
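--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2482 2018-01-17 09:10:56Z lucas.echard $
+#  $Id: alcasar.sh 2488 2018-02-25 14:53:54Z lucas.echard $
 
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
@@ -16,11 +16,11 @@
 # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
 # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
 # Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
-# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
+# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 
 # Options :
 #       -i or --install
 #       -u or --uninstall
 
@@ -58,11 +58,11 @@
 DIR_INSTALL=`pwd`				# current directory
 DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
 DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
 DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
 DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
-DIR_WEB="/var/www/html"				# directory of APACHE
+DIR_WEB="/var/www/html"				# directory of Lighttpd
 DIR_DG="/etc/dansguardian"			# directory of DansGuardian
 DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
 DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
 DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
 DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
@@ -712,11 +712,11 @@
 } # End of network ()
 
 ##################################################################
 ##			Function "ACC"				##
 ## - installation of then ALCASAR Control Center (ACC)	)	##
-## - configuration of the web server (Apache)			##
+## - configuration of the web server (Lighttpd)			##
 ## - creation of the first ACC admin account 			##
 ## - secure the access						##
 ##################################################################
 ACC ()
 {
@@ -762,235 +762,71 @@
 	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
 	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
 	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
 	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
 	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
-# Configuring & sécuring Apache
+# Configuring & securing Lighttpd
 	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
-	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
-	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
-	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
-	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
-	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
-	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
-	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
-	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
-	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
-	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
-	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
-	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
-	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
-	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
-	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
-	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
-	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
-	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
-	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
-	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
-	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
-# Error page management
-[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
-cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
-Alias /error/ "/var/www/html/"
-<Directory "/usr/share/httpd/error">
-    AllowOverride None
-    Options IncludesNoExec
-    AddOutputFilter Includes html
-    AddHandler type-map var
-    Require all granted
-    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
-    ForceLanguagePriority Prefer Fallback
-</Directory>
-ErrorDocument 400 /error/error.php?error=400
-ErrorDocument 401 /error/error.php?error=401
-ErrorDocument 403 /error/error.php?error=403
-ErrorDocument 404 /error/index.php
-ErrorDocument 405 /error/error.php?error=405
-ErrorDocument 408 /error/error.php?error=408
-ErrorDocument 410 /error/error.php?error=410
-ErrorDocument 411 /error/error.php?error=411
-ErrorDocument 412 /error/error.php?error=412
-ErrorDocument 413 /error/error.php?error=413
-ErrorDocument 414 /error/error.php?error=414
-ErrorDocument 415 /error/error.php?error=415
-ErrorDocument 500 /error/error.php?error=500
-ErrorDocument 501 /error/error.php?error=501
-ErrorDocument 502 /error/error.php?error=502
-ErrorDocument 503 /error/error.php?error=503
-ErrorDocument 506 /error/error.php?error=506
-EOF
-	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
-	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
-	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
-	cat <<EOF > /usr/share/httpd/error/include/bottom.html
-</body>
-</html>
-EOF
+	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
+	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
+	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
+	[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
+	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
+
+	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
+	cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
+
+	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
+	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
+	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
+
+	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
+	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
+	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
+	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
+
+	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
+	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
+	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
+	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
+
+	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
+	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
+	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
+
+	/usr/bin/systemctl start lighttpd
+
 # Définition du premier compte lié au profil 'admin'
 	if [ "$mode" = "install" ]
 		then
 			header_install
-			admin_portal=!
-			PTN='^[a-zA-Z0-9-]*$'
-			until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
-				do
-				header_install
-				if [ $Lang == "fr" ]
-				then
-					echo ""
-					echo "Définissez un premier compte d'administration d'ALCASAR :"
-					echo
-					echo -n "Nom : "
-				else
-					echo ""
-					echo "Define the first account allow to administrate ALCASAR :"
-					echo
-					echo -n "Account : "
-				fi
-				read admin_portal
-				if [ "$admin_portal" == "" ]
-					then
-					admin_portal=!
-				fi
-				done
 # Creation of keys file for the admin account ("admin")
 			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
 			mkdir -p $DIR_DEST_ETC/digest
 			chmod 755 $DIR_DEST_ETC/digest
 			until [ -s $DIR_DEST_ETC/digest/key_admin ]
-				do
-					/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
-				done
-			$DIR_DEST_BIN/alcasar-profil.sh --list
+			do
+				$DIR_DEST_BIN/alcasar-profil.sh --add admin
+			done
 	fi
-# ACC partitioning
-	rm -f /etc/httpd/conf/webapps.d/alcasar*
-	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
-<Directory $DIR_WEB>
-	AllowOverride None
-	Order deny,allow
-	Deny from all
-	Allow from 127.0.0.1
-	Allow from $PRIVATE_NETWORK_MASK
-	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-</Directory>
-<Directory $DIR_WEB/certs>
-	AddType application/x-x509-ca-cert crt
-</Directory>
-<Directory $DIR_ACC>
-	SSLRequireSSL
-	AllowOverride None
-	Order deny,allow
-	Deny from all
-	Allow from 127.0.0.1
-	Allow from $PRIVATE_NETWORK_MASK
-	require valid-user
-	AuthType digest
-	AuthName "ALCASAR Control Center (ACC)"
-	AuthDigestDomain $HOSTNAME.$DOMAIN
-	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-	AuthUserFile $DIR_DEST_ETC/digest/key_all
-	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-</Directory>
-<Directory $DIR_ACC/admin>
-	SSLRequireSSL
-	AllowOverride None
-	Order deny,allow
-	Deny from all
-	Allow from 127.0.0.1
-	Allow from $PRIVATE_NETWORK_MASK
-	require valid-user
-	AuthType digest
-	AuthName "ALCASAR Control Center (ACC)"
-	AuthDigestDomain $HOSTNAME.$DOMAIN
-	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-	AuthUserFile $DIR_DEST_ETC/digest/key_admin
-	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-</Directory>
-<Directory $DIR_ACC/manager>
-	SSLRequireSSL
-	AllowOverride None
-	Order deny,allow
-	Deny from all
-	Allow from 127.0.0.1
-	Allow from $PRIVATE_NETWORK_MASK
-	require valid-user
-	AuthType digest
-	AuthName "ALCASAR Control Center (ACC)"
-	AuthDigestDomain $HOSTNAME.$DOMAIN
-	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-	AuthUserFile $DIR_DEST_ETC/digest/key_manager
-	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-</Directory>
-<Directory $DIR_ACC/backup>
-	SSLRequireSSL
-	AllowOverride None
-	Order deny,allow
-	Deny from all
-	Allow from 127.0.0.1
-	Allow from $PRIVATE_NETWORK_MASK
-	require valid-user
-	AuthType digest
-	AuthName "ALCASAR Control Center (ACC)"
-	AuthDigestDomain $HOSTNAME.$DOMAIN
-	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-	AuthUserFile $DIR_DEST_ETC/digest/key_backup
-	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-</Directory>
-Alias /save/ "$DIR_SAVE/"
-<Directory $DIR_SAVE>
-	SSLRequireSSL
-	Options Indexes
-	Order deny,allow
-	Deny from all
-	Allow from 127.0.0.1
-	Allow from $PRIVATE_NETWORK_MASK
-	require valid-user
-	AuthType digest
-	AuthName "ALCASAR Control Center (ACC)"
-	AuthDigestDomain $HOSTNAME.$DOMAIN
-	AuthUserFile $DIR_DEST_ETC/digest/key_backup
-	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-</Directory>
-EOF
+
 	# Launch after coova (in order to wait tun0 to be up)
-	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
+	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
 	# Log file for ACC access imputability
 	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
 	chown root:apache /var/Save/security/acc_access.log
 	chmod 664 /var/Save/security/acc_access.log
 } # End of ACC ()
 
 ##########################################################################
 ##				Fonction "CA"				##
-## - Creating the CA and the server certificate (apache)	 	##
+## - Creating the CA and the server certificate (lighttpd)	 	##
 ##########################################################################
 CA ()
 {
 	$DIR_DEST_BIN/alcasar-CA.sh
-	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
-	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
-	cat <<EOF > $FIC_VIRTUAL_SSL
-# default SSL virtual host, used for all HTTPS requests that do not
-# match a ServerName or ServerAlias in any <VirtualHost> block.
 
-<VirtualHost _default_:443>
-# general configuration
-    ServerAdmin root@localhost
-    ServerName $HOSTNAME.$DOMAIN
-
-# SSL configuration
-    SSLEngine on
-    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
-    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
-    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-    CustomLog logs/ssl_request_log \
-	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
-    ErrorLog logs/ssl_error_log
-    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
-</VirtualHost>
-EOF
 	chown -R root:apache /etc/pki
 	chmod -R 750 /etc/pki
 } # End of CA ()
 
 ##################################################################
@@ -1933,11 +1769,11 @@
 	/usr/bin/touch /var/log/auth.log
 # fail2ban unit
 [ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
 $SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
 $SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
-$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
+$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
 } # End fail2ban()
 
 ##################################################################
 ## 			Fonction "gammu_smsd"			##
 ## - Creation de la base de donnée Gammu			##
@@ -2144,11 +1980,11 @@
 	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
 	chmod 644 /etc/logrotate.d/*
 # Log compression
 	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
 # actualisation des fichiers logs compressés
-	for dir in firewall dansguardian httpd
+	for dir in firewall dansguardian lighttpd
 	do
 		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
 	done
 # create the alcasar-load_balancing unit
 	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
@@ -2174,11 +2010,11 @@
 
 [Install]
 WantedBy=multi-user.target
 EOF
 # processes launched at boot time (Systemctl)
-	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
+	for i in alcasar-load_balancing mysqld lighttpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
 	do
 		/usr/bin/systemctl -q enable $i.service
 	done
 
 # disable processes at boot time (Systemctl)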
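Review bot: The backup guard added at new line 772 of ACC() tests the wrong path: `[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default` checks the live config (which must exist for the cp to succeed), so the `.default` copy is never made, unlike the three sibling guards on 769–771 that test the `.default` file; it should read `[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default`. The removed Apache `webapps.d/alcasar.conf` block carried the ACC access policy (SSLRequireSSL, deny-by-default with allow from 127.0.0.1 and $PRIVATE_NETWORK_MASK, digest auth per directory against key_all/key_admin/key_manager/key_backup); on the new side that policy presumably lives in `$DIR_CONF/lighttpd/vhosts.d/alcasar.conf`, which is not part of this diff, so it should be checked that the same per-directory restrictions are reproduced there before merge, and a comment such as `# ACC access control (TLS, network restriction, digest auth) is defined in vhosts.d/alcasar.conf` next to the `cp` on line 776 would make that dependency visible. The php-fpm socket is set to `listen.owner = apache` on lines 778–779 and the unchanged `chown root:apache` at 816 still uses the Apache group; whether the lighttpd service on the target runs under that account is not visible here and is worth confirming, otherwise the socket and the access log become unreadable to the web server. Line 783 and line 792 both rewrite `server.bind` in lighttpd.conf; the second is redundant once the first has uncommented it. The body of ACC() starts before line 762 and so is only partly in view.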