alcasar-conf*
173
		else
173
		else
174
# Create a backup of running importants files
174
# Create a backup of running importants files
175
			$DIR_SCRIPTS/alcasar-conf.sh --create
175
			$DIR_SCRIPTS/alcasar-conf.sh --create
176
			mode="update"
176
			mode="update"
177
		fi
177
		fi
178
	fi
178
	fi
179
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "4" ) ]]
179
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "4" ) ]]
180
		then
180
		then
181
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
181
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
182
			then
182
			then
183
			echo
183
			echo
184
			if [ $Lang == "fr" ]
184
			if [ $Lang == "fr" ]
185
				then	
185
				then	
186
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
186
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
187
				echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
187
				echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
188
				echo "2 - Installez Linux-Mageia4.1 (cf. doc d'installation)"
188
				echo "2 - Installez Linux-Mageia4.1 (cf. doc d'installation)"
189
				echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
189
				echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
190
			else
190
			else
191
				echo "The automatic update of ALCASAR can't be performed."
191
				echo "The automatic update of ALCASAR can't be performed."
192
				echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
192
				echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
193
				echo "2 - Install Linux-Mageia4.1 (cf. installation doc)"
193
				echo "2 - Install Linux-Mageia4.1 (cf. installation doc)"
194
				echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
194
				echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
195
			fi
195
			fi
196
		else
196
		else
197
			if [ $Lang == "fr" ]
197
			if [ $Lang == "fr" ]
198
				then	
198
				then	
199
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
199
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
200
			else
200
			else
201
				echo "The installation of ALCASAR can't be performed."
201
				echo "The installation of ALCASAR can't be performed."
202
			fi
202
			fi
203
		fi
203
		fi
204
		echo
204
		echo
205
		if [ $Lang == "fr" ]
205
		if [ $Lang == "fr" ]
206
			then	
206
			then	
207
			echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
207
			echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
208
		else
208
		else
209
			echo "The OS must be replaced (Mageia4.1)"
209
			echo "The OS must be replaced (Mageia4.1)"
210
		fi
210
		fi
211
		exit 0
211
		exit 0
212
	fi
212
	fi
213
	if [ ! -d /var/log/netflow/porttracker ]
213
	if [ ! -d /var/log/netflow/porttracker ]
214
		then
214
		then
215
# Test of free space on /var
215
# Test of free space on /var
216
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
216
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
217
		if [ $free_space -lt 10 ]
217
		if [ $free_space -lt 10 ]
218
			then
218
			then
219
			if [ $Lang == "fr" ]
219
			if [ $Lang == "fr" ]
220
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
220
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
221
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
221
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
222
			fi
222
			fi
223
		exit 0
223
		exit 0
224
		fi
224
		fi
225
	fi
225
	fi
226
	if [ $Lang == "fr" ]
226
	if [ $Lang == "fr" ]
227
		then echo -n "Tests des paramètres réseau : "
227
		then echo -n "Tests des paramètres réseau : "
228
		else echo -n "Network parameters tests : "
228
		else echo -n "Network parameters tests : "
229
	fi
229
	fi
230
# Test of Ethernet links state
230
# Test of Ethernet links state
231
	DOWN_IF=`/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
231
	DOWN_IF=`/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
232
	for i in $DOWN_IF
232
	for i in $DOWN_IF
233
	do
233
	do
234
		if [ $Lang == "fr" ]
234
		if [ $Lang == "fr" ]
235
		then 
235
		then 
236
			echo "Échec"
236
			echo "Échec"
237
			echo "Le lien réseau de la carte $i n'est pas actif."
237
			echo "Le lien réseau de la carte $i n'est pas actif."
238
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
238
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
239
		else
239
		else
240
			echo "Failed"
240
			echo "Failed"
241
			echo "The link state of $i interface is down."
241
			echo "The link state of $i interface is down."
242
			echo "Make sure that this network card is connected to a switch or an A.P."
242
			echo "Make sure that this network card is connected to a switch or an A.P."
243
		fi
243
		fi
244
		exit 0
244
		exit 0
245
	done
245
	done
246
	echo -n "."
246
	echo -n "."
247
 
247
 
248
# Test EXTIF config files
248
# Test EXTIF config files
249
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
249
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
250
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
250
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
251
	PUBLIC_GATEWAY=`ip route list|grep ^default|cut -d" " -f3`
251
	PUBLIC_GATEWAY=`ip route list|grep ^default|cut -d" " -f3`
252
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
252
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
253
	then
253
	then
254
		if [ $Lang == "fr" ]
254
		if [ $Lang == "fr" ]
255
		then 
255
		then 
256
			echo "Échec"
256
			echo "Échec"
257
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
257
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
258
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
258
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
259
			echo "Appliquez les changements : 'systemctl restart network'"
259
			echo "Appliquez les changements : 'systemctl restart network'"
260
		else
260
		else
261
			echo "Failed"
261
			echo "Failed"
262
			echo "The Internet connected network card ($EXTIF) isn't well configured."
262
			echo "The Internet connected network card ($EXTIF) isn't well configured."
263
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
263
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
264
			echo "Apply the new configuration 'systemctl restart network'"
264
			echo "Apply the new configuration 'systemctl restart network'"
265
		fi
265
		fi
266
		echo "DEVICE=$EXTIF"
266
		echo "DEVICE=$EXTIF"
267
		echo "IPADDR="
267
		echo "IPADDR="
268
		echo "NETMASK="
268
		echo "NETMASK="
269
		echo "GATEWAY="
269
		echo "GATEWAY="
270
		echo "DNS1="
270
		echo "DNS1="
271
		echo "DNS2="
271
		echo "DNS2="
272
		echo "ONBOOT=yes"
272
		echo "ONBOOT=yes"
273
		exit 0
273
		exit 0
274
	fi
274
	fi
275
	echo -n "."
275
	echo -n "."
276
 
276
 
277
# Test if router is alive (Box FAI)
277
# Test if router is alive (Box FAI)
278
	if [ `ip route list|grep -c ^default` -ne "1" ] ; then
278
	if [ `ip route list|grep -c ^default` -ne "1" ] ; then
279
		if [ $Lang == "fr" ]
279
		if [ $Lang == "fr" ]
280
		then 
280
		then 
281
			echo "Échec"
281
			echo "Échec"
282
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
282
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
283
			echo "Réglez ce problème puis relancez ce script."
283
			echo "Réglez ce problème puis relancez ce script."
284
		else
284
		else
285
			echo "Failed"
285
			echo "Failed"
286
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
286
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
287
			echo "Resolv this problem, then restart this script."
287
			echo "Resolv this problem, then restart this script."
288
		fi
288
		fi
289
		exit 0
289
		exit 0
290
	fi
290
	fi
291
	echo -n "."
291
	echo -n "."
292
# On teste le lien vers le routeur par defaut
292
# On teste le lien vers le routeur par defaut
293
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
293
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
294
	if [ $(expr $arp_reply) -eq 0 ]
294
	if [ $(expr $arp_reply) -eq 0 ]
295
	       	then
295
	       	then
296
		if [ $Lang == "fr" ]
296
		if [ $Lang == "fr" ]
297
		then 
297
		then 
298
			echo "Échec"
298
			echo "Échec"
299
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
299
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
300
			echo "Réglez ce problème puis relancez ce script."
300
			echo "Réglez ce problème puis relancez ce script."
301
		else
301
		else
302
			echo "Failed"
302
			echo "Failed"
303
			echo "The Internet gateway doesn't answered"
303
			echo "The Internet gateway doesn't answered"
304
			echo "Resolv this problem, then restart this script."
304
			echo "Resolv this problem, then restart this script."
305
		fi
305
		fi
306
		exit 0
306
		exit 0
307
	fi
307
	fi
308
	echo -n "."
308
	echo -n "."
309
# On teste la connectivité Internet
309
# On teste la connectivité Internet
310
	rm -rf /tmp/con_ok.html
310
	rm -rf /tmp/con_ok.html
311
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
311
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
312
	if [ ! -e /tmp/con_ok.html ]
312
	if [ ! -e /tmp/con_ok.html ]
313
	then
313
	then
314
		if [ $Lang == "fr" ]
314
		if [ $Lang == "fr" ]
315
		then 
315
		then 
316
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
316
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
317
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
317
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
318
			echo "Vérifiez la validité des adresses IP des DNS."
318
			echo "Vérifiez la validité des adresses IP des DNS."
319
		else
319
		else
320
			echo "The Internet connection try failed (google.fr)."
320
			echo "The Internet connection try failed (google.fr)."
321
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
321
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
322
			echo "Verify the DNS IP addresses"
322
			echo "Verify the DNS IP addresses"
323
		fi
323
		fi
324
		exit 0
324
		exit 0
325
	fi
325
	fi
326
	rm -rf /tmp/con_ok.html
326
	rm -rf /tmp/con_ok.html
327
	echo ". : ok"
327
	echo ". : ok"
328
} # end of testing ()
328
} # end of testing ()
329
 
329
 
330
##################################################################
330
##################################################################
331
##			Function "init"				##
331
##			Function "init"				##
332
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
332
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
333
## - Installation et modification des scripts du portail	##
333
## - Installation et modification des scripts du portail	##
334
##################################################################
334
##################################################################
335
init ()
335
init ()
336
{
336
{
337
	if [ "$mode" != "update" ]
337
	if [ "$mode" != "update" ]
338
	then
338
	then
339
# On affecte le nom d'organisme
339
# On affecte le nom d'organisme
340
		header_install
340
		header_install
341
		ORGANISME=!
341
		ORGANISME=!
342
		PTN='^[a-zA-Z0-9-]*$'
342
		PTN='^[a-zA-Z0-9-]*$'
343
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
343
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
344
                do
344
                do
345
			if [ $Lang == "fr" ]
345
			if [ $Lang == "fr" ]
346
			       	then echo -n "Entrez le nom de votre organisme : "
346
			       	then echo -n "Entrez le nom de votre organisme : "
347
				else echo -n "Enter the name of your organism : "
347
				else echo -n "Enter the name of your organism : "
348
			fi
348
			fi
349
			read ORGANISME
349
			read ORGANISME
350
			if [ "$ORGANISME" == "" ]
350
			if [ "$ORGANISME" == "" ]
351
				then
351
				then
352
				ORGANISME=!
352
				ORGANISME=!
353
			fi
353
			fi
354
		done
354
		done
355
	fi
355
	fi
356
# On crée aléatoirement les mots de passe et les secrets partagés
356
# On crée aléatoirement les mots de passe et les secrets partagés
357
	rm -f $PASSWD_FILE
357
	rm -f $PASSWD_FILE
358
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
358
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
359
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
359
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
360
	echo "$grubpwd" >> $PASSWD_FILE
360
	echo "$grubpwd" >> $PASSWD_FILE
361
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
361
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
362
	$SED "/^password.*/d" /boot/grub/menu.lst
362
	$SED "/^password.*/d" /boot/grub/menu.lst
363
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
363
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
364
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
364
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
365
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
365
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
366
	echo "root / $mysqlpwd" >> $PASSWD_FILE
366
	echo "root / $mysqlpwd" >> $PASSWD_FILE
367
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
367
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
368
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
368
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
369
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
369
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
370
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
370
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
371
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
371
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
372
	echo "$secretuam" >> $PASSWD_FILE
372
	echo "$secretuam" >> $PASSWD_FILE
373
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
373
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
374
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
374
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
375
	echo "$secretradius" >> $PASSWD_FILE
375
	echo "$secretradius" >> $PASSWD_FILE
376
	chmod 640 $PASSWD_FILE
376
	chmod 640 $PASSWD_FILE
377
# Scripts and conf files copy 
377
# Scripts and conf files copy 
378
#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
378
#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
379
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
379
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
380
#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
380
#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
381
	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
381
	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
382
#  - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
382
#  - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
383
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
383
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
384
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
384
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
385
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
385
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
386
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
386
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
387
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
387
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
388
# generate central conf file
388
# generate central conf file
389
	cat <<EOF > $CONF_FILE
389
	cat <<EOF > $CONF_FILE
390
##########################################
390
##########################################
391
##                                      ##
391
##                                      ##
392
##          ALCASAR Parameters          ##
392
##          ALCASAR Parameters          ##
393
##                                      ##
393
##                                      ##
394
##########################################
394
##########################################
395
 
395
 
396
INSTALL_DATE=$DATE
396
INSTALL_DATE=$DATE
397
VERSION=$VERSION
397
VERSION=$VERSION
398
ORGANISM=$ORGANISME
398
ORGANISM=$ORGANISME
399
DOMAIN=$DOMAIN
399
DOMAIN=$DOMAIN
400
EOF
400
EOF
401
	chmod o-rwx $CONF_FILE
401
	chmod o-rwx $CONF_FILE
402
} # End of init ()
402
} # End of init ()
403
 
403
 
404
##################################################################
404
##################################################################
405
##			Function "network"			##
405
##			Function "network"			##
406
## - Définition du plan d'adressage du réseau de consultation	##
406
## - Définition du plan d'adressage du réseau de consultation	##
407
## - Nommage DNS du système 					##
407
## - Nommage DNS du système 					##
408
## - Configuration de l'interface INTIF (réseau de consultation)##
408
## - Configuration de l'interface INTIF (réseau de consultation)##
409
## - Modification du fichier /etc/hosts				##
409
## - Modification du fichier /etc/hosts				##
410
## - Configuration du serveur de temps (NTP)			##
410
## - Configuration du serveur de temps (NTP)			##
411
## - Renseignement des fichiers hosts.allow et hosts.deny	##
411
## - Renseignement des fichiers hosts.allow et hosts.deny	##
412
##################################################################
412
##################################################################
413
network ()
413
network ()
414
{
414
{
415
	header_install
415
	header_install
416
	if [ "$mode" != "update" ]
416
	if [ "$mode" != "update" ]
417
		then
417
		then
418
		if [ $Lang == "fr" ]
418
		if [ $Lang == "fr" ]
419
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
419
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
420
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
420
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
421
		fi
421
		fi
422
		response=0
422
		response=0
423
		PTN='^[oOyYnN]$'
423
		PTN='^[oOyYnN]$'
424
		until [[ $(expr $response : $PTN) -gt 0 ]]
424
		until [[ $(expr $response : $PTN) -gt 0 ]]
425
		do
425
		do
426
			if [ $Lang == "fr" ]
426
			if [ $Lang == "fr" ]
427
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
427
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
428
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
428
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
429
			fi
429
			fi
430
			read response
430
			read response
431
		done
431
		done
432
		if [ "$response" = "n" ] || [ "$response" = "N" ]
432
		if [ "$response" = "n" ] || [ "$response" = "N" ]
433
		then
433
		then
434
			PRIVATE_IP_MASK="0"
434
			PRIVATE_IP_MASK="0"
435
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
435
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
436
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
436
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
437
			do
437
			do
438
				if [ $Lang == "fr" ]
438
				if [ $Lang == "fr" ]
439
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
439
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
440
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
440
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
441
				fi
441
				fi
442
				read PRIVATE_IP_MASK
442
				read PRIVATE_IP_MASK
443
			done
443
			done
444
		else
444
		else
445
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
445
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
446
		fi
446
		fi
447
	else
447
	else
448
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
448
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
449
		rm -rf conf/etc/alcasar.conf
449
		rm -rf conf/etc/alcasar.conf
450
	fi
450
	fi
451
# Define LAN side global parameters
451
# Define LAN side global parameters
452
	hostname $HOSTNAME.$DOMAIN
452
	hostname $HOSTNAME.$DOMAIN
453
	echo $HOSTNAME.$DOMAIN > /etc/hostname
453
	echo $HOSTNAME.$DOMAIN > /etc/hostname
454
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
454
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
455
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
455
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
456
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
456
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
457
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
457
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
458
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
458
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
459
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
459
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
460
		then
460
		then
461
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
461
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
462
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
462
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
463
	fi	
463
	fi	
464
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
464
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
465
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
465
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
466
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
466
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
467
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
467
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
468
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
468
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
469
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
469
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
470
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
470
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
471
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
471
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
472
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
472
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
473
	PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6`				# MAC address of INTIF
473
	PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6`				# MAC address of INTIF
474
# Define Internet parameters
474
# Define Internet parameters
475
	DNS1=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|head -n 1`				# 1st DNS server
475
	DNS1=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|head -n 1`				# 1st DNS server
476
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
476
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
477
	if [ $nb_dns == 2 ]
477
	if [ $nb_dns == 2 ]
478
		then
478
		then
479
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
479
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
480
	fi
480
	fi
481
	DNS1=${DNS1:=208.67.220.220}
481
	DNS1=${DNS1:=208.67.220.220}
482
	DNS2=${DNS2:=208.67.222.222}
482
	DNS2=${DNS2:=208.67.222.222}
483
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
483
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
484
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
484
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
485
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
485
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
486
# Wrtie the conf file
486
# Wrtie the conf file
487
	echo "EXTIF=$EXTIF" >> $CONF_FILE
487
	echo "EXTIF=$EXTIF" >> $CONF_FILE
488
	echo "INTIF=$INTIF" >> $CONF_FILE
488
	echo "INTIF=$INTIF" >> $CONF_FILE
489
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
489
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
490
	if [ $IP_SETTING == "dhcp" ]
490
	if [ $IP_SETTING == "dhcp" ]
491
		then
491
		then
492
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
492
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
493
		echo "GW=dhcp" >> $CONF_FILE 
493
		echo "GW=dhcp" >> $CONF_FILE 
494
	else
494
	else
495
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
495
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
496
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE 
496
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE 
497
	fi
497
	fi
498
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
498
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
499
	echo "DNS1=$DNS1" >> $CONF_FILE
499
	echo "DNS1=$DNS1" >> $CONF_FILE
500
	echo "DNS2=$DNS2" >> $CONF_FILE
500
	echo "DNS2=$DNS2" >> $CONF_FILE
501
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
501
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
502
	echo "DHCP=on" >> $CONF_FILE
502
	echo "DHCP=on" >> $CONF_FILE
503
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
503
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
504
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
504
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
505
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
505
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
506
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
506
	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
507
# network default
507
# network default
508
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
508
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
509
	cat <<EOF > /etc/sysconfig/network
509
	cat <<EOF > /etc/sysconfig/network
510
NETWORKING=yes
510
NETWORKING=yes
511
HOSTNAME="$HOSTNAME.$DOMAIN"
511
HOSTNAME="$HOSTNAME.$DOMAIN"
512
FORWARD_IPV4=true
512
FORWARD_IPV4=true
513
EOF
513
EOF
514
# /etc/hosts config
514
# /etc/hosts config
515
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
515
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
516
	cat <<EOF > /etc/hosts
516
	cat <<EOF > /etc/hosts
517
127.0.0.1	localhost
517
127.0.0.1	localhost
518
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
518
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
519
EOF
519
EOF
520
# EXTIF (Internet) config
520
# EXTIF (Internet) config
521
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
521
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
522
	if [ $IP_SETTING == "dhcp" ]
522
	if [ $IP_SETTING == "dhcp" ]
523
		then
523
		then
524
		$SED "s?^RESOLV_MODS=.*?RESOLV_MODS=yes?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
524
		$SED "s?^RESOLV_MODS=.*?RESOLV_MODS=yes?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
525
		$SED "s?^PEERDNS=.*?PEERDNS=no?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
525
		$SED "s?^PEERDNS=.*?PEERDNS=no?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
526
		echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-$EXTIF
526
		echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-$EXTIF
527
	else	
527
	else	
528
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
528
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
529
DEVICE=$EXTIF
529
DEVICE=$EXTIF
530
BOOTPROTO=static
530
BOOTPROTO=static
531
IPADDR=$PUBLIC_IP
531
IPADDR=$PUBLIC_IP
532
NETMASK=$PUBLIC_NETMASK
532
NETMASK=$PUBLIC_NETMASK
533
GATEWAY=$PUBLIC_GATEWAY
533
GATEWAY=$PUBLIC_GATEWAY
534
DNS1=127.0.0.1
534
DNS1=127.0.0.1
535
RESOLV_MODS=yes
535
RESOLV_MODS=yes
536
ONBOOT=yes
536
ONBOOT=yes
537
METRIC=10
537
METRIC=10
538
MII_NOT_SUPPORTED=yes
538
MII_NOT_SUPPORTED=yes
539
IPV6INIT=no
539
IPV6INIT=no
540
IPV6TO4INIT=no
540
IPV6TO4INIT=no
541
ACCOUNTING=no
541
ACCOUNTING=no
542
USERCTL=no
542
USERCTL=no
543
MTU=$MTU
543
MTU=$MTU
544
EOF
544
EOF
545
	fi
545
	fi
546
# Config INTIF (consultation LAN) in normal mode
546
# Config INTIF (consultation LAN) in normal mode
547
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
547
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
548
DEVICE=$INTIF
548
DEVICE=$INTIF
549
BOOTPROTO=static
549
BOOTPROTO=static
550
ONBOOT=yes
550
ONBOOT=yes
551
NOZEROCONF=yes
551
NOZEROCONF=yes
552
MII_NOT_SUPPORTED=yes
552
MII_NOT_SUPPORTED=yes
553
IPV6INIT=no
553
IPV6INIT=no
554
IPV6TO4INIT=no
554
IPV6TO4INIT=no
555
ACCOUNTING=no
555
ACCOUNTING=no
556
USERCTL=no
556
USERCTL=no
557
EOF
557
EOF
558
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
558
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
559
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
559
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
560
DEVICE=$INTIF
560
DEVICE=$INTIF
561
BOOTPROTO=static
561
BOOTPROTO=static
562
IPADDR=$PRIVATE_IP
562
IPADDR=$PRIVATE_IP
563
NETMASK=$PRIVATE_NETMASK
563
NETMASK=$PRIVATE_NETMASK
564
ONBOOT=yes
564
ONBOOT=yes
565
METRIC=10
565
METRIC=10
566
NOZEROCONF=yes
566
NOZEROCONF=yes
567
MII_NOT_SUPPORTED=yes
567
MII_NOT_SUPPORTED=yes
568
IPV6INIT=no
568
IPV6INIT=no
569
IPV6TO4INIT=no
569
IPV6TO4INIT=no
570
ACCOUNTING=no
570
ACCOUNTING=no
571
USERCTL=no
571
USERCTL=no
572
EOF
572
EOF
573
# Mise à l'heure du serveur
573
# Mise à l'heure du serveur
574
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
574
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
575
	cat <<EOF > /etc/ntp/step-tickers
575
	cat <<EOF > /etc/ntp/step-tickers
576
0.fr.pool.ntp.org	# adapt to your country
576
0.fr.pool.ntp.org	# adapt to your country
577
1.fr.pool.ntp.org
577
1.fr.pool.ntp.org
578
2.fr.pool.ntp.org
578
2.fr.pool.ntp.org
579
EOF
579
EOF
580
# Configuration du serveur de temps (sur lui même)
580
# Configuration du serveur de temps (sur lui même)
581
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
581
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
582
	cat <<EOF > /etc/ntp.conf
582
	cat <<EOF > /etc/ntp.conf
583
server 0.fr.pool.ntp.org	# adapt to your country
583
server 0.fr.pool.ntp.org	# adapt to your country
584
server 1.fr.pool.ntp.org
584
server 1.fr.pool.ntp.org
585
server 2.fr.pool.ntp.org
585
server 2.fr.pool.ntp.org
586
server 127.127.1.0   		# local clock si NTP internet indisponible ...
586
server 127.127.1.0   		# local clock si NTP internet indisponible ...
587
fudge 127.127.1.0 stratum 10
587
fudge 127.127.1.0 stratum 10
588
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
588
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
589
restrict 127.0.0.1
589
restrict 127.0.0.1
590
driftfile /var/lib/ntp/drift
590
driftfile /var/lib/ntp/drift
591
logfile /var/log/ntp.log
591
logfile /var/log/ntp.log
592
EOF
592
EOF
593
 
593
 
594
	chown -R ntp:ntp /var/lib/ntp
594
	chown -R ntp:ntp /var/lib/ntp
595
# Renseignement des fichiers hosts.allow et hosts.deny
595
# Renseignement des fichiers hosts.allow et hosts.deny
596
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
596
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
597
	cat <<EOF > /etc/hosts.allow
597
	cat <<EOF > /etc/hosts.allow
598
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
598
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
599
sshd: ALL
599
sshd: ALL
600
ntpd: $PRIVATE_NETWORK_SHORT
600
ntpd: $PRIVATE_NETWORK_SHORT
601
EOF
601
EOF
602
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
602
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
603
	cat <<EOF > /etc/hosts.deny
603
	cat <<EOF > /etc/hosts.deny
604
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
604
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
605
EOF
605
EOF
606
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
606
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
607
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
607
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
608
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
608
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
609
# load conntrack ftp module
609
# load conntrack ftp module
610
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
610
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
611
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
611
	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
612
# load ipt_NETFLOW module
612
# load ipt_NETFLOW module
613
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
613
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
614
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
614
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
615
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
615
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
616
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
616
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
617
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
617
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
618
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
618
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
619
# 
619
# 
620
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
620
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
621
} # End of network ()
621
} # End of network ()
622
 
622
 
623
##################################################################
623
##################################################################
624
##			Function "ACC"				##
624
##			Function "ACC"				##
625
## - installation du centre de gestion (ALCASAR Control Center)	##
625
## - installation du centre de gestion (ALCASAR Control Center)	##
626
## - configuration du serveur web (Apache)			##
626
## - configuration du serveur web (Apache)			##
627
## - définition du 1er comptes de gestion 			##
627
## - définition du 1er comptes de gestion 			##
628
## - sécurisation des accès					##
628
## - sécurisation des accès					##
629
##################################################################
629
##################################################################
630
ACC ()
630
ACC ()
631
{
631
{
632
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
632
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
633
	mkdir $DIR_WEB
633
	mkdir $DIR_WEB
634
# Copie et configuration des fichiers du centre de gestion
634
# Copie et configuration des fichiers du centre de gestion
635
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
635
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
636
	echo "$VERSION" > $DIR_WEB/VERSION
636
	echo "$VERSION" > $DIR_WEB/VERSION
637
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
637
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
638
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
638
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
639
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
639
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
640
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
640
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
641
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
641
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
642
	chown -R apache:apache $DIR_WEB/*
642
	chown -R apache:apache $DIR_WEB/*
643
# create the backup structure :
643
# create the backup structure :
644
# - base = users database
644
# - base = users database
645
# - system_backup = alcasar conf file + users database
645
# - system_backup = alcasar conf file + users database
646
# - archive = tarball of "base + http firewall + netflow"
646
# - archive = tarball of "base + http firewall + netflow"
647
# - security = watchdog disconnection)
647
# - security = watchdog disconnection)
648
	for i in system_backup base archive security;
648
	for i in system_backup base archive security;
649
	do
649
	do
650
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
650
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
651
	done
651
	done
652
	chown -R root:apache $DIR_SAVE
652
	chown -R root:apache $DIR_SAVE
653
# Configuration et sécurisation php
653
# Configuration et sécurisation php
654
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
654
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
655
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
655
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
656
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
656
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
657
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
657
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
658
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
658
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
659
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
659
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
660
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
660
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
661
# Configuration et sécurisation Apache
661
# Configuration et sécurisation Apache
662
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
662
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
663
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
663
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
664
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
664
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
665
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
665
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
666
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
666
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
667
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
667
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
668
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
668
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
669
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
669
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
670
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
670
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
671
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
671
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
672
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
672
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
673
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
673
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
674
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
674
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
675
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
675
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
676
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
676
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
677
	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
677
	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
678
# Error page management
678
# Error page management
679
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
679
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
680
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
680
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
681
Alias /error/ "/var/www/html/"
681
Alias /error/ "/var/www/html/"
682
<Directory "/usr/share/httpd/error">
682
<Directory "/usr/share/httpd/error">
683
    AllowOverride None
683
    AllowOverride None
684
    Options IncludesNoExec
684
    Options IncludesNoExec
685
    AddOutputFilter Includes html
685
    AddOutputFilter Includes html
686
    AddHandler type-map var
686
    AddHandler type-map var
687
    Require all granted
687
    Require all granted
688
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
688
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
689
    ForceLanguagePriority Prefer Fallback
689
    ForceLanguagePriority Prefer Fallback
690
</Directory>
690
</Directory>
691
ErrorDocument 400 /error/error.php?error=400
691
ErrorDocument 400 /error/error.php?error=400
692
ErrorDocument 401 /error/error.php?error=401
692
ErrorDocument 401 /error/error.php?error=401
693
ErrorDocument 403 /error/error.php?error=403
693
ErrorDocument 403 /error/error.php?error=403
694
ErrorDocument 404 /error/error.php?error=404
694
ErrorDocument 404 /error/error.php?error=404
695
ErrorDocument 405 /error/error.php?error=405
695
ErrorDocument 405 /error/error.php?error=405
696
ErrorDocument 408 /error/error.php?error=408
696
ErrorDocument 408 /error/error.php?error=408
697
ErrorDocument 410 /error/error.php?error=410
697
ErrorDocument 410 /error/error.php?error=410
698
ErrorDocument 411 /error/error.php?error=411
698
ErrorDocument 411 /error/error.php?error=411
699
ErrorDocument 412 /error/error.php?error=412
699
ErrorDocument 412 /error/error.php?error=412
700
ErrorDocument 413 /error/error.php?error=413
700
ErrorDocument 413 /error/error.php?error=413
701
ErrorDocument 414 /error/error.php?error=414
701
ErrorDocument 414 /error/error.php?error=414
702
ErrorDocument 415 /error/error.php?error=415
702
ErrorDocument 415 /error/error.php?error=415
703
ErrorDocument 500 /error/error.php?error=500
703
ErrorDocument 500 /error/error.php?error=500
704
ErrorDocument 501 /error/error.php?error=501
704
ErrorDocument 501 /error/error.php?error=501
705
ErrorDocument 502 /error/error.php?error=502
705
ErrorDocument 502 /error/error.php?error=502
706
ErrorDocument 503 /error/error.php?error=503
706
ErrorDocument 503 /error/error.php?error=503
707
ErrorDocument 506 /error/error.php?error=506
707
ErrorDocument 506 /error/error.php?error=506
708
EOF
708
EOF
709
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
709
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
710
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
710
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
711
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
711
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
712
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
712
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
713
</body>
713
</body>
714
</html>
714
</html>
715
EOF
715
EOF
716
# Définition du premier compte lié au profil 'admin'
716
# Définition du premier compte lié au profil 'admin'
717
	header_install
717
	header_install
718
	if [ "$mode" = "install" ]
718
	if [ "$mode" = "install" ]
719
	then
719
	then
720
		admin_portal=!
720
		admin_portal=!
721
		PTN='^[a-zA-Z0-9-]*$'
721
		PTN='^[a-zA-Z0-9-]*$'
722
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
722
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
723
                	do
723
                	do
724
			header_install
724
			header_install
725
			if [ $Lang == "fr" ]
725
			if [ $Lang == "fr" ]
726
			then 
726
			then 
727
				echo ""
727
				echo ""
728
				echo "Définissez un premier compte d'administration du portail :"
728
				echo "Définissez un premier compte d'administration du portail :"
729
				echo
729
				echo
730
				echo -n "Nom : "
730
				echo -n "Nom : "
731
			else
731
			else
732
				echo ""
732
				echo ""
733
				echo "Define the first account allow to administrate the portal :"
733
				echo "Define the first account allow to administrate the portal :"
734
				echo
734
				echo
735
				echo -n "Account : "
735
				echo -n "Account : "
736
			fi
736
			fi
737
			read admin_portal
737
			read admin_portal
738
			if [ "$admin_portal" == "" ]
738
			if [ "$admin_portal" == "" ]
739
				then
739
				then
740
				admin_portal=!
740
				admin_portal=!
741
			fi
741
			fi
742
			done
742
			done
743
# Creation of keys file for the admin account ("admin")
743
# Creation of keys file for the admin account ("admin")
744
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
744
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
745
		mkdir -p $DIR_DEST_ETC/digest
745
		mkdir -p $DIR_DEST_ETC/digest
746
		chmod 755 $DIR_DEST_ETC/digest
746
		chmod 755 $DIR_DEST_ETC/digest
747
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
747
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
748
			do
748
			do
749
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
749
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
750
			done
750
			done
751
		$DIR_DEST_SBIN/alcasar-profil.sh --list
751
		$DIR_DEST_SBIN/alcasar-profil.sh --list
752
	fi
752
	fi
753
# synchronisation horaire
753
# synchronisation horaire
754
	ntpd -q -g &
754
	ntpd -q -g &
755
# Sécurisation du centre
755
# Sécurisation du centre
756
	rm -f /etc/httpd/conf/webapps.d/alcasar*
756
	rm -f /etc/httpd/conf/webapps.d/alcasar*
757
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
757
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
758
<Directory $DIR_ACC>
758
<Directory $DIR_ACC>
759
	SSLRequireSSL
759
	SSLRequireSSL
760
	AllowOverride None
760
	AllowOverride None
761
	Order deny,allow
761
	Order deny,allow
762
	Deny from all
762
	Deny from all
763
	Allow from 127.0.0.1
763
	Allow from 127.0.0.1
764
	Allow from $PRIVATE_NETWORK_MASK
764
	Allow from $PRIVATE_NETWORK_MASK
765
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
765
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
766
	require valid-user
766
	require valid-user
767
	AuthType digest
767
	AuthType digest
768
	AuthName $HOSTNAME.$DOMAIN
768
	AuthName $HOSTNAME.$DOMAIN
769
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
769
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
770
	AuthUserFile $DIR_DEST_ETC/digest/key_all
770
	AuthUserFile $DIR_DEST_ETC/digest/key_all
771
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
771
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
772
</Directory>
772
</Directory>
773
<Directory $DIR_ACC/admin>
773
<Directory $DIR_ACC/admin>
774
	SSLRequireSSL
774
	SSLRequireSSL
775
	AllowOverride None
775
	AllowOverride None
776
	Order deny,allow
776
	Order deny,allow
777
	Deny from all
777
	Deny from all
778
	Allow from 127.0.0.1
778
	Allow from 127.0.0.1
779
	Allow from $PRIVATE_NETWORK_MASK
779
	Allow from $PRIVATE_NETWORK_MASK
780
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
780
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
781
	require valid-user
781
	require valid-user
782
	AuthType digest
782
	AuthType digest
783
	AuthName $HOSTNAME.$DOMAIN
783
	AuthName $HOSTNAME.$DOMAIN
784
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
784
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
785
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
785
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
786
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
786
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
787
</Directory>
787
</Directory>
788
<Directory $DIR_ACC/manager>
788
<Directory $DIR_ACC/manager>
789
	SSLRequireSSL
789
	SSLRequireSSL
790
	AllowOverride None
790
	AllowOverride None
791
	Order deny,allow
791
	Order deny,allow
792
	Deny from all
792
	Deny from all
793
	Allow from 127.0.0.1
793
	Allow from 127.0.0.1
794
	Allow from $PRIVATE_NETWORK_MASK
794
	Allow from $PRIVATE_NETWORK_MASK
795
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
795
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
796
	require valid-user
796
	require valid-user
797
	AuthType digest
797
	AuthType digest
798
	AuthName $HOSTNAME.$DOMAIN
798
	AuthName $HOSTNAME.$DOMAIN
799
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
799
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
800
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
800
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
801
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
801
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
802
</Directory>
802
</Directory>
803
<Directory $DIR_ACC/backup>
803
<Directory $DIR_ACC/backup>
804
	SSLRequireSSL
804
	SSLRequireSSL
805
	AllowOverride None
805
	AllowOverride None
806
	Order deny,allow
806
	Order deny,allow
807
	Deny from all
807
	Deny from all
808
	Allow from 127.0.0.1
808
	Allow from 127.0.0.1
809
	Allow from $PRIVATE_NETWORK_MASK
809
	Allow from $PRIVATE_NETWORK_MASK
810
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
810
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
811
	require valid-user
811
	require valid-user
812
	AuthType digest
812
	AuthType digest
813
	AuthName $HOSTNAME.$DOMAIN
813
	AuthName $HOSTNAME.$DOMAIN
814
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
814
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
815
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
815
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
816
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
816
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
817
</Directory>
817
</Directory>
818
Alias /save/ "$DIR_SAVE/"
818
Alias /save/ "$DIR_SAVE/"
819
<Directory $DIR_SAVE>
819
<Directory $DIR_SAVE>
820
	SSLRequireSSL
820
	SSLRequireSSL
821
	Options Indexes
821
	Options Indexes
822
	Order deny,allow
822
	Order deny,allow
823
	Deny from all
823
	Deny from all
824
	Allow from 127.0.0.1
824
	Allow from 127.0.0.1
825
	Allow from $PRIVATE_NETWORK_MASK
825
	Allow from $PRIVATE_NETWORK_MASK
826
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
826
#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP
827
	require valid-user
827
	require valid-user
828
	AuthType digest
828
	AuthType digest
829
	AuthName $HOSTNAME.$DOMAIN
829
	AuthName $HOSTNAME.$DOMAIN
830
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
830
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
831
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
831
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
832
</Directory>
832
</Directory>
833
EOF
833
EOF
834
# Launch after coova
834
# Launch after coova
835
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
835
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
836
} # End of ACC ()
836
} # End of ACC ()
837
 
837
 
838
##########################################################################################
838
##########################################################################################
839
##				Fonction "CA"						##
839
##				Fonction "CA"						##
840
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
840
## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##
841
##########################################################################################
841
##########################################################################################
842
CA ()
842
CA ()
843
{
843
{
844
	$DIR_DEST_BIN/alcasar-CA.sh
844
	$DIR_DEST_BIN/alcasar-CA.sh
845
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
845
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
846
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
846
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
847
	cat <<EOF > $FIC_VIRTUAL_SSL
847
	cat <<EOF > $FIC_VIRTUAL_SSL
848
# default SSL virtual host, used for all HTTPS requests that do not
848
# default SSL virtual host, used for all HTTPS requests that do not
849
# match a ServerName or ServerAlias in any <VirtualHost> block.
849
# match a ServerName or ServerAlias in any <VirtualHost> block.
850
 
850
 
851
<VirtualHost _default_:443>
851
<VirtualHost _default_:443>
852
# general configuration
852
# general configuration
853
    ServerAdmin root@localhost
853
    ServerAdmin root@localhost
854
    ServerName localhost
854
    ServerName localhost
855
 
855
 
856
# SSL configuration
856
# SSL configuration
857
    SSLEngine on
857
    SSLEngine on
858
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
858
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
859
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
859
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
860
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
860
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
861
    CustomLog logs/ssl_request_log \
861
    CustomLog logs/ssl_request_log \
862
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
862
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
863
    ErrorLog logs/ssl_error_log
863
    ErrorLog logs/ssl_error_log
864
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
864
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
865
</VirtualHost>
865
</VirtualHost>
866
EOF
866
EOF
867
 
867
 
868
	chown -R root:apache /etc/pki
868
	chown -R root:apache /etc/pki
869
	chmod -R 750 /etc/pki
869
	chmod -R 750 /etc/pki
870
} # End of CA ()
870
} # End of CA ()
871
 
871
 
872
##########################################################################################
872
##########################################################################################
873
##			Fonction "init_db"						##
873
##			Fonction "init_db"						##
874
## - Initialisation de la base Mysql							##
874
## - Initialisation de la base Mysql							##
875
## - Affectation du mot de passe de l'administrateur (root)				##
875
## - Affectation du mot de passe de l'administrateur (root)				##
876
## - Suppression des bases et des utilisateurs superflus				##
876
## - Suppression des bases et des utilisateurs superflus				##
877
## - Création de la base 'radius'							##
877
## - Création de la base 'radius'							##
878
## - Installation du schéma de cette base						##
878
## - Installation du schéma de cette base						##
879
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
879
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
880
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
880
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
881
##########################################################################################
881
##########################################################################################
882
init_db ()
882
init_db ()
883
{
883
{
884
	rm -rf /var/lib/mysql # to be sure that there is no former installation
884
	rm -rf /var/lib/mysql # to be sure that there is no former installation
885
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
885
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
886
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
886
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
887
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
887
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
888
	systemctl start mysqld.service
888
	systemctl start mysqld.service
889
	sleep 4
889
	sleep 4
890
	mysqladmin -u root password $mysqlpwd
890
	mysqladmin -u root password $mysqlpwd
891
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
891
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
892
# Secure the server
892
# Secure the server
893
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
893
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
894
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
894
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
895
# Create 'radius' database
895
# Create 'radius' database
896
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
896
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
897
# Add an empty radius database structure
897
# Add an empty radius database structure
898
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
898
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
899
# modify the start script in order to close accounting connexion when the system is comming down or up
899
# modify the start script in order to close accounting connexion when the system is comming down or up
900
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
900
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
901
	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
901
	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
902
	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
902
	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
903
	systemctl daemon-reload
903
	systemctl daemon-reload
904
} # End of init_db ()
904
} # End of init_db ()
905
 
905
 
906
##########################################################################
906
##########################################################################
907
##			Fonction "radius"				##
907
##			Fonction "radius"				##
908
## - Paramètrage des fichiers de configuration FreeRadius		##
908
## - Paramètrage des fichiers de configuration FreeRadius		##
909
## - Affectation du secret partagé entre coova-chilli et freeradius	##
909
## - Affectation du secret partagé entre coova-chilli et freeradius	##
910
## - Modification de fichier de conf pour l'accès à Mysql		##
910
## - Modification de fichier de conf pour l'accès à Mysql		##
911
##########################################################################
911
##########################################################################
912
radius ()
912
radius ()
913
{
913
{
914
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
914
	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
915
	chown -R radius:radius /etc/raddb
915
	chown -R radius:radius /etc/raddb
916
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
916
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
917
# Set radius.conf parameters
917
# Set radius.conf parameters
918
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
918
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
919
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
919
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
920
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
920
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
921
# remove the proxy function
921
# remove the proxy function
922
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
922
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
923
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
923
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
924
# remove EAP module
924
# remove EAP module
925
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
925
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
926
# listen on loopback (should be modified later if EAP enabled)
926
# listen on loopback (should be modified later if EAP enabled)
927
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
927
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
928
# enable the  SQL module (and SQL counter)
928
# enable the  SQL module (and SQL counter)
929
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
929
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
930
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
930
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
931
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
931
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
932
# only include modules for ALCASAR needs
932
# only include modules for ALCASAR needs
933
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
933
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
934
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
934
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
935
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
935
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
936
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
936
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
937
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
937
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
938
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
938
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
939
# remvove virtual server and copy our conf file
939
# remvove virtual server and copy our conf file
940
	rm -f /etc/raddb/sites-enabled/*
940
	rm -f /etc/raddb/sites-enabled/*
941
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
941
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
942
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
942
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
943
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
943
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
944
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
944
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
945
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
945
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
946
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
946
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
947
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
947
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
948
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
948
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
949
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
949
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
950
	cat << EOF > /etc/raddb/clients.conf
950
	cat << EOF > /etc/raddb/clients.conf
951
client 127.0.0.1 {
951
client 127.0.0.1 {
952
	secret = $secretradius
952
	secret = $secretradius
953
	shortname = localhost
953
	shortname = localhost
954
}
954
}
955
EOF
955
EOF
956
# sql.conf modification
956
# sql.conf modification
957
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
957
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
958
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
958
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
959
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
959
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
960
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
960
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
961
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
961
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
962
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
962
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
963
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
963
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
964
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
964
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
965
# counter.conf modification (change the Max-All-Session-Time counter)
965
# counter.conf modification (change the Max-All-Session-Time counter)
966
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
966
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
967
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
967
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
968
	chown -R radius:radius /etc/raddb/sql/mysql/*
968
	chown -R radius:radius /etc/raddb/sql/mysql/*
969
# make certain that mysql is up before radius start
969
# make certain that mysql is up before radius start
970
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
970
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
971
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
971
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
972
	systemctl daemon-reload
972
	systemctl daemon-reload
973
} # End radius ()
973
} # End radius ()
974
 
974
 
975
##########################################################################
975
##########################################################################
976
##			Function "radius_web"				##
976
##			Function "radius_web"				##
977
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
977
## - Import, modification et paramètrage de l'interface "dialupadmin"	##
978
## - Création du lien vers la page de changement de mot de passe        ##
978
## - Création du lien vers la page de changement de mot de passe        ##
979
##########################################################################
979
##########################################################################
980
radius_web ()
980
radius_web ()
981
{
981
{
982
# copie de l'interface d'origine dans la structure Alcasar
982
# copie de l'interface d'origine dans la structure Alcasar
983
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
983
	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
984
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
984
	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme 
985
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
985
	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
986
# copie des fichiers modifiés
986
# copie des fichiers modifiés
987
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
987
	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
988
	chown -R apache:apache $DIR_ACC/manager/
988
	chown -R apache:apache $DIR_ACC/manager/
989
# Modification des fichiers de configuration
989
# Modification des fichiers de configuration
990
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
990
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
991
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
991
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
992
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
992
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
993
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
993
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
994
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
994
	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
995
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
995
	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
996
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
996
	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
997
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
997
	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
998
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
998
	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
999
	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
999
	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
1000
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1000
	[ -e /etc/freeradius-web/config.php.default ] || cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1001
	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
1001
	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
1002
	cat <<EOF > /etc/freeradius-web/naslist.conf
1002
	cat <<EOF > /etc/freeradius-web/naslist.conf
1003
nas1_name: alcasar-$ORGANISME
1003
nas1_name: alcasar-$ORGANISME
1004
nas1_model: Portail captif
1004
nas1_model: Portail captif
1005
nas1_ip: $PRIVATE_IP
1005
nas1_ip: $PRIVATE_IP
1006
nas1_port_num: 0
1006
nas1_port_num: 0
1007
nas1_community: public
1007
nas1_community: public
1008
EOF
1008
EOF
1009
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
1009
# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
1010
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1010
	[ -e /etc/freeradius-web/user_edit.attrs.default ] || mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1011
	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
1011
	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
1012
# Ajout du mappage des attributs chillispot
1012
# Ajout du mappage des attributs chillispot
1013
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1013
	[ -e /etc/freeradius-web/sql.attrmap.default ] || mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1014
	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1014
	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1015
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1015
# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1016
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1016
	[ -e /etc/freeradius-web/sql.attrs.default ] || cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1017
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
1017
	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
1018
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
1018
	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
1019
	chown -R apache:apache /etc/freeradius-web
1019
	chown -R apache:apache /etc/freeradius-web
1020
# Ajout de l'alias vers la page de "changement de mot de passe usager"
1020
# Ajout de l'alias vers la page de "changement de mot de passe usager"
1021
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
1021
	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
1022
<Directory $DIR_WEB/pass>
1022
<Directory $DIR_WEB/pass>
1023
	SSLRequireSSL
1023
	SSLRequireSSL
1024
	AllowOverride None
1024
	AllowOverride None
1025
	Order deny,allow
1025
	Order deny,allow
1026
	Deny from all
1026
	Deny from all
1027
	Allow from 127.0.0.1
1027
	Allow from 127.0.0.1
1028
	Allow from $PRIVATE_NETWORK_MASK
1028
	Allow from $PRIVATE_NETWORK_MASK
1029
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1029
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1030
</Directory>
1030
</Directory>
1031
EOF
1031
EOF
1032
} # End of radius_web ()
1032
} # End of radius_web ()
1033
 
1033
 
1034
##################################################################################
1034
##################################################################################
1035
##			Fonction "chilli"					##
1035
##			Fonction "chilli"					##
1036
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1036
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1037
## - Paramètrage de la page d'authentification (intercept.php)			##
1037
## - Paramètrage de la page d'authentification (intercept.php)			##
1038
##################################################################################
1038
##################################################################################
1039
chilli ()
1039
chilli ()
1040
{
1040
{
1041
# chilli unit for systemd
1041
# chilli unit for systemd
1042
cat << EOF > /lib/systemd/system/chilli.service
1042
cat << EOF > /lib/systemd/system/chilli.service
1043
#  This file is part of systemd.
1043
#  This file is part of systemd.
1044
#
1044
#
1045
#  systemd is free software; you can redistribute it and/or modify it
1045
#  systemd is free software; you can redistribute it and/or modify it
1046
#  under the terms of the GNU General Public License as published by
1046
#  under the terms of the GNU General Public License as published by
1047
#  the Free Software Foundation; either version 2 of the License, or
1047
#  the Free Software Foundation; either version 2 of the License, or
1048
#  (at your option) any later version.
1048
#  (at your option) any later version.
1049
[Unit]
1049
[Unit]
1050
Description=chilli is a captive portal daemon
1050
Description=chilli is a captive portal daemon
1051
After=network.target
1051
After=network.target
1052
 
1052
 
1053
[Service]
1053
[Service]
1054
Type=forking
1054
Type=forking
1055
ExecStart=/usr/libexec/chilli start
1055
ExecStart=/usr/libexec/chilli start
1056
ExecStop=/usr/libexec/chilli stop
1056
ExecStop=/usr/libexec/chilli stop
1057
ExecReload=/usr/libexec/chilli reload
1057
ExecReload=/usr/libexec/chilli reload
1058
PIDFile=/var/run/chilli.pid
1058
PIDFile=/var/run/chilli.pid
1059
 
1059
 
1060
[Install]
1060
[Install]
1061
WantedBy=multi-user.target
1061
WantedBy=multi-user.target
1062
EOF
1062
EOF
1063
# init file creation
1063
# init file creation
1064
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1064
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1065
	cat <<EOF > /usr/libexec/chilli
1065
	cat <<EOF > /usr/libexec/chilli
1066
#!/bin/sh
1066
#!/bin/sh
1067
#
1067
#
1068
# chilli CoovaChilli init
1068
# chilli CoovaChilli init
1069
#
1069
#
1070
# chkconfig: 2345 65 35
1070
# chkconfig: 2345 65 35
1071
# description: CoovaChilli
1071
# description: CoovaChilli
1072
### BEGIN INIT INFO
1072
### BEGIN INIT INFO
1073
# Provides:       chilli
1073
# Provides:       chilli
1074
# Required-Start: network 
1074
# Required-Start: network 
1075
# Should-Start: 
1075
# Should-Start: 
1076
# Required-Stop:  network
1076
# Required-Stop:  network
1077
# Should-Stop: 
1077
# Should-Stop: 
1078
# Default-Start:  2 3 5
1078
# Default-Start:  2 3 5
1079
# Default-Stop:
1079
# Default-Stop:
1080
# Description:    CoovaChilli access controller
1080
# Description:    CoovaChilli access controller
1081
### END INIT INFO
1081
### END INIT INFO
1082
 
1082
 
1083
[ -f /usr/sbin/chilli ] || exit 0
1083
[ -f /usr/sbin/chilli ] || exit 0
1084
. /etc/init.d/functions
1084
. /etc/init.d/functions
1085
CONFIG=/etc/chilli.conf
1085
CONFIG=/etc/chilli.conf
1086
pidfile=/var/run/chilli.pid
1086
pidfile=/var/run/chilli.pid
1087
[ -f \$CONFIG ] || {
1087
[ -f \$CONFIG ] || {
1088
    echo "\$CONFIG Not found"
1088
    echo "\$CONFIG Not found"
1089
    exit 0
1089
    exit 0
1090
}
1090
}
1091
RETVAL=0
1091
RETVAL=0
1092
prog="chilli"
1092
prog="chilli"
1093
case \$1 in
1093
case \$1 in
1094
    start)
1094
    start)
1095
	if [ -f \$pidfile ] ; then 
1095
	if [ -f \$pidfile ] ; then 
1096
		gprintf "chilli is already running"
1096
		gprintf "chilli is already running"
1097
	else
1097
	else
1098
        	gprintf "Starting \$prog: "
1098
        	gprintf "Starting \$prog: "
1099
		rm -f /var/run/chilli* # cleaning
1099
		rm -f /var/run/chilli* # cleaning
1100
        	/sbin/modprobe tun >/dev/null 2>&1
1100
        	/sbin/modprobe tun >/dev/null 2>&1
1101
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1101
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1102
		[ -e /dev/net/tun ] || {
1102
		[ -e /dev/net/tun ] || {
1103
	    	(cd /dev; 
1103
	    	(cd /dev; 
1104
			mkdir net; 
1104
			mkdir net; 
1105
			cd net; 
1105
			cd net; 
1106
			mknod tun c 10 200)
1106
			mknod tun c 10 200)
1107
		}
1107
		}
1108
		ifconfig $INTIF 0.0.0.0
1108
		ifconfig $INTIF 0.0.0.0
1109
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1109
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1110
        	RETVAL=$?
1110
        	RETVAL=$?
1111
	fi
1111
	fi
1112
	;;
1112
	;;
1113
 
1113
 
1114
    reload)
1114
    reload)
1115
	killall -HUP chilli
1115
	killall -HUP chilli
1116
	;;
1116
	;;
1117
 
1117
 
1118
    restart)
1118
    restart)
1119
	\$0 stop
1119
	\$0 stop
1120
        sleep 2
1120
        sleep 2
1121
	\$0 start
1121
	\$0 start
1122
	;;
1122
	;;
1123
    
1123
    
1124
    status)
1124
    status)
1125
        status chilli
1125
        status chilli
1126
        RETVAL=0
1126
        RETVAL=0
1127
        ;;
1127
        ;;
1128
 
1128
 
1129
    stop)
1129
    stop)
1130
	if [ -f \$pidfile ] ; then  
1130
	if [ -f \$pidfile ] ; then  
1131
        	gprintf "Shutting down \$prog: "
1131
        	gprintf "Shutting down \$prog: "
1132
		killproc /usr/sbin/chilli
1132
		killproc /usr/sbin/chilli
1133
		RETVAL=\$?
1133
		RETVAL=\$?
1134
		[ \$RETVAL = 0 ] && rm -f $pidfile
1134
		[ \$RETVAL = 0 ] && rm -f $pidfile
1135
	else	
1135
	else	
1136
        	gprintf "chilli is not running"
1136
        	gprintf "chilli is not running"
1137
	fi
1137
	fi
1138
	;;
1138
	;;
1139
    
1139
    
1140
    *)
1140
    *)
1141
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1141
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1142
        exit 1
1142
        exit 1
1143
esac
1143
esac
1144
echo
1144
echo
1145
EOF
1145
EOF
1146
chmod a+x /usr/libexec/chilli
1146
chmod a+x /usr/libexec/chilli
1147
# conf file creation
1147
# conf file creation
1148
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1148
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1149
	cat <<EOF > /etc/chilli.conf
1149
	cat <<EOF > /etc/chilli.conf
1150
# coova config for ALCASAR
1150
# coova config for ALCASAR
1151
cmdsocket	/var/run/chilli.sock
1151
cmdsocket	/var/run/chilli.sock
1152
unixipc		chilli.$INTIF.ipc
1152
unixipc		chilli.$INTIF.ipc
1153
pidfile		/var/run/chilli.$INTIF.pid
1153
pidfile		/var/run/chilli.$INTIF.pid
1154
net		$PRIVATE_NETWORK_MASK
1154
net		$PRIVATE_NETWORK_MASK
1155
dhcpif		$INTIF
1155
dhcpif		$INTIF
1156
ethers		$DIR_DEST_ETC/alcasar-ethers
1156
ethers		$DIR_DEST_ETC/alcasar-ethers
1157
#nodynip
1157
#nodynip
1158
#statip
1158
#statip
1159
dynip		$PRIVATE_NETWORK_MASK
1159
dynip		$PRIVATE_NETWORK_MASK
1160
domain		$DOMAIN
1160
domain		$DOMAIN
1161
dns1		$PRIVATE_IP
1161
dns1		$PRIVATE_IP
1162
dns2		$PRIVATE_IP
1162
dns2		$PRIVATE_IP
1163
uamlisten	$PRIVATE_IP
1163
uamlisten	$PRIVATE_IP
1164
uamport		3990
1164
uamport		3990
1165
macauth
1165
macauth
1166
macpasswd	password
1166
macpasswd	password
1167
locationname	$HOSTNAME.$DOMAIN
1167
locationname	$HOSTNAME.$DOMAIN
1168
radiusserver1	127.0.0.1
1168
radiusserver1	127.0.0.1
1169
radiusserver2	127.0.0.1
1169
radiusserver2	127.0.0.1
1170
radiussecret	$secretradius
1170
radiussecret	$secretradius
1171
radiusauthport	1812
1171
radiusauthport	1812
1172
radiusacctport	1813
1172
radiusacctport	1813
1173
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1173
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1174
radiusnasid	$HOSTNAME.$DOMAIN
1174
radiusnasid	$HOSTNAME.$DOMAIN
1175
uamsecret	$secretuam
1175
uamsecret	$secretuam
1176
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1176
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1177
coaport		3799
1177
coaport		3799
1178
conup		$DIR_DEST_BIN/alcasar-conup.sh
1178
conup		$DIR_DEST_BIN/alcasar-conup.sh
1179
condown		$DIR_DEST_BIN/alcasar-condown.sh
1179
condown		$DIR_DEST_BIN/alcasar-condown.sh
1180
include		$DIR_DEST_ETC/alcasar-uamallowed
1180
include		$DIR_DEST_ETC/alcasar-uamallowed
1181
include		$DIR_DEST_ETC/alcasar-uamdomain
1181
include		$DIR_DEST_ETC/alcasar-uamdomain
1182
#dhcpgateway
1182
#dhcpgateway
1183
#dhcprelayagent
1183
#dhcprelayagent
1184
#dhcpgatewayport
1184
#dhcpgatewayport
1185
EOF
1185
EOF
1186
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1186
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1187
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1187
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1188
# create files for trusted domains and urls
1188
# create files for trusted domains and urls
1189
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1189
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1190
	chown root:apache $DIR_DEST_ETC/alcasar-*
1190
	chown root:apache $DIR_DEST_ETC/alcasar-*
1191
	chmod 660 $DIR_DEST_ETC/alcasar-*
1191
	chmod 660 $DIR_DEST_ETC/alcasar-*
1192
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1192
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1193
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1193
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1194
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1194
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1195
# user 'chilli' creation (in order to run conup/off and up/down scripts
1195
# user 'chilli' creation (in order to run conup/off and up/down scripts
1196
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1196
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1197
	if [ "$chilli_exist" == "1" ]
1197
	if [ "$chilli_exist" == "1" ]
1198
	then
1198
	then
1199
	      userdel -r chilli 2>/dev/null
1199
	      userdel -r chilli 2>/dev/null
1200
	fi
1200
	fi
1201
	groupadd -f chilli
1201
	groupadd -f chilli
1202
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1202
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1203
}  # End of chilli ()
1203
}  # End of chilli ()
1204
 
1204
 
1205
##################################################################
1205
##################################################################
1206
##		Fonction "dansguardian"				##
1206
##		Fonction "dansguardian"				##
1207
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1207
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1208
##################################################################
1208
##################################################################
1209
dansguardian ()
1209
dansguardian ()
1210
{
1210
{
1211
	mkdir /var/dansguardian
1211
	mkdir /var/dansguardian
1212
	chown dansguardian /var/dansguardian
1212
	chown dansguardian /var/dansguardian
1213
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1213
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1214
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1214
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1215
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1215
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1216
# By default the filter is off 
1216
# By default the filter is off 
1217
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1217
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1218
# French deny HTML page
1218
# French deny HTML page
1219
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1219
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1220
# Listen only on LAN side
1220
# Listen only on LAN side
1221
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1221
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1222
# DG send its flow to HAVP
1222
# DG send its flow to HAVP
1223
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1223
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1224
# replace the default deny HTML page
1224
# replace the default deny HTML page
1225
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1225
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1226
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1226
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1227
# Don't log
1227
# Don't log
1228
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1228
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1229
# Run 10 daemons (20 in largest server)
1229
# Run 10 daemons (20 in largest server)
1230
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1230
	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1231
# on désactive par défaut le controle de contenu des pages html
1231
# on désactive par défaut le controle de contenu des pages html
1232
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1232
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1233
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1233
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1234
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1234
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1235
# on désactive par défaut le contrôle d'URL par expressions régulières
1235
# on désactive par défaut le contrôle d'URL par expressions régulières
1236
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1236
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1237
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1237
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1238
# on désactive par défaut le contrôle de téléchargement de fichiers
1238
# on désactive par défaut le contrôle de téléchargement de fichiers
1239
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1239
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1240
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1240
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1241
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1241
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1242
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1242
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1243
	touch $DIR_DG/lists/bannedextensionlist
1243
	touch $DIR_DG/lists/bannedextensionlist
1244
	touch $DIR_DG/lists/bannedmimetypelist
1244
	touch $DIR_DG/lists/bannedmimetypelist
1245
# 'Safesearch' regex actualisation
1245
# 'Safesearch' regex actualisation
1246
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1246
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1247
# empty LAN IP list that won't be WEB filtered
1247
# empty LAN IP list that won't be WEB filtered
1248
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1248
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1249
	touch $DIR_DG/lists/exceptioniplist
1249
	touch $DIR_DG/lists/exceptioniplist
1250
# Keep a copy of URL & domain filter configuration files
1250
# Keep a copy of URL & domain filter configuration files
1251
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1251
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1252
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1252
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1253
} # End of dansguardian ()
1253
} # End of dansguardian ()
1254
 
1254
 
1255
##################################################################
1255
##################################################################
1256
##			Fonction "antivirus"			##
1256
##			Fonction "antivirus"			##
1257
## - configuration of havp, libclamav and freshclam		##
1257
## - configuration of havp, libclamav and freshclam		##
1258
##################################################################
1258
##################################################################
1259
antivirus ()		
1259
antivirus ()		
1260
{
1260
{
1261
# create 'havp' user
1261
# create 'havp' user
1262
	havp_exist=`grep havp /etc/passwd|wc -l`
1262
	havp_exist=`grep havp /etc/passwd|wc -l`
1263
	if [ "$havp_exist" == "1" ]
1263
	if [ "$havp_exist" == "1" ]
1264
	then
1264
	then
1265
	      userdel -r havp 2>/dev/null
1265
	      userdel -r havp 2>/dev/null
1266
	      groupdel havp 2>/dev/null
1266
	      groupdel havp 2>/dev/null
1267
	fi
1267
	fi
1268
	groupadd -f havp
1268
	groupadd -f havp
1269
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1269
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1270
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1270
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1271
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1271
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1272
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1272
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1273
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1273
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1274
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1274
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1275
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1275
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1276
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1276
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1277
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1277
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1278
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1278
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1279
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1279
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1280
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1280
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1281
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1281
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1282
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1282
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1283
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1283
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1284
# skip checking of youtube flow (too heavy load / risk too low)
1284
# skip checking of youtube flow (too heavy load / risk too low)
1285
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1285
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1286
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1286
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1287
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1287
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1288
# adapt init script and systemd unit
1288
# adapt init script and systemd unit
1289
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1289
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1290
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1290
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
-
 
1291
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1291
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir /var/run/havp" /lib/systemd/system/havp.service
1292
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1292
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1293
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1293
# replace of the intercept page (template)
1294
# replace of the intercept page (template)
1294
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1295
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1295
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1296
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1296
# update virus database every 4 hours (24h/6)
1297
# update virus database every 4 hours (24h/6)
1297
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1298
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1298
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1299
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1299
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1300
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1300
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1301
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1301
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1302
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1302
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1303
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1303
# update now
1304
# update now
1304
	/usr/bin/freshclam --no-warnings
1305
	/usr/bin/freshclam --no-warnings
1305
} # End of antivirus ()
1306
} # End of antivirus ()
1306
 
1307
 
1307
##########################################################################
1308
##########################################################################
1308
##			Fonction "tinyproxy"				##
1309
##			Fonction "tinyproxy"				##
1309
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1310
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1310
##########################################################################
1311
##########################################################################
1311
tinyproxy ()		
1312
tinyproxy ()		
1312
{
1313
{
1313
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1314
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1314
	if [ "$tinyproxy_exist" == "1" ]
1315
	if [ "$tinyproxy_exist" == "1" ]
1315
	then
1316
	then
1316
	      userdel -r tinyproxy 2>/dev/null
1317
	      userdel -r tinyproxy 2>/dev/null
1317
	      groupdel tinyproxy 2>/dev/null
1318
	      groupdel tinyproxy 2>/dev/null
1318
	fi
1319
	fi
1319
	groupadd -f tinyproxy
1320
	groupadd -f tinyproxy
1320
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1321
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1321
	mkdir -p var/run/tinyproxy /var/log/tinyproxy
1322
	mkdir -p var/run/tinyproxy /var/log/tinyproxy
1322
	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
1323
	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
1323
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1324
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1324
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1325
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1325
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1326
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1326
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1327
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1327
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1328
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1328
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1329
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1329
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1330
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1330
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1331
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1331
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1332
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1332
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1333
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1333
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1334
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1334
# Create the systemd unit
1335
# Create the systemd unit
1335
cat << EOF > /lib/systemd/system/tinyproxy.service
1336
cat << EOF > /lib/systemd/system/tinyproxy.service
1336
#  This file is part of systemd.
1337
#  This file is part of systemd.
1337
#
1338
#
1338
#  systemd is free software; you can redistribute it and/or modify it
1339
#  systemd is free software; you can redistribute it and/or modify it
1339
#  under the terms of the GNU General Public License as published by
1340
#  under the terms of the GNU General Public License as published by
1340
#  the Free Software Foundation; either version 2 of the License, or
1341
#  the Free Software Foundation; either version 2 of the License, or
1341
#  (at your option) any later version.
1342
#  (at your option) any later version.
1342
 
1343
 
1343
# This unit launches tinyproxy (a very light proxy).
1344
# This unit launches tinyproxy (a very light proxy).
1344
# The "sleep 2" is needed because the pid file isn't ready for systemd
1345
# The "sleep 2" is needed because the pid file isn't ready for systemd
1345
[Unit]
1346
[Unit]
1346
Description=Tinyproxy Web Proxy Server
1347
Description=Tinyproxy Web Proxy Server
1347
After=network.target iptables.service
1348
After=network.target iptables.service
1348
 
1349
 
1349
[Service]
1350
[Service]
1350
Type=forking
1351
Type=forking
1351
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1352
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1352
ExecStartPre=/bin/sleep 2
1353
ExecStartPre=/bin/sleep 2
1353
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1354
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1354
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1355
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1355
 
1356
 
1356
[Install]
1357
[Install]
1357
WantedBy=multi-user.target
1358
WantedBy=multi-user.target
1358
EOF
1359
EOF
1359
 
1360
 
1360
} # end of tinyproxy
1361
} # end of tinyproxy
1361
##################################################################################
1362
##################################################################################
1362
##			function "ulogd"					##
1363
##			function "ulogd"					##
1363
## - Ulog config for multi-log files 						##
1364
## - Ulog config for multi-log files 						##
1364
##################################################################################
1365
##################################################################################
1365
ulogd ()
1366
ulogd ()
1366
{
1367
{
1367
# Three instances of ulogd (three different logfiles)
1368
# Three instances of ulogd (three different logfiles)
1368
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1369
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1369
	nl=1
1370
	nl=1
1370
	for log_type in traceability ssh ext-access
1371
	for log_type in traceability ssh ext-access
1371
	do
1372
	do
1372
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1373
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1373
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1374
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1374
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1375
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1375
		$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf 
1376
		$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf 
1376
		cat << EOF >> /etc/ulogd-$log_type.conf
1377
		cat << EOF >> /etc/ulogd-$log_type.conf
1377
[emu1]
1378
[emu1]
1378
file="/var/log/firewall/$log_type.log"
1379
file="/var/log/firewall/$log_type.log"
1379
sync=1
1380
sync=1
1380
EOF
1381
EOF
1381
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1382
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1382
		nl=`expr $nl + 1`
1383
		nl=`expr $nl + 1`
1383
	done
1384
	done
1384
	chown -R root:apache /var/log/firewall
1385
	chown -R root:apache /var/log/firewall
1385
	chmod 750 /var/log/firewall
1386
	chmod 750 /var/log/firewall
1386
	chmod 640 /var/log/firewall/*
1387
	chmod 640 /var/log/firewall/*
1387
}  # End of ulogd ()
1388
}  # End of ulogd ()
1388
 
1389
 
1389
 
1390
 
1390
##########################################################
1391
##########################################################
1391
##              Function "nfsen"			##
1392
##              Function "nfsen"			##
1392
##########################################################
1393
##########################################################
1393
nfsen()
1394
nfsen()
1394
{
1395
{
1395
	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1396
	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1396
# Add PortTracker plugin
1397
# Add PortTracker plugin
1397
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1398
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1398
	do
1399
	do
1399
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1400
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1400
	done
1401
	done
1401
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm
1402
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm
1402
# use of our conf file and init unit
1403
# use of our conf file and init unit
1403
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1404
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1404
# Installation of nfsen
1405
# Installation of nfsen
1405
	DirTmp=$(pwd)
1406
	DirTmp=$(pwd)
1406
	cd /tmp/nfsen-1.3.6p1/
1407
	cd /tmp/nfsen-1.3.6p1/
1407
	/usr/bin/perl5 install.pl etc/nfsen.conf
1408
	/usr/bin/perl5 install.pl etc/nfsen.conf
1408
	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1409
	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1409
# Create RRD DB for porttracker (only in it still doesn't exist)
1410
# Create RRD DB for porttracker (only in it still doesn't exist)
1410
	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1411
	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1411
	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1412
	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1412
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1413
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1413
	chmod -R 770 /var/log/netflow/porttracker
1414
	chmod -R 770 /var/log/netflow/porttracker
1414
# nfsen unit for systemd
1415
# nfsen unit for systemd
1415
cat << EOF > /lib/systemd/system/nfsen.service
1416
cat << EOF > /lib/systemd/system/nfsen.service
1416
#  This file is part of systemd.
1417
#  This file is part of systemd.
1417
#
1418
#
1418
#  systemd is free software; you can redistribute it and/or modify it
1419
#  systemd is free software; you can redistribute it and/or modify it
1419
#  under the terms of the GNU General Public License as published by
1420
#  under the terms of the GNU General Public License as published by
1420
#  the Free Software Foundation; either version 2 of the License, or
1421
#  the Free Software Foundation; either version 2 of the License, or
1421
#  (at your option) any later version.
1422
#  (at your option) any later version.
1422
 
1423
 
1423
# This unit launches nfsen (a Netflow grapher).
1424
# This unit launches nfsen (a Netflow grapher).
1424
[Unit]
1425
[Unit]
1425
Description= NfSen init script
1426
Description= NfSen init script
1426
After=network.target iptables.service
1427
After=network.target iptables.service
1427
 
1428
 
1428
[Service]
1429
[Service]
1429
Type=oneshot
1430
Type=oneshot
1430
RemainAfterExit=yes
1431
RemainAfterExit=yes
1431
PIDFile=/var/run/nfsen/nfsen.pid
1432
PIDFile=/var/run/nfsen/nfsen.pid
1432
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1433
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1433
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1434
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1434
ExecStart=/usr/bin/nfsen start 
1435
ExecStart=/usr/bin/nfsen start 
1435
ExecStop=/usr/bin/nfsen stop
1436
ExecStop=/usr/bin/nfsen stop
1436
ExecReload=/usr/bin/nfsen restart
1437
ExecReload=/usr/bin/nfsen restart
1437
TimeoutSec=0
1438
TimeoutSec=0
1438
 
1439
 
1439
[Install]
1440
[Install]
1440
WantedBy=multi-user.target
1441
WantedBy=multi-user.target
1441
EOF
1442
EOF
1442
# Add the listen port to collect netflow packet (nfcapd)
1443
# Add the listen port to collect netflow packet (nfcapd)
1443
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1444
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1444
# expire delay for the profile "live"
1445
# expire delay for the profile "live"
1445
	systemctl start nfsen
1446
	systemctl start nfsen
1446
	/bin/nfsen -m live -e 62d 2>/dev/null
1447
	/bin/nfsen -m live -e 62d 2>/dev/null
1447
# add SURFmap plugin
1448
# add SURFmap plugin
1448
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1449
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1449
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1450
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1450
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1451
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1451
	cd /tmp/
1452
	cd /tmp/
1452
	/usr/bin/sh SURFmap/install.sh
1453
	/usr/bin/sh SURFmap/install.sh
1453
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1454
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1454
# clear the installation
1455
# clear the installation
1455
	cd $DirTmp
1456
	cd $DirTmp
1456
	rm -rf /tmp/nfsen*
1457
	rm -rf /tmp/nfsen*
1457
	rm -rf /tmp/SURFmap*
1458
	rm -rf /tmp/SURFmap*
1458
} # End of nfsen ()
1459
} # End of nfsen ()
1459
 
1460
 
1460
##################################################
1461
##################################################
1461
##		Function "vnstat"		##
1462
##		Function "vnstat"		##
1462
## Initialization of Vnstat and vnstat phpFE    ##
1463
## Initialization of Vnstat and vnstat phpFE    ##
1463
##################################################
1464
##################################################
1464
vnstat ()
1465
vnstat ()
1465
{
1466
{
1466
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1467
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1467
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1468
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1468
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1469
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1469
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1470
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1470
	 $SED "s?\$iface_title.*?\$iface_title['$EXTIF'] = 'Internet outbound';?g" $DIR_ACC/manager/stats/config.php
1471
	 $SED "s?\$iface_title.*?\$iface_title['$EXTIF'] = 'Internet outbound';?g" $DIR_ACC/manager/stats/config.php
1471
	/usr/bin/vnstat -u -i $EXTIF
1472
	/usr/bin/vnstat -u -i $EXTIF
1472
} # End of vnstat	
1473
} # End of vnstat	
1473
##################################################
1474
##################################################
1474
##		Function "dnsmasq"		##
1475
##		Function "dnsmasq"		##
1475
##################################################
1476
##################################################
1476
dnsmasq ()
1477
dnsmasq ()
1477
{
1478
{
1478
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1479
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1479
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1480
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1480
	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1481
	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1481
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1482
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1482
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1483
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1483
	cat << EOF > /etc/dnsmasq.conf 
1484
	cat << EOF > /etc/dnsmasq.conf 
1484
# Configuration file for "dnsmasq in forward mode"
1485
# Configuration file for "dnsmasq in forward mode"
1485
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1486
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1486
listen-address=$PRIVATE_IP
1487
listen-address=$PRIVATE_IP
1487
pid-file=/var/run/dnsmasq.pid
1488
pid-file=/var/run/dnsmasq.pid
1488
listen-address=127.0.0.1
1489
listen-address=127.0.0.1
1489
no-dhcp-interface=$INTIF
1490
no-dhcp-interface=$INTIF
1490
no-dhcp-interface=tun0
1491
no-dhcp-interface=tun0
1491
no-dhcp-interface=lo
1492
no-dhcp-interface=lo
1492
bind-interfaces
1493
bind-interfaces
1493
cache-size=256
1494
cache-size=256
1494
domain=$DOMAIN
1495
domain=$DOMAIN
1495
domain-needed
1496
domain-needed
1496
expand-hosts
1497
expand-hosts
1497
bogus-priv
1498
bogus-priv
1498
filterwin2k
1499
filterwin2k
1499
server=$DNS1
1500
server=$DNS1
1500
server=$DNS2
1501
server=$DNS2
1501
# DHCP service is configured. It will be enabled in "bypass" mode
1502
# DHCP service is configured. It will be enabled in "bypass" mode
1502
dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1503
dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1503
dhcp-option=option:router,$PRIVATE_IP
1504
dhcp-option=option:router,$PRIVATE_IP
1504
dhcp-option=option:ntp-server,$PRIVATE_IP
1505
dhcp-option=option:ntp-server,$PRIVATE_IP
1505
 
1506
 
1506
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1507
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1507
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1508
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1508
EOF
1509
EOF
1509
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1510
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1510
	cat << EOF > /etc/dnsmasq-blacklist.conf 
1511
	cat << EOF > /etc/dnsmasq-blacklist.conf 
1511
# Configuration file for "dnsmasq with blacklist"
1512
# Configuration file for "dnsmasq with blacklist"
1512
# Add Toulouse blacklist domains
1513
# Add Toulouse blacklist domains
1513
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1514
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1514
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1515
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1515
pid-file=/var/run/dnsmasq-blacklist.pid
1516
pid-file=/var/run/dnsmasq-blacklist.pid
1516
listen-address=$PRIVATE_IP
1517
listen-address=$PRIVATE_IP
1517
port=54
1518
port=54
1518
no-dhcp-interface=$INTIF
1519
no-dhcp-interface=$INTIF
1519
no-dhcp-interface=tun0
1520
no-dhcp-interface=tun0
1520
no-dhcp-interface=lo
1521
no-dhcp-interface=lo
1521
bind-interfaces
1522
bind-interfaces
1522
cache-size=256
1523
cache-size=256
1523
domain=$DOMAIN
1524
domain=$DOMAIN
1524
domain-needed
1525
domain-needed
1525
expand-hosts
1526
expand-hosts
1526
bogus-priv
1527
bogus-priv
1527
filterwin2k
1528
filterwin2k
1528
server=$DNS1
1529
server=$DNS1
1529
server=$DNS2
1530
server=$DNS2
1530
EOF
1531
EOF
1531
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1532
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1532
	cat << EOF > /etc/dnsmasq-whitelist.conf 
1533
	cat << EOF > /etc/dnsmasq-whitelist.conf 
1533
# Configuration file for "dnsmasq with whitelist"
1534
# Configuration file for "dnsmasq with whitelist"
1534
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1535
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1535
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1536
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1536
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1537
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1537
pid-file=/var/run/dnsmasq-whitelist.pid
1538
pid-file=/var/run/dnsmasq-whitelist.pid
1538
listen-address=$PRIVATE_IP
1539
listen-address=$PRIVATE_IP
1539
port=55
1540
port=55
1540
no-dhcp-interface=$INTIF
1541
no-dhcp-interface=$INTIF
1541
no-dhcp-interface=tun0
1542
no-dhcp-interface=tun0
1542
no-dhcp-interface=lo
1543
no-dhcp-interface=lo
1543
bind-interfaces
1544
bind-interfaces
1544
cache-size=256
1545
cache-size=256
1545
domain=$DOMAIN
1546
domain=$DOMAIN
1546
domain-needed
1547
domain-needed
1547
expand-hosts
1548
expand-hosts
1548
bogus-priv
1549
bogus-priv
1549
filterwin2k
1550
filterwin2k
1550
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1551
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1551
ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1552
ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1552
EOF
1553
EOF
1553
# 4th dnsmasq listen on udp 56 ("blackhole")
1554
# 4th dnsmasq listen on udp 56 ("blackhole")
1554
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1555
	cat << EOF > /etc/dnsmasq-blackhole.conf 
1555
# Configuration file for "dnsmasq as a blackhole"
1556
# Configuration file for "dnsmasq as a blackhole"
1556
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1557
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1557
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1558
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1558
pid-file=/var/run/dnsmasq-blackhole.pid
1559
pid-file=/var/run/dnsmasq-blackhole.pid
1559
listen-address=$PRIVATE_IP
1560
listen-address=$PRIVATE_IP
1560
port=56
1561
port=56
1561
no-dhcp-interface=$INTIF
1562
no-dhcp-interface=$INTIF
1562
no-dhcp-interface=tun0
1563
no-dhcp-interface=tun0
1563
no-dhcp-interface=lo
1564
no-dhcp-interface=lo
1564
bind-interfaces
1565
bind-interfaces
1565
cache-size=256
1566
cache-size=256
1566
domain=$DOMAIN
1567
domain=$DOMAIN
1567
domain-needed
1568
domain-needed
1568
expand-hosts
1569
expand-hosts
1569
bogus-priv
1570
bogus-priv
1570
filterwin2k
1571
filterwin2k
1571
EOF
1572
EOF
1572
 
1573
 
1573
# the main instance should start after network and chilli (which create tun0)
1574
# the main instance should start after network and chilli (which create tun0)
1574
	[ -e /lib/systemd/system/dnsmasq.service.old ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.old
1575
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1575
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1576
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1576
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1577
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1577
	for list in blacklist whitelist blackhole
1578
	for list in blacklist whitelist blackhole
1578
	do
1579
	do
1579
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1580
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1580
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1581
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1581
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1582
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1582
	done
1583
	done
1583
} # End dnsmasq
1584
} # End dnsmasq
1584
 
1585
 
1585
##########################################################
1586
##########################################################
1586
##		Fonction "BL"				##
1587
##		Fonction "BL"				##
1587
##########################################################
1588
##########################################################
1588
BL ()
1589
BL ()
1589
{
1590
{
1590
# copy and extract toulouse BL
1591
# copy and extract toulouse BL
1591
	rm -rf $DIR_DG/lists/blacklists
1592
	rm -rf $DIR_DG/lists/blacklists
1592
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1593
	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1593
# creation of the OSSI BL and WL categories (domain name and url)
1594
# creation of the OSSI BL and WL categories (domain name and url)
1594
	mkdir $DIR_DG/lists/blacklists/ossi
1595
	mkdir $DIR_DG/lists/blacklists/ossi
1595
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
1596
	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
1596
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1597
	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1597
	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
1598
	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
1598
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1599
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1599
# creation of file for the rehabilited domains and urls
1600
# creation of file for the rehabilited domains and urls
1600
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1601
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1601
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1602
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1602
	touch $DIR_DG/lists/exceptionsitelist
1603
	touch $DIR_DG/lists/exceptionsitelist
1603
	touch $DIR_DG/lists/exceptionurllist
1604
	touch $DIR_DG/lists/exceptionurllist
1604
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1605
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1605
	cat <<EOF > $DIR_DG/lists/bannedurllist
1606
	cat <<EOF > $DIR_DG/lists/bannedurllist
1606
# Dansguardian filter config for ALCASAR
1607
# Dansguardian filter config for ALCASAR
1607
EOF
1608
EOF
1608
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1609
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1609
# Dansguardian domain filter config for ALCASAR
1610
# Dansguardian domain filter config for ALCASAR
1610
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1611
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1611
#**
1612
#**
1612
# block all SSL and CONNECT tunnels
1613
# block all SSL and CONNECT tunnels
1613
**s
1614
**s
1614
# block all SSL and CONNECT tunnels specified only as an IP
1615
# block all SSL and CONNECT tunnels specified only as an IP
1615
*ips
1616
*ips
1616
# block all sites specified only by an IP
1617
# block all sites specified only by an IP
1617
*ip
1618
*ip
1618
EOF
1619
EOF
1619
# Add Bing and Youtube to the safesearch url regext list (parental control)
1620
# Add Bing and Youtube to the safesearch url regext list (parental control)
1620
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1621
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1621
# Bing - add 'adlt=strict'
1622
# Bing - add 'adlt=strict'
1622
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1623
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1623
# Youtube - add 'edufilter=your_ID' 
1624
# Youtube - add 'edufilter=your_ID' 
1624
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
1625
#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&edufilter=ABCD1234567890abcdef"
1625
EOF
1626
EOF
1626
# change the the google safesearch ("safe=strict" instead of "safe=vss")
1627
# change the the google safesearch ("safe=strict" instead of "safe=vss")
1627
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1628
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1628
# adapt the BL to ALCASAR architecture. Enable the default categories
1629
# adapt the BL to ALCASAR architecture. Enable the default categories
1629
	if [ "$mode" != "update" ]; then
1630
	if [ "$mode" != "update" ]; then
1630
		$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1631
		$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1631
		$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1632
		$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1632
	fi
1633
	fi
1633
}
1634
}
1634
 
1635
 
1635
##########################################################
1636
##########################################################
1636
##		Fonction "cron"				##
1637
##		Fonction "cron"				##
1637
## - Mise en place des différents fichiers de cron	##
1638
## - Mise en place des différents fichiers de cron	##
1638
##########################################################
1639
##########################################################
1639
cron ()
1640
cron ()
1640
{
1641
{
1641
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1642
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1642
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1643
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1643
	cat <<EOF > /etc/crontab
1644
	cat <<EOF > /etc/crontab
1644
SHELL=/bin/bash
1645
SHELL=/bin/bash
1645
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1646
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1646
MAILTO=root
1647
MAILTO=root
1647
HOME=/
1648
HOME=/
1648
 
1649
 
1649
# run-parts
1650
# run-parts
1650
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1651
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1651
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1652
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1652
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1653
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1653
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1654
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1654
EOF
1655
EOF
1655
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1656
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1656
	cat <<EOF >> /etc/anacrontab
1657
	cat <<EOF >> /etc/anacrontab
1657
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1658
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1658
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1659
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1659
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1660
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1660
EOF
1661
EOF
1661
 
1662
 
1662
	cat <<EOF > /etc/cron.d/alcasar-mysql
1663
	cat <<EOF > /etc/cron.d/alcasar-mysql
1663
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1664
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1664
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
1665
45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
1665
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1666
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1666
40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1667
40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1667
EOF
1668
EOF
1668
	cat <<EOF > /etc/cron.d/alcasar-archive
1669
	cat <<EOF > /etc/cron.d/alcasar-archive
1669
# Archive des logs et de la base de données (tous les lundi à 5h35)
1670
# Archive des logs et de la base de données (tous les lundi à 5h35)
1670
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1671
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1671
EOF
1672
EOF
1672
	cat << EOF > /etc/cron.d/alcasar-clean_import
1673
	cat << EOF > /etc/cron.d/alcasar-clean_import
1673
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
1674
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
1674
30 * * * *  root $DIR_DEST_BIN/alcasar-import-clean.sh
1675
30 * * * *  root $DIR_DEST_BIN/alcasar-import-clean.sh
1675
EOF
1676
EOF
1676
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1677
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1677
# mise à jour automatique de la distribution tous les jours 3h30
1678
# mise à jour automatique de la distribution tous les jours 3h30
1678
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1679
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1679
EOF
1680
EOF
1680
	#cat << EOF > /etc/cron.d/alcasar-netflow
1681
	#cat << EOF > /etc/cron.d/alcasar-netflow
1681
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1682
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1682
#15 0 * * 1  root $DIR_DEST_BIN/alcasar-netflow.sh
1683
#15 0 * * 1  root $DIR_DEST_BIN/alcasar-netflow.sh
1683
#EOF
1684
#EOF
1684
 
1685
 
1685
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1686
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
1686
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
1687
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
1687
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
1688
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') 
1688
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
1689
# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
1689
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
1690
# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
1690
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
1691
# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
1691
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
1692
	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
1692
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
1693
	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
1693
	rm -f /etc/cron.daily/freeradius-web
1694
	rm -f /etc/cron.daily/freeradius-web
1694
	rm -f /etc/cron.monthly/freeradius-web
1695
	rm -f /etc/cron.monthly/freeradius-web
1695
	cat << EOF > /etc/cron.d/freeradius-web
1696
	cat << EOF > /etc/cron.d/freeradius-web
1696
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
1697
1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
1697
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
1698
5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
1698
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
1699
10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
1699
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
1700
15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
1700
EOF
1701
EOF
1701
	cat << EOF > /etc/cron.d/alcasar-watchdog
1702
	cat << EOF > /etc/cron.d/alcasar-watchdog
1702
# activation du "chien de garde" (watchdog) toutes les 3'
1703
# activation du "chien de garde" (watchdog) toutes les 3'
1703
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1704
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1704
EOF
1705
EOF
1705
# activation du "chien de garde des services" (watchdog) toutes les 18'
1706
# activation du "chien de garde des services" (watchdog) toutes les 18'
1706
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1707
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1707
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1708
# activation du "chien de garde" (daemon-watchdog) toutes les 18'
1708
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1709
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1709
EOF
1710
EOF
1710
# suppression des crons usagers
1711
# suppression des crons usagers
1711
	rm -f /var/spool/cron/*
1712
	rm -f /var/spool/cron/*
1712
} # End cron
1713
} # End cron
1713
 
1714
 
1714
##################################################################
1715
##################################################################
1715
## 			Fonction "Fail2Ban"			##
1716
## 			Fonction "Fail2Ban"			##
1716
##- Modification de la configuration de fail2ban		##
1717
##- Modification de la configuration de fail2ban		##
1717
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1718
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1718
##################################################################
1719
##################################################################
1719
fail2ban()
1720
fail2ban()
1720
{
1721
{
1721
	$DIR_CONF/fail2ban.sh
1722
	$DIR_CONF/fail2ban.sh
1722
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1723
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1723
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1724
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1724
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1725
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1725
	chmod 644 /var/log/fail2ban.log
1726
	chmod 644 /var/log/fail2ban.log
1726
	chmod 644 /var/Save/security/watchdog.log
1727
	chmod 644 /var/Save/security/watchdog.log
1727
	/usr/bin/touch /var/log/auth.log
1728
	/usr/bin/touch /var/log/auth.log
1728
# fail2ban unit
1729
# fail2ban unit
1729
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1730
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1730
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1731
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1731
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1732
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1732
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1733
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1733
} #Fin de fail2ban_install()
1734
} #Fin de fail2ban_install()
1734
 
1735
 
1735
##################################################################
1736
##################################################################
1736
## 			Fonction "gammu_smsd"			##
1737
## 			Fonction "gammu_smsd"			##
1737
## - Creation de la base de donnée Gammu			##
1738
## - Creation de la base de donnée Gammu			##
1738
## - Creation du fichier de config: gammu_smsd_conf		##
1739
## - Creation du fichier de config: gammu_smsd_conf		##
1739
##								##
1740
##								##
1740
##################################################################
1741
##################################################################
1741
gammu_smsd()
1742
gammu_smsd()
1742
{
1743
{
1743
# Create 'gammu' databse
1744
# Create 'gammu' databse
1744
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1745
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1745
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1746
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1746
# Add a gammu database structure
1747
# Add a gammu database structure
1747
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
1748
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
1748
 
1749
 
1749
# config file for the daemon
1750
# config file for the daemon
1750
cat << EOF > /etc/gammu_smsd_conf
1751
cat << EOF > /etc/gammu_smsd_conf
1751
[gammu]
1752
[gammu]
1752
port = /dev/ttyUSB0
1753
port = /dev/ttyUSB0
1753
connection = at115200
1754
connection = at115200
1754
 
1755
 
1755
;########################################################
1756
;########################################################
1756
 
1757
 
1757
[smsd]
1758
[smsd]
1758
 
1759
 
1759
PIN = 1234
1760
PIN = 1234
1760
 
1761
 
1761
logfile = /var/log/gammu-smsd/gammu-smsd.log
1762
logfile = /var/log/gammu-smsd/gammu-smsd.log
1762
logformat = textall
1763
logformat = textall
1763
debuglevel = 0
1764
debuglevel = 0
1764
 
1765
 
1765
service = sql
1766
service = sql
1766
driver = native_mysql
1767
driver = native_mysql
1767
user = $DB_USER
1768
user = $DB_USER
1768
password = $radiuspwd
1769
password = $radiuspwd
1769
pc = localhost
1770
pc = localhost
1770
database = $DB_GAMMU
1771
database = $DB_GAMMU
1771
 
1772
 
1772
RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
1773
RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
1773
 
1774
 
1774
StatusFrequency = 30
1775
StatusFrequency = 30
1775
;LoopSleep = 2
1776
;LoopSleep = 2
1776
 
1777
 
1777
;ResetFrequency = 300
1778
;ResetFrequency = 300
1778
;HardResetFrequency = 120
1779
;HardResetFrequency = 120
1779
 
1780
 
1780
CheckSecurity = 1 
1781
CheckSecurity = 1 
1781
CheckSignal = 1
1782
CheckSignal = 1
1782
CheckBattery = 0
1783
CheckBattery = 0
1783
EOF
1784
EOF
1784
 
1785
 
1785
chmod 755 /etc/gammu_smsd_conf
1786
chmod 755 /etc/gammu_smsd_conf
1786
 
1787
 
1787
#Creation dossier de log Gammu-smsd
1788
#Creation dossier de log Gammu-smsd
1788
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1789
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1789
chmod 755 /var/log/gammu-smsd
1790
chmod 755 /var/log/gammu-smsd
1790
 
1791
 
1791
#Edition du script sql gammu <-> radius
1792
#Edition du script sql gammu <-> radius
1792
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1793
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1793
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1794
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1794
 
1795
 
1795
#Création de la règle udev pour les Huawei // idVendor: 12d1
1796
#Création de la règle udev pour les Huawei // idVendor: 12d1
1796
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1797
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1797
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
1798
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
1798
EOF
1799
EOF
1799
 
1800
 
1800
} # END gammu_smsd()
1801
} # END gammu_smsd()
1801
 
1802
 
1802
##################################################################
1803
##################################################################
1803
##			Fonction "post_install"			##
1804
##			Fonction "post_install"			##
1804
## - Modification des bannières (locales et ssh) et des prompts ##
1805
## - Modification des bannières (locales et ssh) et des prompts ##
1805
## - Installation de la structure de chiffrement pour root	##
1806
## - Installation de la structure de chiffrement pour root	##
1806
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1807
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1807
## - Mise en place du la rotation des logs			##
1808
## - Mise en place du la rotation des logs			##
1808
## - Configuration dans le cas d'une mise à jour		##
1809
## - Configuration dans le cas d'une mise à jour		##
1809
##################################################################
1810
##################################################################
1810
post_install()
1811
post_install()
1811
{
1812
{
1812
# création de la bannière locale
1813
# création de la bannière locale
1813
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1814
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1814
	cp -f $DIR_CONF/banner /etc/mageia-release
1815
	cp -f $DIR_CONF/banner /etc/mageia-release
1815
	echo " V$VERSION" >> /etc/mageia-release
1816
	echo " V$VERSION" >> /etc/mageia-release
1816
# création de la bannière SSH
1817
# création de la bannière SSH
1817
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1818
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1818
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1819
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1819
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1820
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1820
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1821
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1821
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1822
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1822
# postfix banner anonymisation
1823
# postfix banner anonymisation
1823
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1824
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1824
# sshd écoute côté LAN et WAN
1825
# sshd écoute côté LAN et WAN
1825
	$SED "s?^#ListenAddress.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1826
	$SED "s?^#ListenAddress.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1826
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
1827
	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
1827
	echo "SSH=off" >> $CONF_FILE
1828
	echo "SSH=off" >> $CONF_FILE
1828
	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
1829
	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
1829
	echo "QOS=off" >> $CONF_FILE
1830
	echo "QOS=off" >> $CONF_FILE
1830
	echo "LDAP=off" >> $CONF_FILE
1831
	echo "LDAP=off" >> $CONF_FILE
1831
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1832
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1832
	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1833
	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1833
	echo "MULTIWAN=off" >> $CONF_FILE
1834
	echo "MULTIWAN=off" >> $CONF_FILE
1834
	echo "FAILOVER=30" >> $CONF_FILE
1835
	echo "FAILOVER=30" >> $CONF_FILE
1835
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1836
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1836
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1837
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1837
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1838
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1838
# Coloration des prompts
1839
# Coloration des prompts
1839
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1840
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1840
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1841
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1841
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1842
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1842
# Droits d'exécution pour utilisateur apache et sysadmin
1843
# Droits d'exécution pour utilisateur apache et sysadmin
1843
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1844
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1844
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1845
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1845
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1846
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1846
# Modify some logrotate files (gammu, ulogd)
1847
# Modify some logrotate files (gammu, ulogd)
1847
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1848
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1848
	chmod 644 /etc/logrotate.d/*
1849
	chmod 644 /etc/logrotate.d/*
1849
# rectification sur versions précédentes de la compression des logs
1850
# rectification sur versions précédentes de la compression des logs
1850
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1851
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1851
# actualisation des fichiers logs compressés
1852
# actualisation des fichiers logs compressés
1852
	for dir in firewall dansguardian httpd
1853
	for dir in firewall dansguardian httpd
1853
	do
1854
	do
1854
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1855
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1855
	done
1856
	done
1856
# create the alcasar-load_balancing unit
1857
# create the alcasar-load_balancing unit
1857
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1858
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1858
#  This file is part of systemd.
1859
#  This file is part of systemd.
1859
#
1860
#
1860
#  systemd is free software; you can redistribute it and/or modify it
1861
#  systemd is free software; you can redistribute it and/or modify it
1861
#  under the terms of the GNU General Public License as published by
1862
#  under the terms of the GNU General Public License as published by
1862
#  the Free Software Foundation; either version 2 of the License, or
1863
#  the Free Software Foundation; either version 2 of the License, or
1863
#  (at your option) any later version.
1864
#  (at your option) any later version.
1864
 
1865
 
1865
# This unit lauches alcasar-load-balancing.sh script.
1866
# This unit lauches alcasar-load-balancing.sh script.
1866
[Unit]
1867
[Unit]
1867
Description=alcasar-load_balancing.sh execution
1868
Description=alcasar-load_balancing.sh execution
1868
After=network.target iptables.service
1869
After=network.target iptables.service
1869
 
1870
 
1870
[Service]
1871
[Service]
1871
Type=oneshot
1872
Type=oneshot
1872
RemainAfterExit=yes
1873
RemainAfterExit=yes
1873
ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
1874
ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
1874
ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
1875
ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
1875
TimeoutSec=0
1876
TimeoutSec=0
1876
SysVStartPriority=99
1877
SysVStartPriority=99
1877
 
1878
 
1878
[Install]
1879
[Install]
1879
WantedBy=multi-user.target
1880
WantedBy=multi-user.target
1880
EOF
1881
EOF
1881
# processes launched at boot time (Systemctl)
1882
# processes launched at boot time (Systemctl)
1882
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1883
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1883
	do
1884
	do
1884
		systemctl -q enable $i.service
1885
		systemctl -q enable $i.service
1885
	done
1886
	done
1886
	
1887
	
1887
# disable processes at boot time (Systemctl)
1888
# disable processes at boot time (Systemctl)
1888
	for i in ulogd
1889
	for i in ulogd
1889
	do
1890
	do
1890
		systemctl -q disable $i.service
1891
		systemctl -q disable $i.service
1891
	done
1892
	done
1892
	
1893
	
1893
# Apply French Security Agency (ANSSI) rules
1894
# Apply French Security Agency (ANSSI) rules
1894
# ignore ICMP broadcast (smurf attack)
1895
# ignore ICMP broadcast (smurf attack)
1895
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1896
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1896
# ignore ICMP errors bogus
1897
# ignore ICMP errors bogus
1897
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1898
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1898
# remove ICMP redirects responces
1899
# remove ICMP redirects responces
1899
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1900
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1900
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1901
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1901
# enable SYN Cookies (Syn flood attacks)
1902
# enable SYN Cookies (Syn flood attacks)
1902
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1903
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1903
# enable kernel antispoofing
1904
# enable kernel antispoofing
1904
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1905
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1905
# ignore source routing
1906
# ignore source routing
1906
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1907
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1907
# set conntrack timer to 1h (3600s) instead of 5 weeks
1908
# set conntrack timer to 1h (3600s) instead of 5 weeks
1908
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1909
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1909
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1910
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1910
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1911
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1911
# remove Magic SysReq Keys
1912
# remove Magic SysReq Keys
1912
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1913
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1913
# switch to multi-users runlevel (instead of x11)
1914
# switch to multi-users runlevel (instead of x11)
1914
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1915
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1915
#	GRUB modifications
1916
#	GRUB modifications
1916
# limit wait time to 3s
1917
# limit wait time to 3s
1917
# create an alcasar entry instead of linux-nonfb
1918
# create an alcasar entry instead of linux-nonfb
1918
# change display to 1024*768 (vga791)
1919
# change display to 1024*768 (vga791)
1919
	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1920
	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1920
	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1921
	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1921
	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1922
	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1922
	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
1923
	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
1923
	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1924
	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1924
	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1925
	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1925
# Remove unused services and users
1926
# Remove unused services and users
1926
	for svc in sshd
1927
	for svc in sshd
1927
	do
1928
	do
1928
		/bin/systemctl -q disable $svc.service
1929
		/bin/systemctl -q disable $svc.service
1929
	done
1930
	done
1930
# Load and apply the previous conf file
1931
# Load and apply the previous conf file
1931
	if [ "$mode" = "update" ]
1932
	if [ "$mode" = "update" ]
1932
	then
1933
	then
1933
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1934
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1934
		$DIR_DEST_BIN/alcasar-conf.sh --load
1935
		$DIR_DEST_BIN/alcasar-conf.sh --load
1935
		PARENT_SCRIPT=`basename $0`
1936
		PARENT_SCRIPT=`basename $0`
1936
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
1937
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
1937
		$DIR_DEST_BIN/alcasar-conf.sh --apply
1938
		$DIR_DEST_BIN/alcasar-conf.sh --apply
1938
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1939
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
1939
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1940
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1940
		if [ $MAJ_PREVIOUS_VERSION -lt 2 ] || ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
1941
		if [ $MAJ_PREVIOUS_VERSION -lt 2 ] || ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
1941
		# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
1942
		# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
1942
		then
1943
		then
1943
			header_install
1944
			header_install
1944
			if [ $Lang == "fr" ]
1945
			if [ $Lang == "fr" ]
1945
			then 
1946
			then 
1946
				echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
1947
				echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
1947
				echo
1948
				echo
1948
				echo -n "Nom : "
1949
				echo -n "Nom : "
1949
			else
1950
			else
1950
				echo "This update need to redefine the first admin account"
1951
				echo "This update need to redefine the first admin account"
1951
				echo
1952
				echo
1952
				echo -n "Account : "
1953
				echo -n "Account : "
1953
			fi
1954
			fi
1954
			read admin_portal
1955
			read admin_portal
1955
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
1956
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
1956
			mkdir -p $DIR_DEST_ETC/digest
1957
			mkdir -p $DIR_DEST_ETC/digest
1957
			chmod 755 $DIR_DEST_ETC/digest
1958
			chmod 755 $DIR_DEST_ETC/digest
1958
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
1959
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
1959
			do
1960
			do
1960
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1961
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1961
			done
1962
			done
1962
			$DIR_DEST_SBIN/alcasar-profil.sh --list
1963
			$DIR_DEST_SBIN/alcasar-profil.sh --list
1963
		fi
1964
		fi
1964
	fi
1965
	fi
1965
	rm -f /tmp/alcasar-conf*
1966
	rm -f /tmp/alcasar-conf*
1966
	chown -R root:apache $DIR_DEST_ETC/*
1967
	chown -R root:apache $DIR_DEST_ETC/*
1967
	chmod -R 660 $DIR_DEST_ETC/*
1968
	chmod -R 660 $DIR_DEST_ETC/*
1968
	chmod ug+x $DIR_DEST_ETC/digest
1969
	chmod ug+x $DIR_DEST_ETC/digest
1969
# Apply and save the firewall rules
1970
# Apply and save the firewall rules
1970
 	sh $DIR_DEST_BIN/alcasar-iptables.sh
1971
 	sh $DIR_DEST_BIN/alcasar-iptables.sh
1971
	sleep 2
1972
	sleep 2
1972
	cd $DIR_INSTALL
1973
	cd $DIR_INSTALL
1973
	echo ""
1974
	echo ""
1974
	echo "#############################################################################"
1975
	echo "#############################################################################"
1975
	if [ $Lang == "fr" ]
1976
	if [ $Lang == "fr" ]
1976
		then
1977
		then
1977
		echo "#                        Fin d'installation d'ALCASAR                       #"
1978
		echo "#                        Fin d'installation d'ALCASAR                       #"
1978
		echo "#                                                                           #"
1979
		echo "#                                                                           #"
1979
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1980
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1980
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1981
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1981
		echo "#                                                                           #"
1982
		echo "#                                                                           #"
1982
		echo "#############################################################################"
1983
		echo "#############################################################################"
1983
		echo
1984
		echo
1984
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1985
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
1985
		echo
1986
		echo
1986
		echo "- Lisez attentivement la documentation d'exploitation"
1987
		echo "- Lisez attentivement la documentation d'exploitation"
1987
		echo
1988
		echo
1988
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
1989
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
1989
		echo
1990
		echo
1990
		echo "                   Appuyez sur 'Entrée' pour continuer"
1991
		echo "                   Appuyez sur 'Entrée' pour continuer"
1991
	else	
1992
	else	
1992
		echo "#                        Enf of ALCASAR install process                     #"
1993
		echo "#                        Enf of ALCASAR install process                     #"
1993
		echo "#                                                                           #"
1994
		echo "#                                                                           #"
1994
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1995
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
1995
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1996
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
1996
		echo "#                                                                           #"
1997
		echo "#                                                                           #"
1997
		echo "#############################################################################"
1998
		echo "#############################################################################"
1998
		echo
1999
		echo
1999
		echo "- The system will be rebooted in order to operate ALCASAR"
2000
		echo "- The system will be rebooted in order to operate ALCASAR"
2000
		echo
2001
		echo
2001
		echo "- Read the exploitation documentation"
2002
		echo "- Read the exploitation documentation"
2002
		echo
2003
		echo
2003
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2004
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2004
		echo
2005
		echo
2005
		echo "                   Hit 'Enter' to continue"
2006
		echo "                   Hit 'Enter' to continue"
2006
	fi
2007
	fi
2007
	sleep 2
2008
	sleep 2
2008
	if [ "$mode" != "update" ]
2009
	if [ "$mode" != "update" ]
2009
	then
2010
	then
2010
		read a
2011
		read a
2011
	fi
2012
	fi
2012
	clear
2013
	clear
2013
	reboot
2014
	reboot
2014
} # End post_install ()
2015
} # End post_install ()
2015
 
2016
 
2016
#################################
2017
#################################
2017
#  	Main Install loop  	#
2018
#  	Main Install loop  	#
2018
#################################
2019
#################################
2019
dir_exec=`dirname "$0"`
2020
dir_exec=`dirname "$0"`
2020
if [ $dir_exec != "." ]
2021
if [ $dir_exec != "." ]
2021
then
2022
then
2022
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2023
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2023
	echo "Launch this program from the ALCASAR archive directory"
2024
	echo "Launch this program from the ALCASAR archive directory"
2024
	exit 0
2025
	exit 0
2025
fi
2026
fi
2026
VERSION=`cat $DIR_INSTALL/VERSION`
2027
VERSION=`cat $DIR_INSTALL/VERSION`
2027
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2028
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2028
nb_args=$#
2029
nb_args=$#
2029
args=$1
2030
args=$1
2030
if [ $nb_args -eq 0 ]
2031
if [ $nb_args -eq 0 ]
2031
then
2032
then
2032
	nb_args=1
2033
	nb_args=1
2033
	args="-h"
2034
	args="-h"
2034
fi
2035
fi
2035
chmod -R u+x $DIR_SCRIPTS/*
2036
chmod -R u+x $DIR_SCRIPTS/*
2036
case $args in
2037
case $args in
2037
	-\? | -h* | --h*)
2038
	-\? | -h* | --h*)
2038
		echo "$usage"
2039
		echo "$usage"
2039
		exit 0
2040
		exit 0
2040
		;;
2041
		;;
2041
	-i | --install)
2042
	-i | --install)
2042
		header_install
2043
		header_install
2043
		license
2044
		license
2044
		header_install
2045
		header_install
2045
		testing
2046
		testing
2046
# RPMs install
2047
# RPMs install
2047
		$DIR_SCRIPTS/alcasar-urpmi.sh
2048
		$DIR_SCRIPTS/alcasar-urpmi.sh
2048
		if [ "$?" != "0" ]
2049
		if [ "$?" != "0" ]
2049
		then
2050
		then
2050
			exit 0
2051
			exit 0
2051
		fi
2052
		fi
2052
		if [ -e $CONF_FILE ]
2053
		if [ -e $CONF_FILE ]
2053
		then
2054
		then
2054
# Uninstall the running version
2055
# Uninstall the running version
2055
			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2056
			$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2056
		fi
2057
		fi
2057
# Test if manual update	
2058
# Test if manual update	
2058
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2059
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2059
		then
2060
		then
2060
			header_install
2061
			header_install
2061
			if [ $Lang == "fr" ]
2062
			if [ $Lang == "fr" ]
2062
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2063
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2063
				else echo "The configuration file of an old version has been found";
2064
				else echo "The configuration file of an old version has been found";
2064
			fi
2065
			fi
2065
			response=0
2066
			response=0
2066
			PTN='^[oOnNyY]$'
2067
			PTN='^[oOnNyY]$'
2067
			until [[ $(expr $response : $PTN) -gt 0 ]]
2068
			until [[ $(expr $response : $PTN) -gt 0 ]]
2068
			do
2069
			do
2069
				if [ $Lang == "fr" ]
2070
				if [ $Lang == "fr" ]
2070
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2071
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2071
					else echo -n "Do you want to use it (Y/n)?";
2072
					else echo -n "Do you want to use it (Y/n)?";
2072
				 fi
2073
				 fi
2073
				read response
2074
				read response
2074
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2075
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2075
				then rm -f /tmp/alcasar-conf*
2076
				then rm -f /tmp/alcasar-conf*
2076
				fi
2077
				fi
2077
			done
2078
			done
2078
		fi
2079
		fi
2079
# Test if update
2080
# Test if update
2080
		if [ -e /tmp/alcasar-conf* ] 
2081
		if [ -e /tmp/alcasar-conf* ] 
2081
		then
2082
		then
2082
			if [ $Lang == "fr" ]
2083
			if [ $Lang == "fr" ]
2083
				then echo "#### Installation avec mise à jour ####";
2084
				then echo "#### Installation avec mise à jour ####";
2084
				else echo "#### Installation with update     ####";
2085
				else echo "#### Installation with update     ####";
2085
			fi
2086
			fi
2086
# Extract the central configuration file
2087
# Extract the central configuration file
2087
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2088
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2088
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2089
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2089
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2090
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2090
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2091
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2091
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2092
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2092
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2093
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2093
			mode="update"
2094
			mode="update"
2094
		fi
2095
		fi
2095
		for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2096
		for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2096
		do
2097
		do
2097
			$func
2098
			$func
2098
# echo "*** 'debug' : end of function $func ***"; read a
2099
# echo "*** 'debug' : end of function $func ***"; read a
2099
		done
2100
		done
2100
		;;
2101
		;;
2101
	-u | --uninstall)
2102
	-u | --uninstall)
2102
		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
2103
		if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
2103
		then
2104
		then
2104
			if [ $Lang == "fr" ]
2105
			if [ $Lang == "fr" ]
2105
				then echo "ALCASAR n'est pas installé!";
2106
				then echo "ALCASAR n'est pas installé!";
2106
				else echo "ALCASAR isn't installed!";
2107
				else echo "ALCASAR isn't installed!";
2107
			fi
2108
			fi
2108
			exit 0
2109
			exit 0
2109
		fi
2110
		fi
2110
		response=0
2111
		response=0
2111
		PTN='^[oOnN]$'
2112
		PTN='^[oOnN]$'
2112
		until [[ $(expr $response : $PTN) -gt 0 ]]
2113
		until [[ $(expr $response : $PTN) -gt 0 ]]
2113
		do
2114
		do
2114
			if [ $Lang == "fr" ]
2115
			if [ $Lang == "fr" ]
2115
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2116
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2116
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2117
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2117
			fi
2118
			fi
2118
			read response
2119
			read response
2119
		done
2120
		done
2120
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2121
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2121
		then
2122
		then
2122
			$DIR_SCRIPTS/alcasar-conf.sh --create
2123
			$DIR_SCRIPTS/alcasar-conf.sh --create
2123
		else	
2124
		else	
2124
			rm -f /tmp/alcasar-conf*
2125
			rm -f /tmp/alcasar-conf*
2125
		fi
2126
		fi
2126
# Uninstall the running version
2127
# Uninstall the running version
2127
		$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2128
		$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
2128
		;;
2129
		;;
2129
	*)
2130
	*)
2130
		echo "Argument inconnu :$1";
2131
		echo "Argument inconnu :$1";
2131
		echo "Unknown argument :$1";
2132
		echo "Unknown argument :$1";
2132
		echo "$usage"
2133
		echo "$usage"
2133
		exit 1
2134
		exit 1
2134
		;;
2135
		;;
2135
esac
2136
esac
2136
# end of script
2137
# end of script
2137
 
2138
 
2138
 
2139