WebSVN – ALCASAR – Diff – /alcasar.sh



#!/bin/bash
#  $Id: alcasar.sh 1574 2015-03-01 23:17:07Z richard $ 
 
# alcasar.sh
 
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
# Ce programme est un logiciel libre ; This software is free and open source

{
	rm -rf /var/lib/mysql # to be sure that there is no former installation
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
	/usr/bin/systemctl start mysqld.service
	sleep 4
	mysqladmin -u root password $mysqlpwd
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
# Secure the server
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"

	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
# modify the start script in order to close accounting connexion when the system is comming down or up
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
	/usr/bin/systemctl daemon-reload
} # End of init_db ()
 
##########################################################################
##			Fonction "radius"				##
## - Paramètrage des fichiers de configuration FreeRadius		##

	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
	chown -R radius:radius /etc/raddb/sql/mysql/*
# make certain that mysql is up before radius start
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
	/usr/bin/systemctl daemon-reload
} # End radius ()
 
##########################################################################
##			Function "radius_web"				##
## - Import, modification et paramètrage de l'interface "dialupadmin"	##

WantedBy=multi-user.target
EOF
# Add the listen port to collect netflow packet (nfcapd)
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
# expire delay for the profile "live"
	/usr/bin/systemctl start nfsen
	/bin/nfsen -m live -e 62d 2>/dev/null
# add SURFmap plugin
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/

WantedBy=multi-user.target
EOF
# processes launched at boot time (Systemctl)
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
	do
		/usr/bin/systemctl -q enable $i.service
	done
	
# disable processes at boot time (Systemctl)
	for i in ulogd
	do
		/usr/bin/systemctl -q disable $i.service
	done
	
# Apply French Security Agency (ANSSI) rules
# ignore ICMP broadcast (smurf attack)
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf

	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
	$SED "/^gfxmenu/d" /boot/grub/menu.lst
# Remove unused services and users
	for svc in sshd
	do
		/usr/bin/systemctl -q disable $svc.service
	done
# Load and apply the previous conf file
	if [ "$mode" = "update" ]
	then
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs

Rev 1570	Rev 1574
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar.sh 1570 2015-02-13 22:42:09Z richard $`	2	`# $Id: alcasar.sh 1574 2015-03-01 23:17:07Z richard $`
3		3
4	`# alcasar.sh`	4	`# alcasar.sh`
5		5
6	`# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]`	6	`# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]`
7	`# Ce programme est un logiciel libre ; This software is free and open source`	7	`# Ce programme est un logiciel libre ; This software is free and open source`
Line 885...	Line 885...
885	`{`	885	`{`
886	`rm -rf /var/lib/mysql # to be sure that there is no former installation`	886	`rm -rf /var/lib/mysql # to be sure that there is no former installation`
887	`[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default`	887	`[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default`
888	`$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf`	888	`$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf`
889	`$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf`	889	`$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf`
890	`systemctl start mysqld.service`	890	`/usr/bin/systemctl start mysqld.service`
891	`sleep 4`	891	`sleep 4`
892	`mysqladmin -u root password $mysqlpwd`	892	`mysqladmin -u root password $mysqlpwd`
893	`MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"`	893	`MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"`
894	`# Secure the server`	894	`# Secure the server`
895	`$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"`	895	`$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"`
Line 900...	Line 900...
900	`mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql`	900	`mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql`
901	`# modify the start script in order to close accounting connexion when the system is comming down or up`	901	`# modify the start script in order to close accounting connexion when the system is comming down or up`
902	`[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default`	902	`[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default`
903	`$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service`	903	`$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service`
904	`$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service`	904	`$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service`
905	`systemctl daemon-reload`	905	`/usr/bin/systemctl daemon-reload`
906	`} # End of init_db ()`	906	`} # End of init_db ()`
907		907
908	`##########################################################################`	908	`##########################################################################`
909	`## Fonction "radius" ##`	909	`## Fonction "radius" ##`
910	`## - Paramètrage des fichiers de configuration FreeRadius ##`	910	`## - Paramètrage des fichiers de configuration FreeRadius ##`
Line 969...	Line 969...
969	`cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf`	969	`cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf`
970	`chown -R radius:radius /etc/raddb/sql/mysql/*`	970	`chown -R radius:radius /etc/raddb/sql/mysql/*`
971	`# make certain that mysql is up before radius start`	971	`# make certain that mysql is up before radius start`
972	`[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default`	972	`[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default`
973	`$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service`	973	`$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service`
974	`systemctl daemon-reload`	974	`/usr/bin/systemctl daemon-reload`
975	`} # End radius ()`	975	`} # End radius ()`
976		976
977	`##########################################################################`	977	`##########################################################################`
978	`## Function "radius_web" ##`	978	`## Function "radius_web" ##`
979	`## - Import, modification et paramètrage de l'interface "dialupadmin" ##`	979	`## - Import, modification et paramètrage de l'interface "dialupadmin" ##`
Line 1446...	Line 1446...
1446	`WantedBy=multi-user.target`	1446	`WantedBy=multi-user.target`
1447	`EOF`	1447	`EOF`
1448	`# Add the listen port to collect netflow packet (nfcapd)`	1448	`# Add the listen port to collect netflow packet (nfcapd)`
1449	`$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm`	1449	`$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm`
1450	`# expire delay for the profile "live"`	1450	`# expire delay for the profile "live"`
1451	`systemctl start nfsen`	1451	`/usr/bin/systemctl start nfsen`
1452	`/bin/nfsen -m live -e 62d 2>/dev/null`	1452	`/bin/nfsen -m live -e 62d 2>/dev/null`
1453	`# add SURFmap plugin`	1453	`# add SURFmap plugin`
1454	`cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/`	1454	`cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/`
1455	`cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/`	1455	`cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/`
1456	`tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/`	1456	`tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/`
Line 1885...	Line 1885...
1885	`WantedBy=multi-user.target`	1885	`WantedBy=multi-user.target`
1886	`EOF`	1886	`EOF`
1887	`# processes launched at boot time (Systemctl)`	1887	`# processes launched at boot time (Systemctl)`
1888	`for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat`	1888	`for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat`
1889	`do`	1889	`do`
1890	`systemctl -q enable $i.service`	1890	`/usr/bin/systemctl -q enable $i.service`
1891	`done`	1891	`done`
1892		1892
1893	`# disable processes at boot time (Systemctl)`	1893	`# disable processes at boot time (Systemctl)`
1894	`for i in ulogd`	1894	`for i in ulogd`
1895	`do`	1895	`do`
1896	`systemctl -q disable $i.service`	1896	`/usr/bin/systemctl -q disable $i.service`
1897	`done`	1897	`done`
1898		1898
1899	`# Apply French Security Agency (ANSSI) rules`	1899	`# Apply French Security Agency (ANSSI) rules`
1900	`# ignore ICMP broadcast (smurf attack)`	1900	`# ignore ICMP broadcast (smurf attack)`
1901	`echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf`	1901	`echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf`
Line 1929...	Line 1929...
1929	`$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst`	1929	`$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst`
1930	`$SED "/^gfxmenu/d" /boot/grub/menu.lst`	1930	`$SED "/^gfxmenu/d" /boot/grub/menu.lst`
1931	`# Remove unused services and users`	1931	`# Remove unused services and users`
1932	`for svc in sshd`	1932	`for svc in sshd`
1933	`do`	1933	`do`
1934	`/bin/systemctl -q disable $svc.service`	1934	`/usr/bin/systemctl -q disable $svc.service`
1935	`done`	1935	`done`
1936	`# Load and apply the previous conf file`	1936	`# Load and apply the previous conf file`
1937	`if [ "$mode" = "update" ]`	1937	`if [ "$mode" = "update" ]`
1938	`then`	1938	`then`
1939	`$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs`	1939	`$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs`

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1570 → 1574