Subversion Repositories ALCASAR

Rev

Rev 2482 | Rev 2499 | Go to most recent revision | Only display areas with differences | Regard whitespace | Details | Blame | Last modification | View Log

Rev 2482 Rev 2488
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2482 2018-01-17 09:10:56Z lucas.echard $
2
#  $Id: alcasar.sh 2488 2018-02-25 14:53:54Z lucas.echard $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
 
26
 
27
# Functions :
27
# Functions :
28
#	testing			: connectivity tests, free space test and mageia version test
28
#	testing			: connectivity tests, free space test and mageia version test
29
#	init			: Installation of RPM and scripts
29
#	init			: Installation of RPM and scripts
30
#	network			: Network parameters
30
#	network			: Network parameters
31
#	ACC				: ALCASAR Control Center installation
31
#	ACC				: ALCASAR Control Center installation
32
#	CA				: Certification Authority initialization
32
#	CA				: Certification Authority initialization
33
#	time_server		: NTPd configuration
33
#	time_server		: NTPd configuration
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	freeradius		: FreeRadius initialisation
35
#	freeradius		: FreeRadius initialisation
36
#	chilli			: coovachilli initialisation (+authentication page)
36
#	chilli			: coovachilli initialisation (+authentication page)
37
#	dansguardian	: DansGuardian filtering HTTP proxy configuration
37
#	dansguardian	: DansGuardian filtering HTTP proxy configuration
38
#	antivirus		: HAVP + libclamav configuration
38
#	antivirus		: HAVP + libclamav configuration
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	nfsen			: Configuration of Nfsen Netflow grapher
41
#	nfsen			: Configuration of Nfsen Netflow grapher
42
#	dnsmasq			: Name server configuration
42
#	dnsmasq			: Name server configuration
43
#	vnstat			: little network stat daemon
43
#	vnstat			: little network stat daemon
44
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
44
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	cron			: Logs export + watchdog + connexion statistics
45
#	cron			: Logs export + watchdog + connexion statistics
46
#	fail2ban		: Fail2ban IDS installation and configuration
46
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
47
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	msec			: Mandriva security package configuration
48
#	msec			: Mandriva security package configuration
49
#	letsencrypt		: Let's Encrypt client
49
#	letsencrypt		: Let's Encrypt client
50
#	post_install	: Security, log rotation, etc.
50
#	post_install	: Security, log rotation, etc.
51
 
51
 
52
DEBUG_ALCASAR=off; export DEBUG_ALCASAR		# Debug mode = wait (hit key) after each function
52
DEBUG_ALCASAR=off; export DEBUG_ALCASAR		# Debug mode = wait (hit key) after each function
53
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE=`date '+%d %B %Y - %Hh%M'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
55
Lang=`echo $LANG|cut -c 1-2`
55
Lang=`echo $LANG|cut -c 1-2`
56
mode="install"
56
mode="install"
57
# ******* Files parameters - paramètres fichiers *********
57
# ******* Files parameters - paramètres fichiers *********
58
DIR_INSTALL=`pwd`				# current directory
58
DIR_INSTALL=`pwd`				# current directory
59
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
62
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
62
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
63
DIR_WEB="/var/www/html"				# directory of APACHE
63
DIR_WEB="/var/www/html"				# directory of Lighttpd
64
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
64
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
65
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
65
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
66
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
67
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
68
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
68
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
71
# ******* DBMS parameters - paramètres SGBD ********
71
# ******* DBMS parameters - paramètres SGBD ********
72
DB_RADIUS="radius"				# database name used by FreeRadius server
72
DB_RADIUS="radius"				# database name used by FreeRadius server
73
DB_USER="radius"				# user name allows to request the users database
73
DB_USER="radius"				# user name allows to request the users database
74
DB_GAMMU="gammu"				# database name used by Gammu-smsd
74
DB_GAMMU="gammu"				# database name used by Gammu-smsd
75
# ******* Network parameters - paramètres réseau *******
75
# ******* Network parameters - paramètres réseau *******
76
HOSTNAME="alcasar"				# default hostname
76
HOSTNAME="alcasar"				# default hostname
77
DOMAIN="localdomain"				# default local domain
77
DOMAIN="localdomain"				# default local domain
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
80
MTU="1500"
80
MTU="1500"
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
82
# ****** Paths - chemin des commandes *******
82
# ****** Paths - chemin des commandes *******
83
SED="/bin/sed -i"
83
SED="/bin/sed -i"
84
# ****************** End of global parameters *********************
84
# ****************** End of global parameters *********************
85
 
85
 
86
license ()
86
license ()
87
{
87
{
88
	if [ $Lang == "fr" ]
88
	if [ $Lang == "fr" ]
89
	then
89
	then
90
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
91
	else
91
	else
92
		cat $DIR_INSTALL/gpl-warning.txt | more
92
		cat $DIR_INSTALL/gpl-warning.txt | more
93
	fi
93
	fi
94
	response=0
94
	response=0
95
	PTN='^[oOyYnN]$'
95
	PTN='^[oOyYnN]$'
96
	until [[ $(expr $response : $PTN) -gt 0 ]]
96
	until [[ $(expr $response : $PTN) -gt 0 ]]
97
	do
97
	do
98
		if [ $Lang == "fr" ]
98
		if [ $Lang == "fr" ]
99
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
100
			else echo -n "Do you accept the terms of this license (Y/n)? : "
100
			else echo -n "Do you accept the terms of this license (Y/n)? : "
101
		fi
101
		fi
102
		read response
102
		read response
103
	done
103
	done
104
	if [ "$response" = "n" ] || [ "$response" = "N" ]
104
	if [ "$response" = "n" ] || [ "$response" = "N" ]
105
	then
105
	then
106
		exit 1
106
		exit 1
107
	fi
107
	fi
108
}
108
}
109
 
109
 
110
header_install ()
110
header_install ()
111
{
111
{
112
	clear
112
	clear
113
	echo "-----------------------------------------------------------------------------"
113
	echo "-----------------------------------------------------------------------------"
114
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "                     ALCASAR V$VERSION Installation"
115
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
	echo "-----------------------------------------------------------------------------"
116
	echo "-----------------------------------------------------------------------------"
117
}
117
}
118
 
118
 
119
##################################################################
119
##################################################################
120
##			Function "testing"			##
120
##			Function "testing"			##
121
## - Test of Mageia version					##
121
## - Test of Mageia version					##
122
## - Test of ALCASAR version (if already installed)		##
122
## - Test of ALCASAR version (if already installed)		##
123
## - Test of free space on /var  (>10G)				##
123
## - Test of free space on /var  (>10G)				##
124
## - Test of Internet access					##
124
## - Test of Internet access					##
125
##################################################################
125
##################################################################
126
testing ()
126
testing ()
127
{
127
{
128
# Test of Mageia version
128
# Test of Mageia version
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
	fic=`cat /etc/product.id`
130
	fic=`cat /etc/product.id`
131
	unknown_os=0
131
	unknown_os=0
132
	old="$IFS"
132
	old="$IFS"
133
	IFS=","
133
	IFS=","
134
	set $fic
134
	set $fic
135
	for i in $*
135
	for i in $*
136
	do
136
	do
137
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
			then
138
			then
139
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
			unknown_os=`expr $unknown_os + 1`
140
			unknown_os=`expr $unknown_os + 1`
141
		fi
141
		fi
142
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
143
			then
143
			then
144
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
145
			unknown_os=`expr $unknown_os + 1`
145
			unknown_os=`expr $unknown_os + 1`
146
		fi
146
		fi
147
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
148
			then
148
			then
149
			ARCH=`echo $i|cut -d"=" -f2`
149
			ARCH=`echo $i|cut -d"=" -f2`
150
			unknown_os=`expr $unknown_os + 1`
150
			unknown_os=`expr $unknown_os + 1`
151
		fi
151
		fi
152
	done
152
	done
153
	if [ "$ARCH" == "i586" ]
153
	if [ "$ARCH" == "i586" ]
154
		then
154
		then
155
		if [ $Lang == "fr" ]
155
		if [ $Lang == "fr" ]
156
			then echo -n "Votre architecture matérielle doit être en 64bits"
156
			then echo -n "Votre architecture matérielle doit être en 64bits"
157
			else echo -n "You hardware architecture must be 64bits"
157
			else echo -n "You hardware architecture must be 64bits"
158
		fi
158
		fi
159
		exit 1
159
		exit 1
160
	fi
160
	fi
161
	IFS="$old"
161
	IFS="$old"
162
# Test if ALCASAR is already installed
162
# Test if ALCASAR is already installed
163
	if [ -e $CONF_FILE ]
163
	if [ -e $CONF_FILE ]
164
	then
164
	then
165
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
165
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
166
		if [ $Lang == "fr" ]
166
		if [ $Lang == "fr" ]
167
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
167
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
168
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
168
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
169
		fi
169
		fi
170
		response=0
170
		response=0
171
		PTN='^[12]$'
171
		PTN='^[12]$'
172
		until [[ $(expr $response : $PTN) -gt 0 ]]
172
		until [[ $(expr $response : $PTN) -gt 0 ]]
173
		do
173
		do
174
			if [ $Lang == "fr" ]
174
			if [ $Lang == "fr" ]
175
			then
175
			then
176
				echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
176
				echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
177
			else
177
			else
178
				echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
178
				echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
179
			 fi
179
			 fi
180
			read response
180
			read response
181
		done
181
		done
182
		if [ "$response" = "2" ]
182
		if [ "$response" = "2" ]
183
		then
183
		then
184
			rm -f /tmp/alcasar-conf*
184
			rm -f /tmp/alcasar-conf*
185
		else
185
		else
186
# Retrieve former NICname
186
# Retrieve former NICname
187
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
187
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
188
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
188
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
189
# Create the current conf file
189
# Create the current conf file
190
			$DIR_SCRIPTS/alcasar-conf.sh --create
190
			$DIR_SCRIPTS/alcasar-conf.sh --create
191
			mode="update"
191
			mode="update"
192
		fi
192
		fi
193
	fi
193
	fi
194
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
194
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
195
		then
195
		then
196
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
196
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
197
			then
197
			then
198
			echo
198
			echo
199
			if [ $Lang == "fr" ]
199
			if [ $Lang == "fr" ]
200
				then
200
				then
201
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
201
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
202
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
202
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
203
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
203
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
204
				echo "3 - Importez votre base des usagers"
204
				echo "3 - Importez votre base des usagers"
205
			else
205
			else
206
				echo "The automatic update of ALCASAR can't be performed."
206
				echo "The automatic update of ALCASAR can't be performed."
207
				echo "1 - Save your traceability files and the user database"
207
				echo "1 - Save your traceability files and the user database"
208
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
208
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
209
				echo "3 - Import your users database"
209
				echo "3 - Import your users database"
210
			fi
210
			fi
211
		else
211
		else
212
			if [ $Lang == "fr" ]
212
			if [ $Lang == "fr" ]
213
				then
213
				then
214
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
214
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
215
			else
215
			else
216
				echo "The installation of ALCASAR can't be performed."
216
				echo "The installation of ALCASAR can't be performed."
217
			fi
217
			fi
218
		fi
218
		fi
219
		echo
219
		echo
220
		if [ $Lang == "fr" ]
220
		if [ $Lang == "fr" ]
221
			then
221
			then
222
			echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
222
			echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
223
		else
223
		else
224
			echo "The OS must be replaced (Mageia6-64bits)"
224
			echo "The OS must be replaced (Mageia6-64bits)"
225
		fi
225
		fi
226
		exit 0
226
		exit 0
227
	fi
227
	fi
228
	if [ ! -d /var/log/netflow/porttracker ]
228
	if [ ! -d /var/log/netflow/porttracker ]
229
		then
229
		then
230
# Test free space on /var
230
# Test free space on /var
231
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
231
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
232
		if [ $free_space -lt 10 ]
232
		if [ $free_space -lt 10 ]
233
			then
233
			then
234
			if [ $Lang == "fr" ]
234
			if [ $Lang == "fr" ]
235
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
235
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
236
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
236
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
237
			fi
237
			fi
238
		exit 0
238
		exit 0
239
		fi
239
		fi
240
	fi
240
	fi
241
	if [ $Lang == "fr" ]
241
	if [ $Lang == "fr" ]
242
		then echo -n "Tests des paramètres réseau : "
242
		then echo -n "Tests des paramètres réseau : "
243
		else echo -n "Network parameters tests : "
243
		else echo -n "Network parameters tests : "
244
	fi
244
	fi
245
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
245
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
246
	cd /etc/sysconfig/network-scripts/
246
	cd /etc/sysconfig/network-scripts/
247
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
247
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
248
	for i in $IF_INTERFACES
248
	for i in $IF_INTERFACES
249
	do
249
	do
250
		IP_INTERFACE=`/usr/sbin/ip link|grep $i`
250
		IP_INTERFACE=`/usr/sbin/ip link|grep $i`
251
		if [ -z "$IP_INTERFACE" ]
251
		if [ -z "$IP_INTERFACE" ]
252
		then
252
		then
253
			rm -f ifcfg-$i
253
			rm -f ifcfg-$i
254
 
254
 
255
			if [ $Lang == "fr" ]
255
			if [ $Lang == "fr" ]
256
				then echo "Suppression : ifcfg-$i"
256
				then echo "Suppression : ifcfg-$i"
257
				else echo "Deleting : ifcfg-$i"
257
				else echo "Deleting : ifcfg-$i"
258
			fi
258
			fi
259
		fi
259
		fi
260
	done
260
	done
261
	cd $DIR_INSTALL
261
	cd $DIR_INSTALL
262
	echo -n "."
262
	echo -n "."
263
# Test Ethernet NIC links state
263
# Test Ethernet NIC links state
264
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
264
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
265
	for i in $DOWN_IF
265
	for i in $DOWN_IF
266
	do
266
	do
267
		echo $i
267
		echo $i
268
		if [ $Lang == "fr" ]
268
		if [ $Lang == "fr" ]
269
		then
269
		then
270
			echo "Échec"
270
			echo "Échec"
271
			echo "Le lien réseau de la carte $i n'est pas actif."
271
			echo "Le lien réseau de la carte $i n'est pas actif."
272
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
272
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
273
		else
273
		else
274
			echo "Failed"
274
			echo "Failed"
275
			echo "The link state of $i interface is down."
275
			echo "The link state of $i interface is down."
276
			echo "Make sure that this network card is connected to a switch or an A.P."
276
			echo "Make sure that this network card is connected to a switch or an A.P."
277
		fi
277
		fi
278
		exit 0
278
		exit 0
279
	done
279
	done
280
	echo -n "."
280
	echo -n "."
281
# Test EXTIF config files
281
# Test EXTIF config files
282
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
282
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
283
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
283
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
284
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
284
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
285
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
285
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
286
	then
286
	then
287
		if [ $Lang == "fr" ]
287
		if [ $Lang == "fr" ]
288
		then
288
		then
289
			echo "Échec"
289
			echo "Échec"
290
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
290
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
291
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
291
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
292
			echo "Appliquez les changements : 'systemctl restart network'"
292
			echo "Appliquez les changements : 'systemctl restart network'"
293
		else
293
		else
294
			echo "Failed"
294
			echo "Failed"
295
			echo "The Internet connected network card ($EXTIF) isn't well configured."
295
			echo "The Internet connected network card ($EXTIF) isn't well configured."
296
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
296
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
297
			echo "Apply the new configuration 'systemctl restart network'"
297
			echo "Apply the new configuration 'systemctl restart network'"
298
		fi
298
		fi
299
		echo "DEVICE=$EXTIF"
299
		echo "DEVICE=$EXTIF"
300
		echo "IPADDR="
300
		echo "IPADDR="
301
		echo "NETMASK="
301
		echo "NETMASK="
302
		echo "GATEWAY="
302
		echo "GATEWAY="
303
		echo "DNS1="
303
		echo "DNS1="
304
		echo "DNS2="
304
		echo "DNS2="
305
		echo "ONBOOT=yes"
305
		echo "ONBOOT=yes"
306
		exit 0
306
		exit 0
307
	fi
307
	fi
308
	echo -n "."
308
	echo -n "."
309
# Test if default GW is set on EXTIF (router or ISP provider equipment)
309
# Test if default GW is set on EXTIF (router or ISP provider equipment)
310
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
310
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
311
		if [ $Lang == "fr" ]
311
		if [ $Lang == "fr" ]
312
		then
312
		then
313
			echo "Échec"
313
			echo "Échec"
314
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
314
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
315
			echo "Réglez ce problème puis relancez ce script."
315
			echo "Réglez ce problème puis relancez ce script."
316
		else
316
		else
317
			echo "Failed"
317
			echo "Failed"
318
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
318
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
319
			echo "Resolv this problem, then restart this script."
319
			echo "Resolv this problem, then restart this script."
320
		fi
320
		fi
321
		exit 0
321
		exit 0
322
	fi
322
	fi
323
	echo -n "."
323
	echo -n "."
324
# Test if default GW is alive
324
# Test if default GW is alive
325
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
325
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
326
	if [ $(expr $arp_reply) -eq 0 ]
326
	if [ $(expr $arp_reply) -eq 0 ]
327
		then
327
		then
328
		if [ $Lang == "fr" ]
328
		if [ $Lang == "fr" ]
329
		then
329
		then
330
			echo "Échec"
330
			echo "Échec"
331
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
331
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
332
			echo "Réglez ce problème puis relancez ce script."
332
			echo "Réglez ce problème puis relancez ce script."
333
		else
333
		else
334
			echo "Failed"
334
			echo "Failed"
335
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
335
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
336
			echo "Resolv this problem, then restart this script."
336
			echo "Resolv this problem, then restart this script."
337
		fi
337
		fi
338
		exit 0
338
		exit 0
339
	fi
339
	fi
340
	echo -n "."
340
	echo -n "."
341
# Test Internet connectivity
341
# Test Internet connectivity
342
	rm -rf /tmp/con_ok.html
342
	rm -rf /tmp/con_ok.html
343
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
343
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
344
	if [ ! -e /tmp/con_ok.html ]
344
	if [ ! -e /tmp/con_ok.html ]
345
	then
345
	then
346
		if [ $Lang == "fr" ]
346
		if [ $Lang == "fr" ]
347
		then
347
		then
348
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
348
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
349
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
349
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
350
			echo "Vérifiez la validité des adresses IP des DNS."
350
			echo "Vérifiez la validité des adresses IP des DNS."
351
		else
351
		else
352
			echo "The Internet connection try failed (google.fr)."
352
			echo "The Internet connection try failed (google.fr)."
353
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
353
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
354
			echo "Verify the DNS IP addresses"
354
			echo "Verify the DNS IP addresses"
355
		fi
355
		fi
356
		exit 0
356
		exit 0
357
	fi
357
	fi
358
	rm -rf /tmp/con_ok.html
358
	rm -rf /tmp/con_ok.html
359
	echo ". : ok"
359
	echo ". : ok"
360
} # end of testing ()
360
} # end of testing ()
361
 
361
 
362
##################################################################
362
##################################################################
363
##			Function "init"				##
363
##			Function "init"				##
364
## - Création du fichier "/root/ALCASAR_parametres.tx		##
364
## - Création du fichier "/root/ALCASAR_parametres.tx		##
365
## - Installation et modification des scripts du portail	##
365
## - Installation et modification des scripts du portail	##
366
##################################################################
366
##################################################################
367
init ()
367
init ()
368
{
368
{
369
	if [ "$mode" != "update" ]
369
	if [ "$mode" != "update" ]
370
	then
370
	then
371
# On affecte le nom d'organisme
371
# On affecte le nom d'organisme
372
		header_install
372
		header_install
373
		ORGANISME=!
373
		ORGANISME=!
374
		PTN='^[a-zA-Z0-9-]*$'
374
		PTN='^[a-zA-Z0-9-]*$'
375
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
375
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
376
		do
376
		do
377
			if [ $Lang == "fr" ]
377
			if [ $Lang == "fr" ]
378
				then echo -n "Entrez le nom de votre organisme : "
378
				then echo -n "Entrez le nom de votre organisme : "
379
				else echo -n "Enter the name of your organism : "
379
				else echo -n "Enter the name of your organism : "
380
			fi
380
			fi
381
			read ORGANISME
381
			read ORGANISME
382
			if [ "$ORGANISME" == "" ]
382
			if [ "$ORGANISME" == "" ]
383
				then
383
				then
384
				ORGANISME=!
384
				ORGANISME=!
385
			fi
385
			fi
386
		done
386
		done
387
	fi
387
	fi
388
# On crée aléatoirement les mots de passe et les secrets partagés
388
# On crée aléatoirement les mots de passe et les secrets partagés
389
# We create random passwords and shared secrets
389
# We create random passwords and shared secrets
390
	rm -f $PASSWD_FILE
390
	rm -f $PASSWD_FILE
391
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
391
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
392
	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
392
	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
393
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
393
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
394
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
394
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
395
		grep -v '[eE]nter password:' | \
395
		grep -v '[eE]nter password:' | \
396
		sed -e "s/PBKDF2 hash of your password is //"`
396
		sed -e "s/PBKDF2 hash of your password is //"`
397
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
397
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
398
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
398
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
399
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
399
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
400
	chmod 0600 /boot/grub2/user.cfg
400
	chmod 0600 /boot/grub2/user.cfg
401
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
401
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
402
	echo "GRUB2_user=root" >> $PASSWD_FILE
402
	echo "GRUB2_user=root" >> $PASSWD_FILE
403
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
403
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
404
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
404
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
405
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
405
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
406
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
406
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
407
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
407
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
408
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
408
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
409
	echo "db_user=$DB_USER" >> $PASSWD_FILE
409
	echo "db_user=$DB_USER" >> $PASSWD_FILE
410
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
410
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
411
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
411
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
412
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
412
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
413
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
413
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
414
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
414
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
415
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
415
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
416
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
416
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
417
	chmod 640 $PASSWD_FILE
417
	chmod 640 $PASSWD_FILE
418
#  copy scripts in in /usr/local/bin
418
#  copy scripts in in /usr/local/bin
419
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
419
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
420
#  copy conf files in /usr/local/etc
420
#  copy conf files in /usr/local/etc
421
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
421
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
422
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
422
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
423
# generate central conf file
423
# generate central conf file
424
	cat <<EOF > $CONF_FILE
424
	cat <<EOF > $CONF_FILE
425
##########################################
425
##########################################
426
##                                      ##
426
##                                      ##
427
##          ALCASAR Parameters          ##
427
##          ALCASAR Parameters          ##
428
##                                      ##
428
##                                      ##
429
##########################################
429
##########################################
430
 
430
 
431
INSTALL_DATE=$DATE
431
INSTALL_DATE=$DATE
432
VERSION=$VERSION
432
VERSION=$VERSION
433
ORGANISM=$ORGANISME
433
ORGANISM=$ORGANISME
434
HOSTNAME=$HOSTNAME
434
HOSTNAME=$HOSTNAME
435
DOMAIN=$DOMAIN
435
DOMAIN=$DOMAIN
436
EOF
436
EOF
437
	chmod o-rwx $CONF_FILE
437
	chmod o-rwx $CONF_FILE
438
} # End of init ()
438
} # End of init ()
439
 
439
 
440
##################################################################
440
##################################################################
441
##			Function "network"			##
441
##			Function "network"			##
442
## - Définition du plan d'adressage du réseau de consultation	##
442
## - Définition du plan d'adressage du réseau de consultation	##
443
## - Nommage DNS du système 					##
443
## - Nommage DNS du système 					##
444
## - Configuration de l'interface INTIF (réseau de consultation)##
444
## - Configuration de l'interface INTIF (réseau de consultation)##
445
## - Modification du fichier /etc/hosts				##
445
## - Modification du fichier /etc/hosts				##
446
## - Renseignement des fichiers hosts.allow et hosts.deny	##
446
## - Renseignement des fichiers hosts.allow et hosts.deny	##
447
##################################################################
447
##################################################################
448
network ()
448
network ()
449
{
449
{
450
	header_install
450
	header_install
451
	if [ "$mode" != "update" ]
451
	if [ "$mode" != "update" ]
452
		then
452
		then
453
		if [ $Lang == "fr" ]
453
		if [ $Lang == "fr" ]
454
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
454
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
455
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
455
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
456
		fi
456
		fi
457
		response=0
457
		response=0
458
		PTN='^[oOyYnN]$'
458
		PTN='^[oOyYnN]$'
459
		until [[ $(expr $response : $PTN) -gt 0 ]]
459
		until [[ $(expr $response : $PTN) -gt 0 ]]
460
		do
460
		do
461
			if [ $Lang == "fr" ]
461
			if [ $Lang == "fr" ]
462
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
462
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
463
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
463
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
464
			fi
464
			fi
465
			read response
465
			read response
466
		done
466
		done
467
		if [ "$response" = "n" ] || [ "$response" = "N" ]
467
		if [ "$response" = "n" ] || [ "$response" = "N" ]
468
		then
468
		then
469
			PRIVATE_IP_MASK="0"
469
			PRIVATE_IP_MASK="0"
470
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
470
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
471
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
471
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
472
			do
472
			do
473
				if [ $Lang == "fr" ]
473
				if [ $Lang == "fr" ]
474
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
474
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
475
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
475
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
476
				fi
476
				fi
477
				read PRIVATE_IP_MASK
477
				read PRIVATE_IP_MASK
478
			done
478
			done
479
		else
479
		else
480
	   			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
480
	   			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
481
		fi
481
		fi
482
	else
482
	else
483
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
483
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
484
		rm -rf conf/etc/alcasar.conf
484
		rm -rf conf/etc/alcasar.conf
485
	fi
485
	fi
486
# Define LAN side global parameters
486
# Define LAN side global parameters
487
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
487
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
488
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
488
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
489
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
489
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
490
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
490
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
491
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
491
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
492
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
492
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
493
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
493
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
494
		then
494
		then
495
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
495
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
496
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
496
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
497
	fi
497
	fi
498
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
498
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
499
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
499
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
500
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
500
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
501
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
501
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
502
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
502
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
503
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
503
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
504
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
504
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
505
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
505
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
506
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
506
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
507
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
507
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
508
# Define Internet parameters
508
# Define Internet parameters
509
	if [ "$mode" != "update" ]
509
	if [ "$mode" != "update" ]
510
	then
510
	then
511
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
511
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
512
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
512
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
513
	else
513
	else
514
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
514
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
515
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
515
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
516
	fi
516
	fi
517
	if [ "$DNS1" == "" ]
517
	if [ "$DNS1" == "" ]
518
	then
518
	then
519
		if [ $Lang == "fr" ]
519
		if [ $Lang == "fr" ]
520
		then
520
		then
521
			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
521
			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
522
			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
522
			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
523
		else
523
		else
524
			echo "The IP address of DNS servers are not set correctly"
524
			echo "The IP address of DNS servers are not set correctly"
525
			echo "Check the extern network card configuration ($EXTIF)"
525
			echo "Check the extern network card configuration ($EXTIF)"
526
		fi
526
		fi
527
		exit 0
527
		exit 0
528
	fi
528
	fi
529
	DNS1=${DNS1:=208.67.220.220}
529
	DNS1=${DNS1:=208.67.220.220}
530
	DNS2=${DNS2:=208.67.222.222}
530
	DNS2=${DNS2:=208.67.222.222}
531
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
531
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
532
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
532
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
533
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
533
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
534
# Wrtie the conf file
534
# Wrtie the conf file
535
	echo "EXTIF=$EXTIF" >> $CONF_FILE
535
	echo "EXTIF=$EXTIF" >> $CONF_FILE
536
	echo "INTIF=$INTIF" >> $CONF_FILE
536
	echo "INTIF=$INTIF" >> $CONF_FILE
537
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
537
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
538
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
538
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
539
 
539
 
540
	for i in $INTERFACES
540
	for i in $INTERFACES
541
	do
541
	do
542
		SUB=`echo ${i:0:2}`
542
		SUB=`echo ${i:0:2}`
543
		if [ $SUB = "wl" ]
543
		if [ $SUB = "wl" ]
544
			then WIFIF=$i
544
			then WIFIF=$i
545
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
545
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
546
			then LANIF=$i
546
			then LANIF=$i
547
		fi
547
		fi
548
	done
548
	done
549
 
549
 
550
	if [ -n "$WIFIF" ]
550
	if [ -n "$WIFIF" ]
551
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
551
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
552
	elif [ -n "$LANIF" ]
552
	elif [ -n "$LANIF" ]
553
		then echo "LANIF=$LANIF" >> $CONF_FILE
553
		then echo "LANIF=$LANIF" >> $CONF_FILE
554
	fi
554
	fi
555
	#########################################################################################################
555
	#########################################################################################################
556
 
556
 
557
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
557
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
558
	if [ $IP_SETTING == "dhcp" ]
558
	if [ $IP_SETTING == "dhcp" ]
559
		then
559
		then
560
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
560
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
561
		echo "GW=dhcp" >> $CONF_FILE
561
		echo "GW=dhcp" >> $CONF_FILE
562
	else
562
	else
563
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
563
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
564
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
564
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
565
	fi
565
	fi
566
	echo "DNS1=$DNS1" >> $CONF_FILE
566
	echo "DNS1=$DNS1" >> $CONF_FILE
567
	echo "DNS2=$DNS2" >> $CONF_FILE
567
	echo "DNS2=$DNS2" >> $CONF_FILE
568
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
568
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
569
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
569
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
570
	echo "DHCP=on" >> $CONF_FILE
570
	echo "DHCP=on" >> $CONF_FILE
571
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
571
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
572
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
572
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
573
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
573
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
574
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
574
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
575
	echo "INT_DNS_IP=none" >> $CONF_FILE
575
	echo "INT_DNS_IP=none" >> $CONF_FILE
576
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
576
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
577
# network default
577
# network default
578
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
578
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
579
	cat <<EOF > /etc/sysconfig/network
579
	cat <<EOF > /etc/sysconfig/network
580
NETWORKING=yes
580
NETWORKING=yes
581
FORWARD_IPV4=true
581
FORWARD_IPV4=true
582
EOF
582
EOF
583
# /etc/hosts config
583
# /etc/hosts config
584
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
584
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
585
	cat <<EOF > /etc/hosts
585
	cat <<EOF > /etc/hosts
586
127.0.0.1	localhost
586
127.0.0.1	localhost
587
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
587
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
588
EOF
588
EOF
589
# EXTIF (Internet) config
589
# EXTIF (Internet) config
590
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
590
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
591
	if [ $IP_SETTING == "dhcp" ]
591
	if [ $IP_SETTING == "dhcp" ]
592
		then
592
		then
593
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
593
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
594
DEVICE=$EXTIF
594
DEVICE=$EXTIF
595
BOOTPROTO=dhcp
595
BOOTPROTO=dhcp
596
DNS1=127.0.0.1
596
DNS1=127.0.0.1
597
PEERDNS=no
597
PEERDNS=no
598
RESOLV_MODS=yes
598
RESOLV_MODS=yes
599
ONBOOT=yes
599
ONBOOT=yes
600
NOZEROCONF=yes
600
NOZEROCONF=yes
601
METRIC=10
601
METRIC=10
602
MII_NOT_SUPPORTED=yes
602
MII_NOT_SUPPORTED=yes
603
IPV6INIT=no
603
IPV6INIT=no
604
IPV6TO4INIT=no
604
IPV6TO4INIT=no
605
ACCOUNTING=no
605
ACCOUNTING=no
606
USERCTL=no
606
USERCTL=no
607
MTU=$MTU
607
MTU=$MTU
608
EOF
608
EOF
609
		else
609
		else
610
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
610
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
611
DEVICE=$EXTIF
611
DEVICE=$EXTIF
612
BOOTPROTO=static
612
BOOTPROTO=static
613
IPADDR=$PUBLIC_IP
613
IPADDR=$PUBLIC_IP
614
NETMASK=$PUBLIC_NETMASK
614
NETMASK=$PUBLIC_NETMASK
615
GATEWAY=$PUBLIC_GATEWAY
615
GATEWAY=$PUBLIC_GATEWAY
616
DNS1=127.0.0.1
616
DNS1=127.0.0.1
617
RESOLV_MODS=yes
617
RESOLV_MODS=yes
618
ONBOOT=yes
618
ONBOOT=yes
619
METRIC=10
619
METRIC=10
620
NOZEROCONF=yes
620
NOZEROCONF=yes
621
MII_NOT_SUPPORTED=yes
621
MII_NOT_SUPPORTED=yes
622
IPV6INIT=no
622
IPV6INIT=no
623
IPV6TO4INIT=no
623
IPV6TO4INIT=no
624
ACCOUNTING=no
624
ACCOUNTING=no
625
USERCTL=no
625
USERCTL=no
626
MTU=$MTU
626
MTU=$MTU
627
EOF
627
EOF
628
	fi
628
	fi
629
# Config INTIF (consultation LAN) in normal mode
629
# Config INTIF (consultation LAN) in normal mode
630
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
630
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
631
DEVICE=$INTIF
631
DEVICE=$INTIF
632
BOOTPROTO=static
632
BOOTPROTO=static
633
ONBOOT=yes
633
ONBOOT=yes
634
NOZEROCONF=yes
634
NOZEROCONF=yes
635
MII_NOT_SUPPORTED=yes
635
MII_NOT_SUPPORTED=yes
636
IPV6INIT=no
636
IPV6INIT=no
637
IPV6TO4INIT=no
637
IPV6TO4INIT=no
638
ACCOUNTING=no
638
ACCOUNTING=no
639
USERCTL=no
639
USERCTL=no
640
EOF
640
EOF
641
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
641
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
642
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
642
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
643
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
643
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
644
DEVICE=$INTIF
644
DEVICE=$INTIF
645
BOOTPROTO=static
645
BOOTPROTO=static
646
IPADDR=$PRIVATE_IP
646
IPADDR=$PRIVATE_IP
647
NETMASK=$PRIVATE_NETMASK
647
NETMASK=$PRIVATE_NETMASK
648
ONBOOT=yes
648
ONBOOT=yes
649
METRIC=10
649
METRIC=10
650
NOZEROCONF=yes
650
NOZEROCONF=yes
651
MII_NOT_SUPPORTED=yes
651
MII_NOT_SUPPORTED=yes
652
IPV6INIT=no
652
IPV6INIT=no
653
IPV6TO4INIT=no
653
IPV6TO4INIT=no
654
ACCOUNTING=no
654
ACCOUNTING=no
655
USERCTL=no
655
USERCTL=no
656
EOF
656
EOF
657
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
657
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
658
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
658
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
659
	then
659
	then
660
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
660
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
661
DEVICE=$WIFIF
661
DEVICE=$WIFIF
662
BOOTPROTO=static
662
BOOTPROTO=static
663
ONBOOT=yes
663
ONBOOT=yes
664
NOZEROCONF=yes
664
NOZEROCONF=yes
665
MII_NOT_SUPPORTED=yes
665
MII_NOT_SUPPORTED=yes
666
IPV6INIT=no
666
IPV6INIT=no
667
IPV6TO4INIT=no
667
IPV6TO4INIT=no
668
ACCOUNTING=no
668
ACCOUNTING=no
669
USERCTL=no
669
USERCTL=no
670
EOF
670
EOF
671
	elif [ -n "$LANIF" ]
671
	elif [ -n "$LANIF" ]
672
	then
672
	then
673
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
673
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
674
DEVICE=$LANIF
674
DEVICE=$LANIF
675
BOOTPROTO=static
675
BOOTPROTO=static
676
ONBOOT=yes
676
ONBOOT=yes
677
NOZEROCONF=yes
677
NOZEROCONF=yes
678
MII_NOT_SUPPORTED=yes
678
MII_NOT_SUPPORTED=yes
679
IPV6INIT=no
679
IPV6INIT=no
680
IPV6TO4INIT=no
680
IPV6TO4INIT=no
681
ACCOUNTING=no
681
ACCOUNTING=no
682
USERCTL=no
682
USERCTL=no
683
EOF
683
EOF
684
	fi
684
	fi
685
	#########################################################################################################
685
	#########################################################################################################
686
# Renseignement des fichiers hosts.allow et hosts.deny
686
# Renseignement des fichiers hosts.allow et hosts.deny
687
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
687
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
688
	cat <<EOF > /etc/hosts.allow
688
	cat <<EOF > /etc/hosts.allow
689
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
689
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
690
sshd: ALL
690
sshd: ALL
691
ntpd: $PRIVATE_NETWORK_SHORT
691
ntpd: $PRIVATE_NETWORK_SHORT
692
EOF
692
EOF
693
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
693
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
694
	cat <<EOF > /etc/hosts.deny
694
	cat <<EOF > /etc/hosts.deny
695
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
695
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
696
EOF
696
EOF
697
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
697
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
698
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
698
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
699
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
699
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
700
# load conntrack ftp module
700
# load conntrack ftp module
701
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
701
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
702
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
702
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
703
# load ipt_NETFLOW module
703
# load ipt_NETFLOW module
704
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
704
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
705
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
705
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
706
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
706
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
707
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
707
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
708
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
708
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
709
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
709
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
710
#
710
#
711
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
711
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
712
} # End of network ()
712
} # End of network ()
713
 
713
 
714
##################################################################
714
##################################################################
715
##			Function "ACC"				##
715
##			Function "ACC"				##
716
## - installation of then ALCASAR Control Center (ACC)	)	##
716
## - installation of then ALCASAR Control Center (ACC)	)	##
717
## - configuration of the web server (Apache)			##
717
## - configuration of the web server (Lighttpd)			##
718
## - creation of the first ACC admin account 			##
718
## - creation of the first ACC admin account 			##
719
## - secure the access						##
719
## - secure the access						##
720
##################################################################
720
##################################################################
721
ACC ()
721
ACC ()
722
{
722
{
723
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
723
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
724
	mkdir $DIR_WEB
724
	mkdir $DIR_WEB
725
# Copy & adapt ACC files
725
# Copy & adapt ACC files
726
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
726
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
727
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
727
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
728
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
728
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
729
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
729
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
730
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
730
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
731
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
731
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
732
	chown -R apache:apache $DIR_WEB/*
732
	chown -R apache:apache $DIR_WEB/*
733
# copy & adapt "freeradius-web" files
733
# copy & adapt "freeradius-web" files
734
	cp -rf $DIR_CONF/freeradius-web/ /etc/
734
	cp -rf $DIR_CONF/freeradius-web/ /etc/
735
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
735
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
736
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
736
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
737
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
737
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
738
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
738
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
739
	cat <<EOF > /etc/freeradius-web/naslist.conf
739
	cat <<EOF > /etc/freeradius-web/naslist.conf
740
nas1_name: alcasar-$ORGANISME
740
nas1_name: alcasar-$ORGANISME
741
nas1_model: Network Access Controler
741
nas1_model: Network Access Controler
742
nas1_ip: $PRIVATE_IP
742
nas1_ip: $PRIVATE_IP
743
nas1_port_num: 0
743
nas1_port_num: 0
744
nas1_community: public
744
nas1_community: public
745
EOF
745
EOF
746
	chown -R apache:apache /etc/freeradius-web/
746
	chown -R apache:apache /etc/freeradius-web/
747
# create the log & backup structure :
747
# create the log & backup structure :
748
# - base = users database
748
# - base = users database
749
# - archive = tarball of "base + http firewall + netflow"
749
# - archive = tarball of "base + http firewall + netflow"
750
# - security = watchdog log
750
# - security = watchdog log
751
	for i in base archive security activity_report;
751
	for i in base archive security activity_report;
752
	do
752
	do
753
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
753
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
754
	done
754
	done
755
	chown -R root:apache $DIR_SAVE
755
	chown -R root:apache $DIR_SAVE
756
# Configuring & securing php
756
# Configuring & securing php
757
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
757
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
758
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
758
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
759
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
759
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
760
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
760
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
761
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
761
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
762
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
762
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
763
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
763
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
764
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
764
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
765
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
765
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
766
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
766
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
767
# Configuring & sécuring Apache
767
# Configuring & securing Lighttpd
768
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
768
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
769
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
769
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
770
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
770
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
771
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
771
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
772
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
772
	[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
773
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
773
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
-
 
774
 
774
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
775
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
775
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
776
	cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
-
 
777
 
776
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
778
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
777
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
779
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
778
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
780
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
-
 
781
 
779
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
782
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
780
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
783
	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
781
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
784
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
782
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
-
 
783
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
785
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
-
 
786
 
784
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
787
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
785
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
-
 
786
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
-
 
787
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
-
 
788
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
788
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
789
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
789
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
790
# Error page management
-
 
791
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
790
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
792
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
-
 
793
Alias /error/ "/var/www/html/"
-
 
794
<Directory "/usr/share/httpd/error">
-
 
795
    AllowOverride None
-
 
796
    Options IncludesNoExec
-
 
797
    AddOutputFilter Includes html
-
 
798
    AddHandler type-map var
-
 
799
    Require all granted
-
 
800
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
-
 
801
    ForceLanguagePriority Prefer Fallback
-
 
802
</Directory>
-
 
803
ErrorDocument 400 /error/error.php?error=400
-
 
804
ErrorDocument 401 /error/error.php?error=401
-
 
805
ErrorDocument 403 /error/error.php?error=403
-
 
806
ErrorDocument 404 /error/index.php
-
 
807
ErrorDocument 405 /error/error.php?error=405
-
 
808
ErrorDocument 408 /error/error.php?error=408
-
 
809
ErrorDocument 410 /error/error.php?error=410
-
 
810
ErrorDocument 411 /error/error.php?error=411
-
 
811
ErrorDocument 412 /error/error.php?error=412
-
 
812
ErrorDocument 413 /error/error.php?error=413
-
 
813
ErrorDocument 414 /error/error.php?error=414
-
 
814
ErrorDocument 415 /error/error.php?error=415
-
 
815
ErrorDocument 500 /error/error.php?error=500
-
 
816
ErrorDocument 501 /error/error.php?error=501
-
 
817
ErrorDocument 502 /error/error.php?error=502
-
 
818
ErrorDocument 503 /error/error.php?error=503
-
 
819
ErrorDocument 506 /error/error.php?error=506
-
 
820
EOF
791
 
821
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
792
	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
822
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
793
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
823
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
794
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
-
 
795
 
824
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
796
	/usr/bin/systemctl start lighttpd
825
</body>
-
 
826
</html>
-
 
827
EOF
797
 
828
# Définition du premier compte lié au profil 'admin'
798
# Définition du premier compte lié au profil 'admin'
829
	if [ "$mode" = "install" ]
799
	if [ "$mode" = "install" ]
830
		then
800
		then
831
			header_install
801
			header_install
832
			admin_portal=!
-
 
833
			PTN='^[a-zA-Z0-9-]*$'
-
 
834
			until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
-
 
835
				do
-
 
836
				header_install
-
 
837
				if [ $Lang == "fr" ]
-
 
838
				then
-
 
839
					echo ""
-
 
840
					echo "Définissez un premier compte d'administration d'ALCASAR :"
-
 
841
					echo
-
 
842
					echo -n "Nom : "
-
 
843
				else
-
 
844
					echo ""
-
 
845
					echo "Define the first account allow to administrate ALCASAR :"
-
 
846
					echo
-
 
847
					echo -n "Account : "
-
 
848
				fi
-
 
849
				read admin_portal
-
 
850
				if [ "$admin_portal" == "" ]
-
 
851
					then
-
 
852
					admin_portal=!
-
 
853
				fi
-
 
854
				done
-
 
855
# Creation of keys file for the admin account ("admin")
802
# Creation of keys file for the admin account ("admin")
856
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
803
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
857
			mkdir -p $DIR_DEST_ETC/digest
804
			mkdir -p $DIR_DEST_ETC/digest
858
			chmod 755 $DIR_DEST_ETC/digest
805
			chmod 755 $DIR_DEST_ETC/digest
859
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
806
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
860
				do
807
			do
861
					/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
808
				$DIR_DEST_BIN/alcasar-profil.sh --add admin
862
				done
809
			done
863
			$DIR_DEST_BIN/alcasar-profil.sh --list
-
 
864
	fi
810
	fi
865
# ACC partitioning
-
 
866
	rm -f /etc/httpd/conf/webapps.d/alcasar*
-
 
867
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
-
 
868
<Directory $DIR_WEB>
-
 
869
	AllowOverride None
-
 
870
	Order deny,allow
-
 
871
	Deny from all
-
 
872
	Allow from 127.0.0.1
-
 
873
	Allow from $PRIVATE_NETWORK_MASK
-
 
874
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
875
</Directory>
-
 
876
<Directory $DIR_WEB/certs>
-
 
877
	AddType application/x-x509-ca-cert crt
-
 
878
</Directory>
-
 
879
<Directory $DIR_ACC>
-
 
880
	SSLRequireSSL
-
 
881
	AllowOverride None
-
 
882
	Order deny,allow
-
 
883
	Deny from all
-
 
884
	Allow from 127.0.0.1
-
 
885
	Allow from $PRIVATE_NETWORK_MASK
-
 
886
	require valid-user
-
 
887
	AuthType digest
-
 
888
	AuthName "ALCASAR Control Center (ACC)"
-
 
889
	AuthDigestDomain $HOSTNAME.$DOMAIN
-
 
890
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
891
	AuthUserFile $DIR_DEST_ETC/digest/key_all
-
 
892
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
893
</Directory>
-
 
894
<Directory $DIR_ACC/admin>
-
 
895
	SSLRequireSSL
-
 
896
	AllowOverride None
-
 
897
	Order deny,allow
-
 
898
	Deny from all
-
 
899
	Allow from 127.0.0.1
-
 
900
	Allow from $PRIVATE_NETWORK_MASK
-
 
901
	require valid-user
-
 
902
	AuthType digest
-
 
903
	AuthName "ALCASAR Control Center (ACC)"
-
 
904
	AuthDigestDomain $HOSTNAME.$DOMAIN
-
 
905
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
906
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
-
 
907
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
908
</Directory>
-
 
909
<Directory $DIR_ACC/manager>
-
 
910
	SSLRequireSSL
-
 
911
	AllowOverride None
-
 
912
	Order deny,allow
-
 
913
	Deny from all
-
 
914
	Allow from 127.0.0.1
-
 
915
	Allow from $PRIVATE_NETWORK_MASK
-
 
916
	require valid-user
-
 
917
	AuthType digest
-
 
918
	AuthName "ALCASAR Control Center (ACC)"
-
 
919
	AuthDigestDomain $HOSTNAME.$DOMAIN
-
 
920
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
921
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
-
 
922
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
923
</Directory>
-
 
924
<Directory $DIR_ACC/backup>
-
 
925
	SSLRequireSSL
-
 
926
	AllowOverride None
-
 
927
	Order deny,allow
-
 
928
	Deny from all
-
 
929
	Allow from 127.0.0.1
-
 
930
	Allow from $PRIVATE_NETWORK_MASK
-
 
931
	require valid-user
-
 
932
	AuthType digest
-
 
933
	AuthName "ALCASAR Control Center (ACC)"
-
 
934
	AuthDigestDomain $HOSTNAME.$DOMAIN
-
 
935
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
936
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
-
 
937
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
938
</Directory>
-
 
939
Alias /save/ "$DIR_SAVE/"
-
 
940
<Directory $DIR_SAVE>
-
 
941
	SSLRequireSSL
-
 
942
	Options Indexes
-
 
943
	Order deny,allow
-
 
944
	Deny from all
-
 
945
	Allow from 127.0.0.1
-
 
946
	Allow from $PRIVATE_NETWORK_MASK
-
 
947
	require valid-user
-
 
948
	AuthType digest
-
 
949
	AuthName "ALCASAR Control Center (ACC)"
-
 
950
	AuthDigestDomain $HOSTNAME.$DOMAIN
-
 
951
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
-
 
952
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
953
</Directory>
-
 
954
EOF
811
 
955
	# Launch after coova (in order to wait tun0 to be up)
812
	# Launch after coova (in order to wait tun0 to be up)
956
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
813
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
957
	# Log file for ACC access imputability
814
	# Log file for ACC access imputability
958
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
815
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
959
	chown root:apache /var/Save/security/acc_access.log
816
	chown root:apache /var/Save/security/acc_access.log
960
	chmod 664 /var/Save/security/acc_access.log
817
	chmod 664 /var/Save/security/acc_access.log
961
} # End of ACC ()
818
} # End of ACC ()
962
 
819
 
963
##########################################################################
820
##########################################################################
964
##				Fonction "CA"				##
821
##				Fonction "CA"				##
965
## - Creating the CA and the server certificate (apache)	 	##
822
## - Creating the CA and the server certificate (lighttpd)	 	##
966
##########################################################################
823
##########################################################################
967
CA ()
824
CA ()
968
{
825
{
969
	$DIR_DEST_BIN/alcasar-CA.sh
826
	$DIR_DEST_BIN/alcasar-CA.sh
970
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
-
 
971
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
-
 
972
	cat <<EOF > $FIC_VIRTUAL_SSL
-
 
973
# default SSL virtual host, used for all HTTPS requests that do not
-
 
974
# match a ServerName or ServerAlias in any <VirtualHost> block.
-
 
975
 
827
 
976
<VirtualHost _default_:443>
-
 
977
# general configuration
-
 
978
    ServerAdmin root@localhost
-
 
979
    ServerName $HOSTNAME.$DOMAIN
-
 
980
 
-
 
981
# SSL configuration
-
 
982
    SSLEngine on
-
 
983
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
-
 
984
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
-
 
985
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
-
 
986
    CustomLog logs/ssl_request_log \
-
 
987
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
-
 
988
    ErrorLog logs/ssl_error_log
-
 
989
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
-
 
990
</VirtualHost>
-
 
991
EOF
-
 
992
	chown -R root:apache /etc/pki
828
	chown -R root:apache /etc/pki
993
	chmod -R 750 /etc/pki
829
	chmod -R 750 /etc/pki
994
} # End of CA ()
830
} # End of CA ()
995
 
831
 
996
##################################################################
832
##################################################################
997
##			Function "time_server"			##
833
##			Function "time_server"			##
998
## - Configuring NTP server					##
834
## - Configuring NTP server					##
999
##################################################################
835
##################################################################
1000
time_server ()
836
time_server ()
1001
{
837
{
1002
# Set the Internet time server
838
# Set the Internet time server
1003
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
839
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
1004
	cat <<EOF > /etc/ntp/step-tickers
840
	cat <<EOF > /etc/ntp/step-tickers
1005
0.fr.pool.ntp.org	# adapt to your country
841
0.fr.pool.ntp.org	# adapt to your country
1006
1.fr.pool.ntp.org
842
1.fr.pool.ntp.org
1007
2.fr.pool.ntp.org
843
2.fr.pool.ntp.org
1008
EOF
844
EOF
1009
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
845
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
1010
	cat <<EOF > /etc/ntp.conf
846
	cat <<EOF > /etc/ntp.conf
1011
server 0.fr.pool.ntp.org	# adapt to your country
847
server 0.fr.pool.ntp.org	# adapt to your country
1012
server 1.fr.pool.ntp.org
848
server 1.fr.pool.ntp.org
1013
server 2.fr.pool.ntp.org
849
server 2.fr.pool.ntp.org
1014
server 127.127.1.0   		# local clock si NTP internet indisponible ...
850
server 127.127.1.0   		# local clock si NTP internet indisponible ...
1015
fudge 127.127.1.0 stratum 10
851
fudge 127.127.1.0 stratum 10
1016
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
852
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1017
restrict 127.0.0.1
853
restrict 127.0.0.1
1018
driftfile /var/lib/ntp/drift
854
driftfile /var/lib/ntp/drift
1019
logfile /var/log/ntp.log
855
logfile /var/log/ntp.log
1020
disable monitor
856
disable monitor
1021
EOF
857
EOF
1022
	chown -R ntp:ntp /var/lib/ntp
858
	chown -R ntp:ntp /var/lib/ntp
1023
# Synchronize now
859
# Synchronize now
1024
	ntpd -q -g &
860
	ntpd -q -g &
1025
} # End of time_server ()
861
} # End of time_server ()
1026
 
862
 
1027
##########################################################################################
863
##########################################################################################
1028
##			Fonction "init_db"						##
864
##			Fonction "init_db"						##
1029
## - Initialisation de la base Mysql							##
865
## - Initialisation de la base Mysql							##
1030
## - Affectation du mot de passe de l'administrateur (root)				##
866
## - Affectation du mot de passe de l'administrateur (root)				##
1031
## - Suppression des bases et des utilisateurs superflus				##
867
## - Suppression des bases et des utilisateurs superflus				##
1032
## - Création de la base 'radius'							##
868
## - Création de la base 'radius'							##
1033
## - Installation du schéma de cette base						##
869
## - Installation du schéma de cette base						##
1034
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
870
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
1035
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
871
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
1036
##########################################################################################
872
##########################################################################################
1037
init_db ()
873
init_db ()
1038
{
874
{
1039
	if [ `systemctl is-active mysqld` == "active" ]
875
	if [ `systemctl is-active mysqld` == "active" ]
1040
	then
876
	then
1041
		systemctl stop mysqld
877
		systemctl stop mysqld
1042
	fi
878
	fi
1043
	rm -rf /var/lib/mysql # to be sure that there is no former installation
879
	rm -rf /var/lib/mysql # to be sure that there is no former installation
1044
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
880
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
1045
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
881
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1046
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
882
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
1047
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
883
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
1048
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
884
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
1049
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
885
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
1050
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
886
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
1051
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
887
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
1052
	/usr/bin/systemctl start mysqld
888
	/usr/bin/systemctl start mysqld
1053
	nb_round=1
889
	nb_round=1
1054
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
890
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
1055
	do
891
	do
1056
		nb_round=`expr $nb_round + 1`
892
		nb_round=`expr $nb_round + 1`
1057
		sleep 2
893
		sleep 2
1058
	done
894
	done
1059
	if [ ! -S /var/lib/mysql/mysql.sock ]
895
	if [ ! -S /var/lib/mysql/mysql.sock ]
1060
	then
896
	then
1061
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
897
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
1062
		exit
898
		exit
1063
	fi
899
	fi
1064
	MYSQL="/usr/bin/mysql --execute"
900
	MYSQL="/usr/bin/mysql --execute"
1065
# Secure the server
901
# Secure the server
1066
	$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
902
	$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
1067
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
903
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1068
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
904
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
1069
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
905
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
1070
# Create 'radius' database
906
# Create 'radius' database
1071
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
907
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
1072
# Add an empty radius database structure
908
# Add an empty radius database structure
1073
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
909
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
1074
# modify the start script in order to close accounting connexion when the system is comming down or up
910
# modify the start script in order to close accounting connexion when the system is comming down or up
1075
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
911
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1076
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
912
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
1077
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
913
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1078
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
914
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
1079
	/usr/bin/systemctl daemon-reload
915
	/usr/bin/systemctl daemon-reload
1080
} # End of init_db ()
916
} # End of init_db ()
1081
 
917
 
1082
###################################################################
918
###################################################################
1083
##                       Function "freeradius"                   ##
919
##                       Function "freeradius"                   ##
1084
## - Set the configuration files                                 ##
920
## - Set the configuration files                                 ##
1085
## - Set the shared secret between coova-chilli and freeradius   ##
921
## - Set the shared secret between coova-chilli and freeradius   ##
1086
## - Adapt the Mysql conf file and counters                      ##
922
## - Adapt the Mysql conf file and counters                      ##
1087
###################################################################
923
###################################################################
1088
freeradius ()
924
freeradius ()
1089
{
925
{
1090
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
926
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1091
	chown -R radius:radius /etc/raddb
927
	chown -R radius:radius /etc/raddb
1092
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
928
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1093
# Set radius global parameters (radius.conf)
929
# Set radius global parameters (radius.conf)
1094
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
930
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
1095
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
931
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1096
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
932
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1097
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
933
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
1098
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
934
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
1099
 
935
 
1100
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
936
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1101
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
937
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1102
	cat << EOF > /etc/raddb/clients.conf
938
	cat << EOF > /etc/raddb/clients.conf
1103
client localhost {
939
client localhost {
1104
	ipaddr = 127.0.0.1
940
	ipaddr = 127.0.0.1
1105
	secret = $secretradius
941
	secret = $secretradius
1106
	shortname = chilli
942
	shortname = chilli
1107
	nas_type = other
943
	nas_type = other
1108
}
944
}
1109
EOF
945
EOF
1110
# Set Virtual server (remvove all except "alcasar virtual site")
946
# Set Virtual server (remvove all except "alcasar virtual site")
1111
	rm -f /etc/raddb/sites-enabled/*
947
	rm -f /etc/raddb/sites-enabled/*
1112
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
948
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1113
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
949
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1114
	chown radius:apache /etc/raddb/sites-available/alcasar*
950
	chown radius:apache /etc/raddb/sites-available/alcasar*
1115
	chmod 660 /etc/raddb/sites-available/alcasar*
951
	chmod 660 /etc/raddb/sites-available/alcasar*
1116
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
952
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1117
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
953
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
1118
 
954
 
1119
# Set modules
955
# Set modules
1120
# Add custom LDAP "available module"
956
# Add custom LDAP "available module"
1121
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
957
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1122
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
958
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1123
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
959
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
1124
	rm -rf  /etc/raddb/mods-enabled/*
960
	rm -rf  /etc/raddb/mods-enabled/*
1125
	for mods in sql sqlcounter attr_filter expiration logintime pap expr
961
	for mods in sql sqlcounter attr_filter expiration logintime pap expr
1126
	do
962
	do
1127
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
963
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1128
	done
964
	done
1129
# Configure SQL mod
965
# Configure SQL mod
1130
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
966
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1131
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
967
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1132
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
968
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1133
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
969
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1134
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
970
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1135
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
971
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1136
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
972
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1137
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
973
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1138
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
974
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1139
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
975
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1140
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
976
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1141
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
977
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1142
# sqlcounter modifications
978
# sqlcounter modifications
1143
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
979
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1144
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
980
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1145
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
981
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1146
	[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
982
	[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
1147
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
983
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
1148
query = "\
984
query = "\
1149
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
985
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
1150
    FROM radacct \
986
    FROM radacct \
1151
    WHERE username = '%{\${key}}' \
987
    WHERE username = '%{\${key}}' \
1152
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
988
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
1153
EOF
989
EOF
1154
	[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
990
	[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
1155
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
991
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
1156
query = "\
992
query = "\
1157
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
993
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
1158
    FROM radacct \
994
    FROM radacct \
1159
    WHERE username='%{\${key}}' \
995
    WHERE username='%{\${key}}' \
1160
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
996
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
1161
EOF
997
EOF
1162
	[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
998
	[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
1163
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
999
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
1164
# This query was modified for ALCASAR needs (amount of time the voucher is enabled --> rename it in the future : 'Expire_on_login')
1000
# This query was modified for ALCASAR needs (amount of time the voucher is enabled --> rename it in the future : 'Expire_on_login')
1165
query = "\
1001
query = "\
1166
    SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
1002
    SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
1167
    FROM radacct \
1003
    FROM radacct \
1168
    WHERE UserName='%{\${key}}' \
1004
    WHERE UserName='%{\${key}}' \
1169
    ORDER BY acctstarttime \
1005
    ORDER BY acctstarttime \
1170
    LIMIT 1),0)"
1006
    LIMIT 1),0)"
1171
EOF
1007
EOF
1172
# make certain that mysql is up before freeradius start
1008
# make certain that mysql is up before freeradius start
1173
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1009
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1174
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1010
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1175
	/usr/bin/systemctl daemon-reload
1011
	/usr/bin/systemctl daemon-reload
1176
 # Allow apache to change some conf files (ie : ldap on/off)
1012
 # Allow apache to change some conf files (ie : ldap on/off)
1177
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1013
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1178
 
1014
 
1179
} # End freeradius ()
1015
} # End freeradius ()
1180
 
1016
 
1181
#############################################################################
1017
#############################################################################
1182
##                              Fonction "chilli"                          ##
1018
##                              Fonction "chilli"                          ##
1183
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1019
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1184
## - Adapt the authentication web page (intercept.php)                     ##
1020
## - Adapt the authentication web page (intercept.php)                     ##
1185
#############################################################################
1021
#############################################################################
1186
chilli ()
1022
chilli ()
1187
{
1023
{
1188
# chilli unit for systemd
1024
# chilli unit for systemd
1189
	cat << EOF > /lib/systemd/system/chilli.service
1025
	cat << EOF > /lib/systemd/system/chilli.service
1190
#  This file is part of systemd.
1026
#  This file is part of systemd.
1191
#
1027
#
1192
#  systemd is free software; you can redistribute it and/or modify it
1028
#  systemd is free software; you can redistribute it and/or modify it
1193
#  under the terms of the GNU General Public License as published by
1029
#  under the terms of the GNU General Public License as published by
1194
#  the Free Software Foundation; either version 2 of the License, or
1030
#  the Free Software Foundation; either version 2 of the License, or
1195
#  (at your option) any later version.
1031
#  (at your option) any later version.
1196
[Unit]
1032
[Unit]
1197
Description=chilli is a captive portal daemon
1033
Description=chilli is a captive portal daemon
1198
After=network.target
1034
After=network.target
1199
 
1035
 
1200
[Service]
1036
[Service]
1201
Type=forking
1037
Type=forking
1202
ExecStart=/usr/libexec/chilli start
1038
ExecStart=/usr/libexec/chilli start
1203
ExecStop=/usr/libexec/chilli stop
1039
ExecStop=/usr/libexec/chilli stop
1204
ExecReload=/usr/libexec/chilli reload
1040
ExecReload=/usr/libexec/chilli reload
1205
PIDFile=/var/run/chilli.pid
1041
PIDFile=/var/run/chilli.pid
1206
 
1042
 
1207
[Install]
1043
[Install]
1208
WantedBy=multi-user.target
1044
WantedBy=multi-user.target
1209
EOF
1045
EOF
1210
# init file creation
1046
# init file creation
1211
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1047
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1212
	cat <<EOF > /etc/init.d/chilli
1048
	cat <<EOF > /etc/init.d/chilli
1213
#!/bin/sh
1049
#!/bin/sh
1214
#
1050
#
1215
# chilli CoovaChilli init
1051
# chilli CoovaChilli init
1216
#
1052
#
1217
# chkconfig: 2345 65 35
1053
# chkconfig: 2345 65 35
1218
# description: CoovaChilli
1054
# description: CoovaChilli
1219
### BEGIN INIT INFO
1055
### BEGIN INIT INFO
1220
# Provides:       chilli
1056
# Provides:       chilli
1221
# Required-Start: network
1057
# Required-Start: network
1222
# Should-Start:
1058
# Should-Start:
1223
# Required-Stop:  network
1059
# Required-Stop:  network
1224
# Should-Stop:
1060
# Should-Stop:
1225
# Default-Start:  2 3 5
1061
# Default-Start:  2 3 5
1226
# Default-Stop:
1062
# Default-Stop:
1227
# Description:    CoovaChilli access controller
1063
# Description:    CoovaChilli access controller
1228
### END INIT INFO
1064
### END INIT INFO
1229
 
1065
 
1230
[ -f /usr/sbin/chilli ] || exit 0
1066
[ -f /usr/sbin/chilli ] || exit 0
1231
. /etc/init.d/functions
1067
. /etc/init.d/functions
1232
CONFIG=/etc/chilli.conf
1068
CONFIG=/etc/chilli.conf
1233
pidfile=/var/run/chilli.pid
1069
pidfile=/var/run/chilli.pid
1234
[ -f \$CONFIG ] || {
1070
[ -f \$CONFIG ] || {
1235
	echo "\$CONFIG Not found"
1071
	echo "\$CONFIG Not found"
1236
	exit 0
1072
	exit 0
1237
}
1073
}
1238
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1074
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1239
RETVAL=0
1075
RETVAL=0
1240
prog="chilli"
1076
prog="chilli"
1241
case \$1 in
1077
case \$1 in
1242
	start)
1078
	start)
1243
		if [ -f \$pidfile ] ; then
1079
		if [ -f \$pidfile ] ; then
1244
			gprintf "chilli is already running"
1080
			gprintf "chilli is already running"
1245
		else
1081
		else
1246
			gprintf "Starting \$prog: "
1082
			gprintf "Starting \$prog: "
1247
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1083
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1248
			rm -f /var/run/chilli* # cleaning
1084
			rm -f /var/run/chilli* # cleaning
1249
			/usr/sbin/modprobe tun >/dev/null 2>&1
1085
			/usr/sbin/modprobe tun >/dev/null 2>&1
1250
			echo 1 > /proc/sys/net/ipv4/ip_forward
1086
			echo 1 > /proc/sys/net/ipv4/ip_forward
1251
			[ -e /dev/net/tun ] || {
1087
			[ -e /dev/net/tun ] || {
1252
				(cd /dev;
1088
				(cd /dev;
1253
				mkdir net;
1089
				mkdir net;
1254
				cd net;
1090
				cd net;
1255
				mknod tun c 10 200)
1091
				mknod tun c 10 200)
1256
			}
1092
			}
1257
			ifconfig $INTIF 0.0.0.0
1093
			ifconfig $INTIF 0.0.0.0
1258
			/usr/sbin/ethtool -K $INTIF gro off
1094
			/usr/sbin/ethtool -K $INTIF gro off
1259
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1095
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1260
			RETVAL=\$?
1096
			RETVAL=\$?
1261
		fi
1097
		fi
1262
		;;
1098
		;;
1263
 
1099
 
1264
	reload)
1100
	reload)
1265
		killall -HUP chilli
1101
		killall -HUP chilli
1266
		;;
1102
		;;
1267
 
1103
 
1268
	restart)
1104
	restart)
1269
		\$0 stop
1105
		\$0 stop
1270
		sleep 2
1106
		sleep 2
1271
		\$0 start
1107
		\$0 start
1272
		;;
1108
		;;
1273
 
1109
 
1274
	status)
1110
	status)
1275
		status chilli
1111
		status chilli
1276
		RETVAL=0
1112
		RETVAL=0
1277
		;;
1113
		;;
1278
 
1114
 
1279
	stop)
1115
	stop)
1280
		if [ -f \$pidfile ] ; then
1116
		if [ -f \$pidfile ] ; then
1281
			gprintf "Shutting down \$prog: "
1117
			gprintf "Shutting down \$prog: "
1282
			killproc /usr/sbin/chilli
1118
			killproc /usr/sbin/chilli
1283
			RETVAL=\$?
1119
			RETVAL=\$?
1284
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1120
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1285
			[ -e \$current_users_file ] && rm -f \$current_users_file
1121
			[ -e \$current_users_file ] && rm -f \$current_users_file
1286
		else
1122
		else
1287
			gprintf "chilli is not running"
1123
			gprintf "chilli is not running"
1288
		fi
1124
		fi
1289
		;;
1125
		;;
1290
 
1126
 
1291
	*)
1127
	*)
1292
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1128
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1293
		exit 1
1129
		exit 1
1294
esac
1130
esac
1295
echo
1131
echo
1296
EOF
1132
EOF
1297
	chmod a+x /etc/init.d/chilli
1133
	chmod a+x /etc/init.d/chilli
1298
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1134
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1299
# conf file creation
1135
# conf file creation
1300
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1136
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1301
	#NTP Option configuration for DHCP
1137
	#NTP Option configuration for DHCP
1302
	#DHCP Options : rfc2132
1138
	#DHCP Options : rfc2132
1303
		#dhcp option value will be convert in hexa.
1139
		#dhcp option value will be convert in hexa.
1304
		#NTP option (or 'option 42') is like :
1140
		#NTP option (or 'option 42') is like :
1305
		#
1141
		#
1306
		#    Code   Len         Address 1               Address 2
1142
		#    Code   Len         Address 1               Address 2
1307
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1143
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1308
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1144
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1309
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1145
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1310
		#
1146
		#
1311
		#Code : 42 => 2a
1147
		#Code : 42 => 2a
1312
		#Len : 4 => 04
1148
		#Len : 4 => 04
1313
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1149
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1314
	cat <<EOF > /etc/chilli.conf
1150
	cat <<EOF > /etc/chilli.conf
1315
# coova config for ALCASAR
1151
# coova config for ALCASAR
1316
cmdsocket	/var/run/chilli.sock
1152
cmdsocket	/var/run/chilli.sock
1317
unixipc		chilli.$INTIF.ipc
1153
unixipc		chilli.$INTIF.ipc
1318
pidfile		/var/run/chilli.pid
1154
pidfile		/var/run/chilli.pid
1319
net		$PRIVATE_NETWORK_MASK
1155
net		$PRIVATE_NETWORK_MASK
1320
dhcpif		$INTIF
1156
dhcpif		$INTIF
1321
ethers		$DIR_DEST_ETC/alcasar-ethers
1157
ethers		$DIR_DEST_ETC/alcasar-ethers
1322
#nodynip
1158
#nodynip
1323
#statip
1159
#statip
1324
dynip		$PRIVATE_NETWORK_MASK
1160
dynip		$PRIVATE_NETWORK_MASK
1325
domain		$DOMAIN
1161
domain		$DOMAIN
1326
dns1		$PRIVATE_IP
1162
dns1		$PRIVATE_IP
1327
dns2		$PRIVATE_IP
1163
dns2		$PRIVATE_IP
1328
uamlisten	$PRIVATE_IP
1164
uamlisten	$PRIVATE_IP
1329
uamport		3990
1165
uamport		3990
1330
uamuiport	3991
1166
uamuiport	3991
1331
macauth
1167
macauth
1332
macpasswd	password
1168
macpasswd	password
1333
strictmacauth
1169
strictmacauth
1334
locationname	$HOSTNAME.$DOMAIN
1170
locationname	$HOSTNAME.$DOMAIN
1335
radiusserver1	127.0.0.1
1171
radiusserver1	127.0.0.1
1336
radiusserver2	127.0.0.1
1172
radiusserver2	127.0.0.1
1337
radiussecret	$secretradius
1173
radiussecret	$secretradius
1338
radiusauthport	1812
1174
radiusauthport	1812
1339
radiusacctport	1813
1175
radiusacctport	1813
1340
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1176
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1341
redirurl
1177
redirurl
1342
radiusnasid	$HOSTNAME.$DOMAIN
1178
radiusnasid	$HOSTNAME.$DOMAIN
1343
uamsecret	$secretuam
1179
uamsecret	$secretuam
1344
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1180
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1345
coaport		3799
1181
coaport		3799
1346
conup		$DIR_DEST_BIN/alcasar-conup.sh
1182
conup		$DIR_DEST_BIN/alcasar-conup.sh
1347
condown		$DIR_DEST_BIN/alcasar-condown.sh
1183
condown		$DIR_DEST_BIN/alcasar-condown.sh
1348
include		$DIR_DEST_ETC/alcasar-uamallowed
1184
include		$DIR_DEST_ETC/alcasar-uamallowed
1349
include		$DIR_DEST_ETC/alcasar-uamdomain
1185
include		$DIR_DEST_ETC/alcasar-uamdomain
1350
dhcpopt		2a04$PRIVATE_IP_HEXA
1186
dhcpopt		2a04$PRIVATE_IP_HEXA
1351
#dhcpgateway		none
1187
#dhcpgateway		none
1352
#dhcprelayagent		none
1188
#dhcprelayagent		none
1353
#dhcpgatewayport	none
1189
#dhcpgatewayport	none
1354
sslkeyfile	/etc/pki/tls/private/alcasar.key
1190
sslkeyfile	/etc/pki/tls/private/alcasar.key
1355
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1191
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1356
redirssl
1192
redirssl
1357
uamuissl
1193
uamuissl
1358
EOF
1194
EOF
1359
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1195
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1360
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1196
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1361
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1197
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1362
# create files for trusted domains and urls
1198
# create files for trusted domains and urls
1363
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1199
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1364
	chown root:apache $DIR_DEST_ETC/alcasar-*
1200
	chown root:apache $DIR_DEST_ETC/alcasar-*
1365
	chmod 660 $DIR_DEST_ETC/alcasar-*
1201
	chmod 660 $DIR_DEST_ETC/alcasar-*
1366
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1202
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1367
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1203
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1368
# user 'chilli' creation (in order to run conup/off and up/down scripts
1204
# user 'chilli' creation (in order to run conup/off and up/down scripts
1369
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1205
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1370
	if [ "$chilli_exist" == "1" ]
1206
	if [ "$chilli_exist" == "1" ]
1371
	then
1207
	then
1372
		userdel -r chilli 2>/dev/null
1208
		userdel -r chilli 2>/dev/null
1373
	fi
1209
	fi
1374
	groupadd -f chilli
1210
	groupadd -f chilli
1375
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1211
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1376
}  # End of chilli ()
1212
}  # End of chilli ()
1377
 
1213
 
1378
##################################################################
1214
##################################################################
1379
##		Fonction "dansguardian"				##
1215
##		Fonction "dansguardian"				##
1380
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1216
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1381
##################################################################
1217
##################################################################
1382
dansguardian ()
1218
dansguardian ()
1383
{
1219
{
1384
	mkdir -p /var/dansguardian /var/log/dansguardian
1220
	mkdir -p /var/dansguardian /var/log/dansguardian
1385
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1221
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1386
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1222
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1387
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1223
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1388
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1224
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1389
# By default the filter is off
1225
# By default the filter is off
1390
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1226
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1391
# French deny HTML page
1227
# French deny HTML page
1392
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1228
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1393
# Listen only on LAN side
1229
# Listen only on LAN side
1394
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1230
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1395
# DG send its flow to HAVP
1231
# DG send its flow to HAVP
1396
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1232
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1397
# replace the default deny HTML page
1233
# replace the default deny HTML page
1398
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1234
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1399
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1235
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1400
# Don't log
1236
# Don't log
1401
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1237
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1402
# on désactive par défaut le controle de contenu des pages html
1238
# on désactive par défaut le controle de contenu des pages html
1403
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1239
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1404
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1240
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1405
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1241
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1406
# on désactive par défaut le contrôle d'URL par expressions régulières
1242
# on désactive par défaut le contrôle d'URL par expressions régulières
1407
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1243
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1408
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1244
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1409
 
1245
 
1410
# Configure Dansguardian for large site
1246
# Configure Dansguardian for large site
1411
# Minimum number of processus to handle connections
1247
# Minimum number of processus to handle connections
1412
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1248
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1413
# Maximum number of processus to handle connections
1249
# Maximum number of processus to handle connections
1414
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1250
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1415
# Run at least 8 daemons
1251
# Run at least 8 daemons
1416
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1252
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1417
# minimum number of processes to spawn
1253
# minimum number of processes to spawn
1418
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1254
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1419
# maximum age of a child process before it croaks it
1255
# maximum age of a child process before it croaks it
1420
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1256
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1421
 
1257
 
1422
# on désactive par défaut le contrôle de téléchargement de fichiers
1258
# on désactive par défaut le contrôle de téléchargement de fichiers
1423
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1259
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1424
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1260
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1425
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1261
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1426
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1262
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1427
	touch $DIR_DG/lists/bannedextensionlist
1263
	touch $DIR_DG/lists/bannedextensionlist
1428
	touch $DIR_DG/lists/bannedmimetypelist
1264
	touch $DIR_DG/lists/bannedmimetypelist
1429
# 'Safesearch' regex actualisation
1265
# 'Safesearch' regex actualisation
1430
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1266
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1431
# empty LAN IP list that won't be WEB filtered
1267
# empty LAN IP list that won't be WEB filtered
1432
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1268
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1433
	touch $DIR_DG/lists/exceptioniplist
1269
	touch $DIR_DG/lists/exceptioniplist
1434
# Keep a copy of URL & domain filter configuration files
1270
# Keep a copy of URL & domain filter configuration files
1435
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1271
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1436
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1272
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1437
} # End of dansguardian ()
1273
} # End of dansguardian ()
1438
 
1274
 
1439
##################################################################
1275
##################################################################
1440
##			Fonction "antivirus"			##
1276
##			Fonction "antivirus"			##
1441
## - configuration of havp, libclamav and freshclam		##
1277
## - configuration of havp, libclamav and freshclam		##
1442
##################################################################
1278
##################################################################
1443
antivirus ()
1279
antivirus ()
1444
{
1280
{
1445
# create 'havp' user
1281
# create 'havp' user
1446
	havp_exist=`grep -c ^havp: /etc/passwd`
1282
	havp_exist=`grep -c ^havp: /etc/passwd`
1447
	if [ "$havp_exist" == "1" ]
1283
	if [ "$havp_exist" == "1" ]
1448
	then
1284
	then
1449
		userdel -r havp 2>/dev/null
1285
		userdel -r havp 2>/dev/null
1450
		groupdel havp 2>/dev/null
1286
		groupdel havp 2>/dev/null
1451
	fi
1287
	fi
1452
	groupadd -f havp
1288
	groupadd -f havp
1453
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1289
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1454
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1290
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1455
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1291
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1456
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1292
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1457
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1293
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1458
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1294
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1459
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1295
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1460
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1296
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1461
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1297
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1462
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1298
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1463
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1299
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1464
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1300
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1465
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1301
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1466
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1302
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1467
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1303
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1468
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1304
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1469
# skip checking of youtube flow (too heavy load / risk too low)
1305
# skip checking of youtube flow (too heavy load / risk too low)
1470
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1306
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1471
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1307
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1472
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1308
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1473
# adapt init script and systemd unit
1309
# adapt init script and systemd unit
1474
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1310
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1475
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1311
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1476
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1312
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1477
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1313
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1478
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1314
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1479
# replace of the intercept page (template)
1315
# replace of the intercept page (template)
1480
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1316
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1481
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1317
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1482
# update virus database every 4 hours (24h/6)
1318
# update virus database every 4 hours (24h/6)
1483
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1319
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1484
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1320
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1485
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1321
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1486
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1322
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1487
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1323
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1488
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1324
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1489
# update now
1325
# update now
1490
	/usr/bin/freshclam --no-warnings
1326
	/usr/bin/freshclam --no-warnings
1491
} # End of antivirus ()
1327
} # End of antivirus ()
1492
 
1328
 
1493
##########################################################################
1329
##########################################################################
1494
##			Fonction "tinyproxy"				##
1330
##			Fonction "tinyproxy"				##
1495
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1331
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1496
##########################################################################
1332
##########################################################################
1497
tinyproxy ()
1333
tinyproxy ()
1498
{
1334
{
1499
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1335
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1500
	if [ "$tinyproxy_exist" == "1" ]
1336
	if [ "$tinyproxy_exist" == "1" ]
1501
	then
1337
	then
1502
		userdel -r tinyproxy 2>/dev/null
1338
		userdel -r tinyproxy 2>/dev/null
1503
		groupdel tinyproxy 2>/dev/null
1339
		groupdel tinyproxy 2>/dev/null
1504
	fi
1340
	fi
1505
	groupadd -f tinyproxy
1341
	groupadd -f tinyproxy
1506
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1342
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1507
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1343
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1508
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1344
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1509
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1345
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1510
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1346
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1511
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1347
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1512
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1348
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1513
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1349
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1514
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1350
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1515
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1351
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1516
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1352
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1517
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1353
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1518
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1354
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1519
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1355
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1520
# Create the systemd unit
1356
# Create the systemd unit
1521
cat << EOF > /lib/systemd/system/tinyproxy.service
1357
cat << EOF > /lib/systemd/system/tinyproxy.service
1522
#  This file is part of systemd.
1358
#  This file is part of systemd.
1523
#
1359
#
1524
#  systemd is free software; you can redistribute it and/or modify it
1360
#  systemd is free software; you can redistribute it and/or modify it
1525
#  under the terms of the GNU General Public License as published by
1361
#  under the terms of the GNU General Public License as published by
1526
#  the Free Software Foundation; either version 2 of the License, or
1362
#  the Free Software Foundation; either version 2 of the License, or
1527
#  (at your option) any later version.
1363
#  (at your option) any later version.
1528
 
1364
 
1529
# This unit launches tinyproxy (a very light proxy).
1365
# This unit launches tinyproxy (a very light proxy).
1530
# The "sleep 2" is needed because the pid file isn't ready for systemd
1366
# The "sleep 2" is needed because the pid file isn't ready for systemd
1531
[Unit]
1367
[Unit]
1532
Description=Tinyproxy Web Proxy Server
1368
Description=Tinyproxy Web Proxy Server
1533
After=network.target iptables.service
1369
After=network.target iptables.service
1534
 
1370
 
1535
[Service]
1371
[Service]
1536
Type=forking
1372
Type=forking
1537
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1373
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1538
ExecStartPre=/bin/sleep 2
1374
ExecStartPre=/bin/sleep 2
1539
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1375
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1540
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1376
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1541
 
1377
 
1542
[Install]
1378
[Install]
1543
WantedBy=multi-user.target
1379
WantedBy=multi-user.target
1544
EOF
1380
EOF
1545
 
1381
 
1546
} # end of tinyproxy
1382
} # end of tinyproxy
1547
##################################################################################
1383
##################################################################################
1548
##			function "ulogd"					##
1384
##			function "ulogd"					##
1549
## - Ulog config for multi-log files 						##
1385
## - Ulog config for multi-log files 						##
1550
##################################################################################
1386
##################################################################################
1551
ulogd ()
1387
ulogd ()
1552
{
1388
{
1553
# Three instances of ulogd (three different logfiles)
1389
# Three instances of ulogd (three different logfiles)
1554
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1390
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1555
	nl=1
1391
	nl=1
1556
	for log_type in traceability ssh ext-access
1392
	for log_type in traceability ssh ext-access
1557
	do
1393
	do
1558
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1394
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1559
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1395
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1560
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1396
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1561
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1397
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1562
		cat << EOF >> /etc/ulogd-$log_type.conf
1398
		cat << EOF >> /etc/ulogd-$log_type.conf
1563
[emu1]
1399
[emu1]
1564
file="/var/log/firewall/$log_type.log"
1400
file="/var/log/firewall/$log_type.log"
1565
sync=1
1401
sync=1
1566
EOF
1402
EOF
1567
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1403
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1568
		nl=`expr $nl + 1`
1404
		nl=`expr $nl + 1`
1569
	done
1405
	done
1570
	chown -R root:apache /var/log/firewall
1406
	chown -R root:apache /var/log/firewall
1571
	chmod 750 /var/log/firewall
1407
	chmod 750 /var/log/firewall
1572
	chmod 640 /var/log/firewall/*
1408
	chmod 640 /var/log/firewall/*
1573
}  # End of ulogd ()
1409
}  # End of ulogd ()
1574
 
1410
 
1575
 
1411
 
1576
##########################################################
1412
##########################################################
1577
##              Function "nfsen"			##
1413
##              Function "nfsen"			##
1578
## - install the nfsen grapher				##
1414
## - install the nfsen grapher				##
1579
## - install the two plugins porttracker & surfmap	##
1415
## - install the two plugins porttracker & surfmap	##
1580
##########################################################
1416
##########################################################
1581
nfsen()
1417
nfsen()
1582
{
1418
{
1583
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1419
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1584
# Add PortTracker plugin
1420
# Add PortTracker plugin
1585
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1421
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1586
	do
1422
	do
1587
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1423
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1588
	done
1424
	done
1589
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1425
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1590
# use of our conf file and init unit
1426
# use of our conf file and init unit
1591
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1427
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1592
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1428
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1593
	DirTmp=$(pwd)
1429
	DirTmp=$(pwd)
1594
	cd /tmp/nfsen-*/
1430
	cd /tmp/nfsen-*/
1595
	/usr/bin/perl install.pl etc/nfsen.conf
1431
	/usr/bin/perl install.pl etc/nfsen.conf
1596
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1432
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1597
# Create RRD DB for porttracker (only in it still doesn't exist)
1433
# Create RRD DB for porttracker (only in it still doesn't exist)
1598
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1434
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1599
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1435
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1600
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1436
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1601
	chmod -R 770 /var/log/netflow/porttracker
1437
	chmod -R 770 /var/log/netflow/porttracker
1602
# nfsen unit for systemd
1438
# nfsen unit for systemd
1603
	cat << EOF > /lib/systemd/system/nfsen.service
1439
	cat << EOF > /lib/systemd/system/nfsen.service
1604
#  This file is part of systemd.
1440
#  This file is part of systemd.
1605
#
1441
#
1606
#  systemd is free software; you can redistribute it and/or modify it
1442
#  systemd is free software; you can redistribute it and/or modify it
1607
#  under the terms of the GNU General Public License as published by
1443
#  under the terms of the GNU General Public License as published by
1608
#  the Free Software Foundation; either version 2 of the License, or
1444
#  the Free Software Foundation; either version 2 of the License, or
1609
#  (at your option) any later version.
1445
#  (at your option) any later version.
1610
 
1446
 
1611
# This unit launches nfsen (a Netflow grapher).
1447
# This unit launches nfsen (a Netflow grapher).
1612
[Unit]
1448
[Unit]
1613
Description= NfSen init script
1449
Description= NfSen init script
1614
After=network.target iptables.service
1450
After=network.target iptables.service
1615
 
1451
 
1616
[Service]
1452
[Service]
1617
Type=oneshot
1453
Type=oneshot
1618
RemainAfterExit=yes
1454
RemainAfterExit=yes
1619
PIDFile=/var/run/nfsen/nfsen.pid
1455
PIDFile=/var/run/nfsen/nfsen.pid
1620
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1456
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1621
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1457
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1622
ExecStart=/usr/bin/nfsen start
1458
ExecStart=/usr/bin/nfsen start
1623
ExecStop=/usr/bin/nfsen stop
1459
ExecStop=/usr/bin/nfsen stop
1624
ExecReload=/usr/bin/nfsen restart
1460
ExecReload=/usr/bin/nfsen restart
1625
TimeoutSec=0
1461
TimeoutSec=0
1626
 
1462
 
1627
[Install]
1463
[Install]
1628
WantedBy=multi-user.target
1464
WantedBy=multi-user.target
1629
EOF
1465
EOF
1630
# Add the listen port to collect netflow packet (nfcapd)
1466
# Add the listen port to collect netflow packet (nfcapd)
1631
	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1467
	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1632
# expire delay for the profile "live"
1468
# expire delay for the profile "live"
1633
	/usr/bin/systemctl start nfsen
1469
	/usr/bin/systemctl start nfsen
1634
	/bin/nfsen -m live -e 62d 2>/dev/null
1470
	/bin/nfsen -m live -e 62d 2>/dev/null
1635
# add SURFmap plugin
1471
# add SURFmap plugin
1636
	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1472
	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1637
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1473
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1638
	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1474
	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1639
	cd /tmp/
1475
	cd /tmp/
1640
	/usr/bin/sh SURFmap/install.sh
1476
	/usr/bin/sh SURFmap/install.sh
1641
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1477
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1642
# clear the installation
1478
# clear the installation
1643
	cd $DirTmp
1479
	cd $DirTmp
1644
	rm -rf /tmp/nfsen-*
1480
	rm -rf /tmp/nfsen-*
1645
	rm -rf /tmp/SURFmap*
1481
	rm -rf /tmp/SURFmap*
1646
} # End of nfsen ()
1482
} # End of nfsen ()
1647
 
1483
 
1648
##################################################
1484
##################################################
1649
##		Function "vnstat"		##
1485
##		Function "vnstat"		##
1650
## Initialization of Vnstat and vnstat phpFE    ##
1486
## Initialization of Vnstat and vnstat phpFE    ##
1651
##################################################
1487
##################################################
1652
vnstat ()
1488
vnstat ()
1653
{
1489
{
1654
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1490
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1655
	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1491
	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1656
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1492
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1657
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1493
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1658
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1494
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1659
	/usr/bin/vnstat -u -i $EXTIF
1495
	/usr/bin/vnstat -u -i $EXTIF
1660
} # End of vnstat
1496
} # End of vnstat
1661
 
1497
 
1662
##################################################
1498
##################################################
1663
##		Function "dnsmasq"		##
1499
##		Function "dnsmasq"		##
1664
##################################################
1500
##################################################
1665
dnsmasq ()
1501
dnsmasq ()
1666
{
1502
{
1667
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1503
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1668
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1504
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1669
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1505
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1670
	cat << EOF > /etc/dnsmasq.conf
1506
	cat << EOF > /etc/dnsmasq.conf
1671
# Configuration file for "dnsmasq in forward mode"
1507
# Configuration file for "dnsmasq in forward mode"
1672
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1508
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1673
listen-address=$PRIVATE_IP
1509
listen-address=$PRIVATE_IP
1674
pid-file=/var/run/dnsmasq.pid
1510
pid-file=/var/run/dnsmasq.pid
1675
listen-address=127.0.0.1
1511
listen-address=127.0.0.1
1676
no-dhcp-interface=$INTIF
1512
no-dhcp-interface=$INTIF
1677
no-dhcp-interface=tun0
1513
no-dhcp-interface=tun0
1678
no-dhcp-interface=lo
1514
no-dhcp-interface=lo
1679
bind-interfaces
1515
bind-interfaces
1680
cache-size=2048
1516
cache-size=2048
1681
domain-needed
1517
domain-needed
1682
expand-hosts
1518
expand-hosts
1683
bogus-priv
1519
bogus-priv
1684
filterwin2k
1520
filterwin2k
1685
server=$DNS1
1521
server=$DNS1
1686
server=$DNS2
1522
server=$DNS2
1687
# DHCP service is configured. It will be enabled in "bypass" mode
1523
# DHCP service is configured. It will be enabled in "bypass" mode
1688
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1524
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1689
#dhcp-option=option:router,$PRIVATE_IP
1525
#dhcp-option=option:router,$PRIVATE_IP
1690
#dhcp-option=option:ntp-server,$PRIVATE_IP
1526
#dhcp-option=option:ntp-server,$PRIVATE_IP
1691
#domain=$DOMAIN
1527
#domain=$DOMAIN
1692
 
1528
 
1693
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1529
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1694
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1530
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1695
EOF
1531
EOF
1696
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1532
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1697
	cat << EOF > /etc/dnsmasq-blacklist.conf
1533
	cat << EOF > /etc/dnsmasq-blacklist.conf
1698
# Configuration file for "dnsmasq with blacklist"
1534
# Configuration file for "dnsmasq with blacklist"
1699
# Add Toulouse University blacklist domains
1535
# Add Toulouse University blacklist domains
1700
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1536
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1701
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1537
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1702
pid-file=/var/run/dnsmasq-blacklist.pid
1538
pid-file=/var/run/dnsmasq-blacklist.pid
1703
listen-address=$PRIVATE_IP
1539
listen-address=$PRIVATE_IP
1704
port=54
1540
port=54
1705
no-dhcp-interface=$INTIF
1541
no-dhcp-interface=$INTIF
1706
no-dhcp-interface=tun0
1542
no-dhcp-interface=tun0
1707
no-dhcp-interface=lo
1543
no-dhcp-interface=lo
1708
bind-interfaces
1544
bind-interfaces
1709
cache-size=2048
1545
cache-size=2048
1710
domain-needed
1546
domain-needed
1711
expand-hosts
1547
expand-hosts
1712
bogus-priv
1548
bogus-priv
1713
filterwin2k
1549
filterwin2k
1714
log-queries
1550
log-queries
1715
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1551
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1716
server=$DNS1
1552
server=$DNS1
1717
server=$DNS2
1553
server=$DNS2
1718
EOF
1554
EOF
1719
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1555
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1720
	cat << EOF > /etc/dnsmasq-whitelist.conf
1556
	cat << EOF > /etc/dnsmasq-whitelist.conf
1721
# Configuration file for "dnsmasq with whitelist"
1557
# Configuration file for "dnsmasq with whitelist"
1722
# ADD Toulouse university whitelist domains
1558
# ADD Toulouse university whitelist domains
1723
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1559
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1724
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1560
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1725
pid-file=/var/run/dnsmasq-whitelist.pid
1561
pid-file=/var/run/dnsmasq-whitelist.pid
1726
listen-address=$PRIVATE_IP
1562
listen-address=$PRIVATE_IP
1727
port=55
1563
port=55
1728
no-dhcp-interface=$INTIF
1564
no-dhcp-interface=$INTIF
1729
no-dhcp-interface=tun0
1565
no-dhcp-interface=tun0
1730
no-dhcp-interface=lo
1566
no-dhcp-interface=lo
1731
bind-interfaces
1567
bind-interfaces
1732
cache-size=1024
1568
cache-size=1024
1733
domain-needed
1569
domain-needed
1734
expand-hosts
1570
expand-hosts
1735
bogus-priv
1571
bogus-priv
1736
filterwin2k
1572
filterwin2k
1737
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1573
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1738
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
1574
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
1739
EOF
1575
EOF
1740
# 4th dnsmasq listen on udp 56 ("blackhole")
1576
# 4th dnsmasq listen on udp 56 ("blackhole")
1741
	cat << EOF > /etc/dnsmasq-blackhole.conf
1577
	cat << EOF > /etc/dnsmasq-blackhole.conf
1742
# Configuration file for "dnsmasq as a blackhole"
1578
# Configuration file for "dnsmasq as a blackhole"
1743
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1579
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1744
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1580
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1745
pid-file=/var/run/dnsmasq-blackhole.pid
1581
pid-file=/var/run/dnsmasq-blackhole.pid
1746
listen-address=$PRIVATE_IP
1582
listen-address=$PRIVATE_IP
1747
port=56
1583
port=56
1748
no-dhcp-interface=$INTIF
1584
no-dhcp-interface=$INTIF
1749
no-dhcp-interface=tun0
1585
no-dhcp-interface=tun0
1750
no-dhcp-interface=lo
1586
no-dhcp-interface=lo
1751
bind-interfaces
1587
bind-interfaces
1752
cache-size=256
1588
cache-size=256
1753
domain-needed
1589
domain-needed
1754
expand-hosts
1590
expand-hosts
1755
bogus-priv
1591
bogus-priv
1756
filterwin2k
1592
filterwin2k
1757
EOF
1593
EOF
1758
 
1594
 
1759
# the main instance should start after network and chilli (which create tun0)
1595
# the main instance should start after network and chilli (which create tun0)
1760
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1596
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1761
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1597
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1762
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1598
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1763
	for list in blacklist whitelist blackhole
1599
	for list in blacklist whitelist blackhole
1764
	do
1600
	do
1765
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1601
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1766
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1602
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1767
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1603
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1768
	done
1604
	done
1769
} # End dnsmasq
1605
} # End dnsmasq
1770
 
1606
 
1771
##########################################################
1607
##########################################################
1772
##		Fonction "BL"				##
1608
##		Fonction "BL"				##
1773
##########################################################
1609
##########################################################
1774
BL ()
1610
BL ()
1775
{
1611
{
1776
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1612
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1777
	rm -rf $DIR_DG/lists/blacklists
1613
	rm -rf $DIR_DG/lists/blacklists
1778
	mkdir -p /tmp/blacklists
1614
	mkdir -p /tmp/blacklists
1779
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1615
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1780
# creation of file for the rehabilited domains and urls
1616
# creation of file for the rehabilited domains and urls
1781
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1617
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1782
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1618
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1783
	touch $DIR_DG/lists/exceptionsitelist
1619
	touch $DIR_DG/lists/exceptionsitelist
1784
	touch $DIR_DG/lists/exceptionurllist
1620
	touch $DIR_DG/lists/exceptionurllist
1785
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1621
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1786
	cat <<EOF > $DIR_DG/lists/bannedurllist
1622
	cat <<EOF > $DIR_DG/lists/bannedurllist
1787
# Dansguardian filter config for ALCASAR
1623
# Dansguardian filter config for ALCASAR
1788
EOF
1624
EOF
1789
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1625
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1790
# Dansguardian domain filter config for ALCASAR
1626
# Dansguardian domain filter config for ALCASAR
1791
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1627
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1792
#**
1628
#**
1793
# block all SSL and CONNECT tunnels
1629
# block all SSL and CONNECT tunnels
1794
**s
1630
**s
1795
# block all SSL and CONNECT tunnels specified only as an IP
1631
# block all SSL and CONNECT tunnels specified only as an IP
1796
*ips
1632
*ips
1797
# block all sites specified only by an IP
1633
# block all sites specified only by an IP
1798
*ip
1634
*ip
1799
EOF
1635
EOF
1800
# Add Bing to the safesearch url regext list (parental control)
1636
# Add Bing to the safesearch url regext list (parental control)
1801
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1637
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1802
# Bing - add 'adlt=strict'
1638
# Bing - add 'adlt=strict'
1803
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1639
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1804
EOF
1640
EOF
1805
# change the google safesearch ("safe=strict" instead of "safe=vss")
1641
# change the google safesearch ("safe=strict" instead of "safe=vss")
1806
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1642
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1807
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1643
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1808
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1644
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1809
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1645
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1810
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1646
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1811
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1647
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1812
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1648
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1813
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1649
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1814
# add custom ALCASAR BL files
1650
# add custom ALCASAR BL files
1815
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1651
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1816
	do
1652
	do
1817
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1653
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1818
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1654
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1819
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1655
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1820
	done
1656
	done
1821
	chown -R dansguardian:apache $DIR_DG
1657
	chown -R dansguardian:apache $DIR_DG
1822
	chown -R root:apache $DIR_DEST_SHARE
1658
	chown -R root:apache $DIR_DEST_SHARE
1823
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1659
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1824
# adapt the Toulouse BL to ALCASAR architecture
1660
# adapt the Toulouse BL to ALCASAR architecture
1825
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1661
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1826
# enable the default categories
1662
# enable the default categories
1827
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1663
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1828
} # End BL()
1664
} # End BL()
1829
 
1665
 
1830
##########################################################
1666
##########################################################
1831
##		Fonction "cron"				##
1667
##		Fonction "cron"				##
1832
## - Mise en place des différents fichiers de cron	##
1668
## - Mise en place des différents fichiers de cron	##
1833
##########################################################
1669
##########################################################
1834
cron ()
1670
cron ()
1835
{
1671
{
1836
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1672
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1837
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1673
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1838
	cat <<EOF > /etc/crontab
1674
	cat <<EOF > /etc/crontab
1839
SHELL=/usr/bin/bash
1675
SHELL=/usr/bin/bash
1840
PATH=/usr/sbin:/usr/bin
1676
PATH=/usr/sbin:/usr/bin
1841
MAILTO=root
1677
MAILTO=root
1842
HOME=/
1678
HOME=/
1843
 
1679
 
1844
# run-parts
1680
# run-parts
1845
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1681
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1846
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1682
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1847
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1683
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1848
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1684
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1849
EOF
1685
EOF
1850
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1686
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1851
	cat <<EOF >> /etc/anacrontab
1687
	cat <<EOF >> /etc/anacrontab
1852
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1688
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1853
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1689
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1854
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1690
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1855
EOF
1691
EOF
1856
 
1692
 
1857
	cat <<EOF > /etc/cron.d/alcasar-mysql
1693
	cat <<EOF > /etc/cron.d/alcasar-mysql
1858
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1694
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1859
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1695
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1860
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1696
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1861
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1697
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1862
EOF
1698
EOF
1863
	cat <<EOF > /etc/cron.d/alcasar-archive
1699
	cat <<EOF > /etc/cron.d/alcasar-archive
1864
# Archive des logs et de la base de données (tous les lundi à 5h35)
1700
# Archive des logs et de la base de données (tous les lundi à 5h35)
1865
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1701
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1866
EOF
1702
EOF
1867
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1703
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1868
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1704
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1869
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1705
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1870
EOF
1706
EOF
1871
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1707
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1872
# mise à jour automatique de la distribution tous les jours 3h30
1708
# mise à jour automatique de la distribution tous les jours 3h30
1873
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1709
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1874
EOF
1710
EOF
1875
 
1711
 
1876
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1712
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1877
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1713
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1878
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1714
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1879
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1715
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1880
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1716
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1881
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1717
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1882
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1718
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1883
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1719
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1884
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1720
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1885
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1721
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1886
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1722
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1887
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1723
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1888
EOF
1724
EOF
1889
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1725
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1890
# run the "watchdog" every 3'
1726
# run the "watchdog" every 3'
1891
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1727
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1892
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1728
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1893
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1729
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1894
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1730
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1895
EOF
1731
EOF
1896
# Enabling the watchdog every 18'
1732
# Enabling the watchdog every 18'
1897
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1733
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1898
# activate  the daemon-watchdog after boot process
1734
# activate  the daemon-watchdog after boot process
1899
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1735
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1900
# activate the daemon-watchdog every 18'
1736
# activate the daemon-watchdog every 18'
1901
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1737
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1902
EOF
1738
EOF
1903
 
1739
 
1904
# Enabling category update from rsync
1740
# Enabling category update from rsync
1905
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1741
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1906
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
1742
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
1907
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1743
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1908
EOF
1744
EOF
1909
 
1745
 
1910
# Renew the Let's Encrypt certificate
1746
# Renew the Let's Encrypt certificate
1911
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1747
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1912
# Automatic renew of the Let's Encrypt certificate
1748
# Automatic renew of the Let's Encrypt certificate
1913
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1749
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1914
EOF
1750
EOF
1915
 
1751
 
1916
# removing the users crons
1752
# removing the users crons
1917
	rm -f /var/spool/cron/*
1753
	rm -f /var/spool/cron/*
1918
} # End cron()
1754
} # End cron()
1919
 
1755
 
1920
##################################################################
1756
##################################################################
1921
## 			Fonction "Fail2Ban"			##
1757
## 			Fonction "Fail2Ban"			##
1922
##- Modification de la configuration de fail2ban		##
1758
##- Modification de la configuration de fail2ban		##
1923
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1759
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1924
##################################################################
1760
##################################################################
1925
fail2ban()
1761
fail2ban()
1926
{
1762
{
1927
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1763
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1928
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1764
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1929
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1765
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1930
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1766
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1931
	chmod 644 /var/log/fail2ban.log
1767
	chmod 644 /var/log/fail2ban.log
1932
	chmod 644 /var/Save/security/watchdog.log
1768
	chmod 644 /var/Save/security/watchdog.log
1933
	/usr/bin/touch /var/log/auth.log
1769
	/usr/bin/touch /var/log/auth.log
1934
# fail2ban unit
1770
# fail2ban unit
1935
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1771
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1936
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1772
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1937
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1773
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1938
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1774
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1939
} # End fail2ban()
1775
} # End fail2ban()
1940
 
1776
 
1941
##################################################################
1777
##################################################################
1942
## 			Fonction "gammu_smsd"			##
1778
## 			Fonction "gammu_smsd"			##
1943
## - Creation de la base de donnée Gammu			##
1779
## - Creation de la base de donnée Gammu			##
1944
## - Creation du fichier de config: gammu_smsd_conf		##
1780
## - Creation du fichier de config: gammu_smsd_conf		##
1945
##################################################################
1781
##################################################################
1946
gammu_smsd()
1782
gammu_smsd()
1947
{
1783
{
1948
# Create 'gammu' databse
1784
# Create 'gammu' databse
1949
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1785
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1950
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1786
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1951
# Add a gammu database structure
1787
# Add a gammu database structure
1952
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1788
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1953
 
1789
 
1954
# Config file for the daemon
1790
# Config file for the daemon
1955
cat << EOF > /etc/gammu_smsd_conf
1791
cat << EOF > /etc/gammu_smsd_conf
1956
[gammu]
1792
[gammu]
1957
port = /dev/ttyUSB0
1793
port = /dev/ttyUSB0
1958
connection = at115200
1794
connection = at115200
1959
 
1795
 
1960
;########################################################
1796
;########################################################
1961
 
1797
 
1962
[smsd]
1798
[smsd]
1963
 
1799
 
1964
PIN = 1234
1800
PIN = 1234
1965
 
1801
 
1966
logfile = /var/log/gammu-smsd/gammu-smsd.log
1802
logfile = /var/log/gammu-smsd/gammu-smsd.log
1967
logformat = textall
1803
logformat = textall
1968
debuglevel = 0
1804
debuglevel = 0
1969
 
1805
 
1970
service = sql
1806
service = sql
1971
driver = native_mysql
1807
driver = native_mysql
1972
user = $DB_USER
1808
user = $DB_USER
1973
password = $radiuspwd
1809
password = $radiuspwd
1974
pc = localhost
1810
pc = localhost
1975
database = $DB_GAMMU
1811
database = $DB_GAMMU
1976
 
1812
 
1977
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1813
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1978
 
1814
 
1979
StatusFrequency = 30
1815
StatusFrequency = 30
1980
;LoopSleep = 2
1816
;LoopSleep = 2
1981
 
1817
 
1982
;ResetFrequency = 300
1818
;ResetFrequency = 300
1983
;HardResetFrequency = 120
1819
;HardResetFrequency = 120
1984
 
1820
 
1985
CheckSecurity = 1
1821
CheckSecurity = 1
1986
CheckSignal = 1
1822
CheckSignal = 1
1987
CheckBattery = 0
1823
CheckBattery = 0
1988
EOF
1824
EOF
1989
 
1825
 
1990
chmod 755 /etc/gammu_smsd_conf
1826
chmod 755 /etc/gammu_smsd_conf
1991
 
1827
 
1992
# Log folder for gammu-smsd
1828
# Log folder for gammu-smsd
1993
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1829
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1994
chmod 755 /var/log/gammu-smsd
1830
chmod 755 /var/log/gammu-smsd
1995
 
1831
 
1996
# Write radius credentials in the gammu script
1832
# Write radius credentials in the gammu script
1997
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1833
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1998
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1834
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1999
 
1835
 
2000
# Udev rule for Huawei GSM MODEM (idVendor: 12d1) --> run "modeswitch" to switch from "mass_storage" mode to "ttyUSB" (modem) mode
1836
# Udev rule for Huawei GSM MODEM (idVendor: 12d1) --> run "modeswitch" to switch from "mass_storage" mode to "ttyUSB" (modem) mode
2001
cat << EOF > /lib/udev/rules.d/66-huawei.rules
1837
cat << EOF > /lib/udev/rules.d/66-huawei.rules
2002
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1838
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2003
EOF
1839
EOF
2004
 
1840
 
2005
} # End gammu_smsd()
1841
} # End gammu_smsd()
2006
 
1842
 
2007
 
1843
 
2008
##################################################################
1844
##################################################################
2009
##			Fonction "msec"				##
1845
##			Fonction "msec"				##
2010
## - Apply the "fileserver" security level			##
1846
## - Apply the "fileserver" security level			##
2011
## - remove the "system request" for rebboting			##
1847
## - remove the "system request" for rebboting			##
2012
## - Fix several file permissions				##
1848
## - Fix several file permissions				##
2013
##################################################################
1849
##################################################################
2014
msec()
1850
msec()
2015
{
1851
{
2016
 
1852
 
2017
# Apply fileserver security level
1853
# Apply fileserver security level
2018
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1854
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2019
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
1855
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2020
 
1856
 
2021
# Set permissions monitoring and enforcement
1857
# Set permissions monitoring and enforcement
2022
cat <<EOF > /etc/security/msec/perm.local
1858
cat <<EOF > /etc/security/msec/perm.local
2023
/var/log/firefwall/                     root.apache     750
1859
/var/log/firefwall/                     root.apache     750
2024
/var/log/firewall/*                     root.apache     640
1860
/var/log/firewall/*                     root.apache     640
2025
/etc/security/msec/perm.local           root.root       640
1861
/etc/security/msec/perm.local           root.root       640
2026
/etc/security/msec/level.local          root.root       640
1862
/etc/security/msec/level.local          root.root       640
2027
/etc/freeradius-web                     root.apache     750
1863
/etc/freeradius-web                     root.apache     750
2028
/etc/freeradius-web/admin.conf          root.apache     640
1864
/etc/freeradius-web/admin.conf          root.apache     640
2029
/etc/raddb/client.conf                  radius.radius   640
1865
/etc/raddb/client.conf                  radius.radius   640
2030
/etc/raddb/radius.conf                  radius.radius   640
1866
/etc/raddb/radius.conf                  radius.radius   640
2031
/etc/raddb/mods-available/ldap          radius.apache   660
1867
/etc/raddb/mods-available/ldap          radius.apache   660
2032
/etc/raddb/sites-available/alcasar      radius.apache   660
1868
/etc/raddb/sites-available/alcasar      radius.apache   660
2033
/etc/pki/*                              root.apache     750
1869
/etc/pki/*                              root.apache     750
2034
/var/log/netflow/porttracker            root.apache     770
1870
/var/log/netflow/porttracker            root.apache     770
2035
/var/log/netflow/porttracker/*          root.apache     660
1871
/var/log/netflow/porttracker/*          root.apache     660
2036
EOF
1872
EOF
2037
# apply now hourly & daily checks
1873
# apply now hourly & daily checks
2038
/usr/sbin/msec
1874
/usr/sbin/msec
2039
/etc/cron.weekly/msec
1875
/etc/cron.weekly/msec
2040
 
1876
 
2041
} # End msec()
1877
} # End msec()
2042
 
1878
 
2043
 
1879
 
2044
##################################################################
1880
##################################################################
2045
##			Fonction "letsencrypt"			##
1881
##			Fonction "letsencrypt"			##
2046
## - Install Let's Encrypt client				##
1882
## - Install Let's Encrypt client				##
2047
## - Prepare Let's Encrypt ALCASAR configuration file		##
1883
## - Prepare Let's Encrypt ALCASAR configuration file		##
2048
##################################################################
1884
##################################################################
2049
letsencrypt()
1885
letsencrypt()
2050
{
1886
{
2051
	echo "Installing Let's Encrypt client..."
1887
	echo "Installing Let's Encrypt client..."
2052
 
1888
 
2053
	# Extract acme.sh
1889
	# Extract acme.sh
2054
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
1890
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2055
 
1891
 
2056
	pwdInstall=$(pwd)
1892
	pwdInstall=$(pwd)
2057
	cd /tmp/acme.sh-*
1893
	cd /tmp/acme.sh-*
2058
 
1894
 
2059
	acmesh_installDir="/opt/acme.sh"
1895
	acmesh_installDir="/opt/acme.sh"
2060
	acmesh_confDir="/usr/local/etc/letsencrypt"
1896
	acmesh_confDir="/usr/local/etc/letsencrypt"
2061
	acmesh_userAgent="ALCASAR"
1897
	acmesh_userAgent="ALCASAR"
2062
 
1898
 
2063
	# Install acme.sh
1899
	# Install acme.sh
2064
	./acme.sh --install \
1900
	./acme.sh --install \
2065
		--home $acmesh_installDir \
1901
		--home $acmesh_installDir \
2066
		--config-home $acmesh_confDir/data \
1902
		--config-home $acmesh_confDir/data \
2067
		--certhome $acmesh_confDir/certs \
1903
		--certhome $acmesh_confDir/certs \
2068
		--accountkey $acmesh_confDir/ca/account.key \
1904
		--accountkey $acmesh_confDir/ca/account.key \
2069
		--accountconf $acmesh_confDir/data/account.conf \
1905
		--accountconf $acmesh_confDir/data/account.conf \
2070
		--useragent $acmesh_userAgent \
1906
		--useragent $acmesh_userAgent \
2071
		--nocron \
1907
		--nocron \
2072
		> /dev/null
1908
		> /dev/null
2073
 
1909
 
2074
	if [ $? -ne 0 ]; then
1910
	if [ $? -ne 0 ]; then
2075
		echo "Error during installation of Let's Encrypt client (acme.sh)."
1911
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2076
	fi
1912
	fi
2077
 
1913
 
2078
	# Create configuration file
1914
	# Create configuration file
2079
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
1915
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2080
email=
1916
email=
2081
dateIssueRequest=
1917
dateIssueRequest=
2082
domainRequest=
1918
domainRequest=
2083
challenge=
1919
challenge=
2084
dateIssued=
1920
dateIssued=
2085
dnsapi=
1921
dnsapi=
2086
dateNextRenewal=
1922
dateNextRenewal=
2087
EOF
1923
EOF
2088
 
1924
 
2089
	cd $pwdInstall
1925
	cd $pwdInstall
2090
	rm -rf /tmp/acme.sh-*
1926
	rm -rf /tmp/acme.sh-*
2091
 
1927
 
2092
} # END letsencrypt()
1928
} # END letsencrypt()
2093
 
1929
 
2094
##################################################################
1930
##################################################################
2095
##		Fonction "post_install"			##
1931
##		Fonction "post_install"			##
2096
## - Modifying banners (locals et ssh) & prompts	##
1932
## - Modifying banners (locals et ssh) & prompts	##
2097
## - SSH config						##
1933
## - SSH config						##
2098
## - sudoers config & files security			##
1934
## - sudoers config & files security			##
2099
## - log rotate & ANSSI security parameters		##
1935
## - log rotate & ANSSI security parameters		##
2100
## - Apply former conf in case of an update		##
1936
## - Apply former conf in case of an update		##
2101
##########################################################
1937
##########################################################
2102
post_install()
1938
post_install()
2103
{
1939
{
2104
# change the SSH banner
1940
# change the SSH banner
2105
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1941
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2106
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1942
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2107
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1943
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2108
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1944
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2109
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1945
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2110
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1946
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2111
# postfix banner anonymisation
1947
# postfix banner anonymisation
2112
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1948
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
2113
	chown -R postfix:postfix /var/lib/postfix
1949
	chown -R postfix:postfix /var/lib/postfix
2114
# sshd liste on EXTIF & INTIF
1950
# sshd liste on EXTIF & INTIF
2115
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1951
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2116
# sshd authorized certificate for root login
1952
# sshd authorized certificate for root login
2117
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1953
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2118
# ALCASAR conf file
1954
# ALCASAR conf file
2119
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
1955
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
2120
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
1956
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2121
	echo "SSH=on" >> $CONF_FILE
1957
	echo "SSH=on" >> $CONF_FILE
2122
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1958
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2123
	echo "LDAP=off" >> $CONF_FILE
1959
	echo "LDAP=off" >> $CONF_FILE
2124
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
1960
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2125
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
1961
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2126
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
1962
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2127
	echo "LDAP_FILTER=" >> $CONF_FILE
1963
	echo "LDAP_FILTER=" >> $CONF_FILE
2128
	echo "LDAP_USER=alcasar" >> $CONF_FILE
1964
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2129
	echo "LDAP_PASSWORD=" >> $CONF_FILE
1965
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2130
	echo "MULTIWAN=off" >> $CONF_FILE
1966
	echo "MULTIWAN=off" >> $CONF_FILE
2131
	echo "FAILOVER=30" >> $CONF_FILE
1967
	echo "FAILOVER=30" >> $CONF_FILE
2132
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1968
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2133
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1969
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2134
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1970
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2135
# Prompt customisation (colors)
1971
# Prompt customisation (colors)
2136
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1972
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2137
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1973
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2138
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1974
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2139
# sudoers configuration for "apache" & "sysadmin"
1975
# sudoers configuration for "apache" & "sysadmin"
2140
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1976
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2141
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1977
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2142
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1978
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2143
# Modify some logrotate files (gammu, ulogd)
1979
# Modify some logrotate files (gammu, ulogd)
2144
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1980
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2145
	chmod 644 /etc/logrotate.d/*
1981
	chmod 644 /etc/logrotate.d/*
2146
# Log compression
1982
# Log compression
2147
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1983
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2148
# actualisation des fichiers logs compressés
1984
# actualisation des fichiers logs compressés
2149
	for dir in firewall dansguardian httpd
1985
	for dir in firewall dansguardian lighttpd
2150
	do
1986
	do
2151
		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1987
		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2152
	done
1988
	done
2153
# create the alcasar-load_balancing unit
1989
# create the alcasar-load_balancing unit
2154
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1990
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2155
#  This file is part of systemd.
1991
#  This file is part of systemd.
2156
#
1992
#
2157
#  systemd is free software; you can redistribute it and/or modify it
1993
#  systemd is free software; you can redistribute it and/or modify it
2158
#  under the terms of the GNU General Public License as published by
1994
#  under the terms of the GNU General Public License as published by
2159
#  the Free Software Foundation; either version 2 of the License, or
1995
#  the Free Software Foundation; either version 2 of the License, or
2160
#  (at your option) any later version.
1996
#  (at your option) any later version.
2161
 
1997
 
2162
# This unit lauches alcasar-load-balancing.sh script.
1998
# This unit lauches alcasar-load-balancing.sh script.
2163
[Unit]
1999
[Unit]
2164
Description=alcasar-load_balancing.sh execution
2000
Description=alcasar-load_balancing.sh execution
2165
After=network.target iptables.service
2001
After=network.target iptables.service
2166
 
2002
 
2167
[Service]
2003
[Service]
2168
Type=oneshot
2004
Type=oneshot
2169
RemainAfterExit=yes
2005
RemainAfterExit=yes
2170
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2006
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2171
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2007
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2172
TimeoutSec=0
2008
TimeoutSec=0
2173
SysVStartPriority=99
2009
SysVStartPriority=99
2174
 
2010
 
2175
[Install]
2011
[Install]
2176
WantedBy=multi-user.target
2012
WantedBy=multi-user.target
2177
EOF
2013
EOF
2178
# processes launched at boot time (Systemctl)
2014
# processes launched at boot time (Systemctl)
2179
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2015
	for i in alcasar-load_balancing mysqld lighttpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2180
	do
2016
	do
2181
		/usr/bin/systemctl -q enable $i.service
2017
		/usr/bin/systemctl -q enable $i.service
2182
	done
2018
	done
2183
 
2019
 
2184
# disable processes at boot time (Systemctl)
2020
# disable processes at boot time (Systemctl)
2185
	for i in ulogd gpm
2021
	for i in ulogd gpm
2186
	do
2022
	do
2187
		/usr/bin/systemctl -q disable $i.service
2023
		/usr/bin/systemctl -q disable $i.service
2188
	done
2024
	done
2189
 
2025
 
2190
# Apply French Security Agency (ANSSI) rules
2026
# Apply French Security Agency (ANSSI) rules
2191
# ignore ICMP broadcast (smurf attack)
2027
# ignore ICMP broadcast (smurf attack)
2192
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2028
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2193
# ignore ICMP errors bogus
2029
# ignore ICMP errors bogus
2194
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2030
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2195
# remove ICMP redirects responces
2031
# remove ICMP redirects responces
2196
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2032
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2197
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2033
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2198
# enable SYN Cookies (Syn flood attacks)
2034
# enable SYN Cookies (Syn flood attacks)
2199
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2035
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2200
# enable kernel antispoofing
2036
# enable kernel antispoofing
2201
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2037
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2202
# ignore source routing
2038
# ignore source routing
2203
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2039
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2204
# set conntrack timer to 1h (3600s) instead of 5 weeks
2040
# set conntrack timer to 1h (3600s) instead of 5 weeks
2205
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2041
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2206
# disable log_martians (ALCASAR is often installed between two private network addresses)
2042
# disable log_martians (ALCASAR is often installed between two private network addresses)
2207
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2043
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2208
# disable iptables_helpers
2044
# disable iptables_helpers
2209
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2045
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2210
# Switch to the router mode
2046
# Switch to the router mode
2211
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2047
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2212
# Remove unused service ipv6
2048
# Remove unused service ipv6
2213
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2049
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2214
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2050
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2215
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2051
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2216
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2052
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2217
# switch to multi-users runlevel (instead of x11)
2053
# switch to multi-users runlevel (instead of x11)
2218
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2054
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2219
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2055
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2220
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2056
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2221
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2057
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2222
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2058
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2223
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2059
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2224
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2060
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2225
	if [ $vm_vga == 0 ] # is not a VM
2061
	if [ $vm_vga == 0 ] # is not a VM
2226
	then
2062
	then
2227
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2063
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2228
		echo >> /etc/mageia-release
2064
		echo >> /etc/mageia-release
2229
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2065
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2230
	fi
2066
	fi
2231
	if [ $Lang == "fr" ]
2067
	if [ $Lang == "fr" ]
2232
	then
2068
	then
2233
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2069
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2234
		echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2070
		echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2235
	else
2071
	else
2236
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2072
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2237
		echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2073
		echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2238
	fi
2074
	fi
2239
	/usr/bin/update-grub2
2075
	/usr/bin/update-grub2
2240
# Load and apply the previous conf file
2076
# Load and apply the previous conf file
2241
	if [ "$mode" = "update" ]
2077
	if [ "$mode" = "update" ]
2242
	then
2078
	then
2243
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2079
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2244
		$DIR_DEST_BIN/alcasar-conf.sh --load
2080
		$DIR_DEST_BIN/alcasar-conf.sh --load
2245
		PARENT_SCRIPT=`basename $0`
2081
		PARENT_SCRIPT=`basename $0`
2246
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2082
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2247
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2083
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2248
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2084
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2249
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2085
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2250
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2086
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2251
	fi
2087
	fi
2252
	rm -f /tmp/alcasar-conf*
2088
	rm -f /tmp/alcasar-conf*
2253
	chown -R root:apache $DIR_DEST_ETC/*
2089
	chown -R root:apache $DIR_DEST_ETC/*
2254
	chmod -R 660 $DIR_DEST_ETC/*
2090
	chmod -R 660 $DIR_DEST_ETC/*
2255
	chmod ug+x $DIR_DEST_ETC/digest
2091
	chmod ug+x $DIR_DEST_ETC/digest
2256
	cd $DIR_INSTALL
2092
	cd $DIR_INSTALL
2257
	echo ""
2093
	echo ""
2258
	echo "#############################################################################"
2094
	echo "#############################################################################"
2259
	if [ $Lang == "fr" ]
2095
	if [ $Lang == "fr" ]
2260
		then
2096
		then
2261
		echo "#                        Fin d'installation d'ALCASAR                       #"
2097
		echo "#                        Fin d'installation d'ALCASAR                       #"
2262
		echo "#                                                                           #"
2098
		echo "#                                                                           #"
2263
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2099
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2264
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2100
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2265
		echo "#                                                                           #"
2101
		echo "#                                                                           #"
2266
		echo "#############################################################################"
2102
		echo "#############################################################################"
2267
		echo
2103
		echo
2268
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2104
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2269
		echo
2105
		echo
2270
		echo "- Lisez attentivement la documentation d'exploitation"
2106
		echo "- Lisez attentivement la documentation d'exploitation"
2271
		echo
2107
		echo
2272
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2108
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2273
		echo
2109
		echo
2274
		echo "                   Appuyez sur 'Entrée' pour continuer"
2110
		echo "                   Appuyez sur 'Entrée' pour continuer"
2275
	else
2111
	else
2276
		echo "#                        End of ALCASAR install process                     #"
2112
		echo "#                        End of ALCASAR install process                     #"
2277
		echo "#                                                                           #"
2113
		echo "#                                                                           #"
2278
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2114
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2279
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2115
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2280
		echo "#                                                                           #"
2116
		echo "#                                                                           #"
2281
		echo "#############################################################################"
2117
		echo "#############################################################################"
2282
		echo
2118
		echo
2283
		echo "- The system will be rebooted in order to operate ALCASAR"
2119
		echo "- The system will be rebooted in order to operate ALCASAR"
2284
		echo
2120
		echo
2285
		echo "- Read the exploitation documentation"
2121
		echo "- Read the exploitation documentation"
2286
		echo
2122
		echo
2287
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2123
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2288
		echo
2124
		echo
2289
		echo "                   Hit 'Enter' to continue"
2125
		echo "                   Hit 'Enter' to continue"
2290
	fi
2126
	fi
2291
	sleep 2
2127
	sleep 2
2292
	if [ "$mode" != "update" ]
2128
	if [ "$mode" != "update" ]
2293
	then
2129
	then
2294
		read a
2130
		read a
2295
	fi
2131
	fi
2296
	clear
2132
	clear
2297
	reboot
2133
	reboot
2298
} # End post_install ()
2134
} # End post_install ()
2299
 
2135
 
2300
#################################
2136
#################################
2301
#  	Main Install loop  	#
2137
#  	Main Install loop  	#
2302
#################################
2138
#################################
2303
dir_exec=`dirname "$0"`
2139
dir_exec=`dirname "$0"`
2304
if [ $dir_exec != "." ]
2140
if [ $dir_exec != "." ]
2305
then
2141
then
2306
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2142
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2307
	echo "Launch this program from the ALCASAR archive directory"
2143
	echo "Launch this program from the ALCASAR archive directory"
2308
	exit 0
2144
	exit 0
2309
fi
2145
fi
2310
if [[ $EUID > 0 ]]
2146
if [[ $EUID > 0 ]]
2311
then
2147
then
2312
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2148
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2313
	echo "You must be "root" to install ALCASAR ('su' command)"
2149
	echo "You must be "root" to install ALCASAR ('su' command)"
2314
	exit 0
2150
	exit 0
2315
fi
2151
fi
2316
VERSION=`cat $DIR_INSTALL/VERSION`
2152
VERSION=`cat $DIR_INSTALL/VERSION`
2317
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2153
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2318
nb_args=$#
2154
nb_args=$#
2319
args=$1
2155
args=$1
2320
if [ $nb_args -eq 0 ]
2156
if [ $nb_args -eq 0 ]
2321
then
2157
then
2322
	nb_args=1
2158
	nb_args=1
2323
	args="-h"
2159
	args="-h"
2324
fi
2160
fi
2325
chmod -R u+x $DIR_SCRIPTS/*
2161
chmod -R u+x $DIR_SCRIPTS/*
2326
case $args in
2162
case $args in
2327
	-\? | -h* | --h*)
2163
	-\? | -h* | --h*)
2328
		echo "$usage"
2164
		echo "$usage"
2329
		exit 0
2165
		exit 0
2330
		;;
2166
		;;
2331
	-i | --install)
2167
	-i | --install)
2332
		header_install
2168
		header_install
2333
		license
2169
		license
2334
		header_install
2170
		header_install
2335
		testing
2171
		testing
2336
# RPMs install
2172
# RPMs install
2337
		$DIR_SCRIPTS/alcasar-urpmi.sh
2173
		$DIR_SCRIPTS/alcasar-urpmi.sh
2338
		if [ "$?" != "0" ]
2174
		if [ "$?" != "0" ]
2339
		then
2175
		then
2340
			exit 0
2176
			exit 0
2341
		fi
2177
		fi
2342
		if [ -e $CONF_FILE ]
2178
		if [ -e $CONF_FILE ]
2343
		then
2179
		then
2344
# Uninstall or update the running version
2180
# Uninstall or update the running version
2345
			if [ "$mode" == "update" ]
2181
			if [ "$mode" == "update" ]
2346
			then
2182
			then
2347
				$DIR_SCRIPTS/alcasar-uninstall.sh -update
2183
				$DIR_SCRIPTS/alcasar-uninstall.sh -update
2348
			else
2184
			else
2349
				$DIR_SCRIPTS/alcasar-uninstall.sh -full
2185
				$DIR_SCRIPTS/alcasar-uninstall.sh -full
2350
			fi
2186
			fi
2351
		fi
2187
		fi
2352
	if [ $DEBUG_ALCASAR == "on" ]
2188
	if [ $DEBUG_ALCASAR == "on" ]
2353
	then
2189
	then
2354
		echo "*** 'debug' : end of cleaning ***"
2190
		echo "*** 'debug' : end of cleaning ***"
2355
		read a
2191
		read a
2356
	fi
2192
	fi
2357
# Test if manual update
2193
# Test if manual update
2358
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2194
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2359
		then
2195
		then
2360
			header_install
2196
			header_install
2361
			if [ $Lang == "fr" ]
2197
			if [ $Lang == "fr" ]
2362
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2198
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2363
				else echo "The configuration file of an old version has been found";
2199
				else echo "The configuration file of an old version has been found";
2364
			fi
2200
			fi
2365
			response=0
2201
			response=0
2366
			PTN='^[oOnNyY]$'
2202
			PTN='^[oOnNyY]$'
2367
			until [[ $(expr $response : $PTN) -gt 0 ]]
2203
			until [[ $(expr $response : $PTN) -gt 0 ]]
2368
			do
2204
			do
2369
				if [ $Lang == "fr" ]
2205
				if [ $Lang == "fr" ]
2370
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2206
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2371
					else echo -n "Do you want to use it (Y/n)?";
2207
					else echo -n "Do you want to use it (Y/n)?";
2372
				 fi
2208
				 fi
2373
				read response
2209
				read response
2374
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2210
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2375
				then rm -f /tmp/alcasar-conf*
2211
				then rm -f /tmp/alcasar-conf*
2376
				fi
2212
				fi
2377
			done
2213
			done
2378
		fi
2214
		fi
2379
# Test if update
2215
# Test if update
2380
		if [ -e /tmp/alcasar-conf* ]
2216
		if [ -e /tmp/alcasar-conf* ]
2381
		then
2217
		then
2382
			if [ $Lang == "fr" ]
2218
			if [ $Lang == "fr" ]
2383
				then echo "#### Installation avec mise à jour ####";
2219
				then echo "#### Installation avec mise à jour ####";
2384
				else echo "#### Installation with update     ####";
2220
				else echo "#### Installation with update     ####";
2385
			fi
2221
			fi
2386
# Extract the central configuration file
2222
# Extract the central configuration file
2387
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
2223
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
2388
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2224
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2389
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2225
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2390
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2226
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2391
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2227
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2392
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2228
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2393
			mode="update"
2229
			mode="update"
2394
		fi
2230
		fi
2395
		for func in init network ACC CA time_server init_db freeradius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
2231
		for func in init network ACC CA time_server init_db freeradius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
2396
		do
2232
		do
2397
			$func
2233
			$func
2398
			if [ $DEBUG_ALCASAR == "on" ]
2234
			if [ $DEBUG_ALCASAR == "on" ]
2399
				then
2235
				then
2400
				echo "*** 'debug' : end of install '$func' ***"
2236
				echo "*** 'debug' : end of install '$func' ***"
2401
				read a
2237
				read a
2402
			fi
2238
			fi
2403
		done
2239
		done
2404
		;;
2240
		;;
2405
	-u | --uninstall)
2241
	-u | --uninstall)
2406
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2242
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2407
		then
2243
		then
2408
			if [ $Lang == "fr" ]
2244
			if [ $Lang == "fr" ]
2409
				then echo "ALCASAR n'est pas installé!";
2245
				then echo "ALCASAR n'est pas installé!";
2410
				else echo "ALCASAR isn't installed!";
2246
				else echo "ALCASAR isn't installed!";
2411
			fi
2247
			fi
2412
			exit 0
2248
			exit 0
2413
		fi
2249
		fi
2414
		response=0
2250
		response=0
2415
		PTN='^[oOnN]$'
2251
		PTN='^[oOnN]$'
2416
		until [[ $(expr $response : $PTN) -gt 0 ]]
2252
		until [[ $(expr $response : $PTN) -gt 0 ]]
2417
		do
2253
		do
2418
			if [ $Lang == "fr" ]
2254
			if [ $Lang == "fr" ]
2419
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2255
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2420
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2256
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2421
			fi
2257
			fi
2422
			read response
2258
			read response
2423
		done
2259
		done
2424
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2260
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2425
		then
2261
		then
2426
			$DIR_SCRIPTS/alcasar-conf.sh --create
2262
			$DIR_SCRIPTS/alcasar-conf.sh --create
2427
		else
2263
		else
2428
			rm -f /tmp/alcasar-conf*
2264
			rm -f /tmp/alcasar-conf*
2429
		fi
2265
		fi
2430
# Uninstall the running version
2266
# Uninstall the running version
2431
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2267
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2432
		;;
2268
		;;
2433
	*)
2269
	*)
2434
		echo "Argument inconnu :$1";
2270
		echo "Argument inconnu :$1";
2435
		echo "Unknown argument :$1";
2271
		echo "Unknown argument :$1";
2436
		echo "$usage"
2272
		echo "$usage"
2437
		exit 1
2273
		exit 1
2438
		;;
2274
		;;
2439
esac
2275
esac
2440
# end of script
2276
# end of script
2441
 
2277
 
2442
 
2278