Subversion Repositories ALCASAR

Rev

Rev 2549 | Rev 2558 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2549 Rev 2552
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2549 2018-05-06 02:27:57Z tom.houdayer $
2
#  $Id: alcasar.sh 2552 2018-05-08 22:21:47Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
 
26
 
27
# Functions :
27
# Functions :
28
#	testing			: connectivity tests, free space test and mageia version test
28
#	testing			: connectivity tests, free space test and mageia version test
29
#	init			: Installation of RPM and scripts
29
#	init			: Installation of RPM and scripts
30
#	network			: Network parameters
30
#	network			: Network parameters
31
#	ACC			: ALCASAR Control Center installation
31
#	ACC				: ALCASAR Control Center installation
32
#	CA			: Certification Authority initialization
32
#	CA				: Certification Authority initialization
33
#	time_server		: NTPd configuration
33
#	time_server		: NTPd configuration
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	freeradius		: FreeRadius initialisation
35
#	freeradius		: FreeRadius initialisation
36
#	chilli			: coovachilli initialisation (+authentication page)
36
#	chilli			: coovachilli initialisation (+authentication page)
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
38
#	antivirus		: HAVP + libclamav configuration
38
#	antivirus		: HAVP + libclamav configuration
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	nfsen			: Configuration of Nfsen Netflow grapher
41
#	nfsen			: Configuration of Nfsen Netflow grapher
42
#	dnsmasq			: Name server configuration
42
#	dnsmasq			: Name server configuration
43
#	vnstat			: little network stat daemon
43
#	vnstat			: little network stat daemon
44
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
44
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
45
#	cron			: Logs export + watchdog + connexion statistics
45
#	cron			: Logs export + watchdog + connexion statistics
46
#	fail2ban		: Fail2ban IDS installation and configuration
46
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
47
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	msec			: Mandriva security package configuration
48
#	msec			: Mandriva security package configuration
49
#	letsencrypt		: Let's Encrypt client
49
#	letsencrypt		: Let's Encrypt client
50
#	post_install		: Security, log rotation, etc.
50
#	post_install	: Security, log rotation, etc.
51
 
51
 
52
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
52
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
53
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE=`date '+%d %B %Y - %Hh%M'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
55
Lang=`echo $LANG|cut -c 1-2`
55
Lang=`echo $LANG|cut -c 1-2`
56
mode="install"
56
mode="install"
57
# ******* Files parameters - paramètres fichiers *********
57
# ******* Files parameters - paramètres fichiers *********
58
DIR_INSTALL=`pwd`				# current directory
58
DIR_INSTALL=`pwd`						# current directory
59
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
62
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
62
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
63
DIR_WEB="/var/www/html"				# directory of Lighttpd
63
DIR_WEB="/var/www/html"					# directory of Lighttpd
64
DIR_DG="/etc/e2guardian"			# directory of E2Guardian
64
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
65
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
65
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
66
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
67
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
68
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
68
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
71
# ******* DBMS parameters - paramètres SGBD ********
71
# ******* DBMS parameters - paramètres SGBD ********
72
DB_RADIUS="radius"				# database name used by FreeRadius server
72
DB_RADIUS="radius"						# database name used by FreeRadius server
73
DB_USER="radius"				# user name allows to request the users database
73
DB_USER="radius"						# user name allows to request the users database
74
DB_GAMMU="gammu"				# database name used by Gammu-smsd
74
DB_GAMMU="gammu"						# database name used by Gammu-smsd
75
# ******* Network parameters - paramètres réseau *******
75
# ******* Network parameters - paramètres réseau *******
76
HOSTNAME="alcasar"				# default hostname
76
HOSTNAME="alcasar"						# default hostname
77
DOMAIN="localdomain"				# default local domain
77
DOMAIN="localdomain"					# default local domain
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`		# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
80
MTU="1500"
80
MTU="1500"
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
82
# ****** Paths - chemin des commandes *******
82
# ****** Paths - chemin des commandes *******
83
SED="/bin/sed -i"
83
SED="/bin/sed -i"
84
# ****************** End of global parameters *********************
84
# ****************** End of global parameters *********************
85
 
85
 
86
license ()
86
license ()
87
{
87
{
88
	if [ $Lang == "fr" ]
88
	if [ $Lang == "fr" ]
89
	then
89
	then
90
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
91
	else
91
	else
92
		cat $DIR_INSTALL/gpl-warning.txt | more
92
		cat $DIR_INSTALL/gpl-warning.txt | more
93
	fi
93
	fi
94
	response=0
94
	response=0
95
	PTN='^[oOyYnN]$'
95
	PTN='^[oOyYnN]$'
96
	until [[ $(expr $response : $PTN) -gt 0 ]]
96
	until [[ $(expr $response : $PTN) -gt 0 ]]
97
	do
97
	do
98
		if [ $Lang == "fr" ]
98
		if [ $Lang == "fr" ]
99
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
100
			else echo -n "Do you accept the terms of this license (Y/n)? : "
100
			else echo -n "Do you accept the terms of this license (Y/n)? : "
101
		fi
101
		fi
102
		read response
102
		read response
103
	done
103
	done
104
	if [ "$response" = "n" ] || [ "$response" = "N" ]
104
	if [ "$response" = "n" ] || [ "$response" = "N" ]
105
	then
105
	then
106
		exit 1
106
		exit 1
107
	fi
107
	fi
108
}
108
}
109
 
109
 
110
header_install ()
110
header_install ()
111
{
111
{
112
	clear
112
	clear
113
	echo "-----------------------------------------------------------------------------"
113
	echo "-----------------------------------------------------------------------------"
114
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "                     ALCASAR V$VERSION Installation"
115
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
	echo "-----------------------------------------------------------------------------"
116
	echo "-----------------------------------------------------------------------------"
117
}
117
}
118
 
118
 
119
##################################################################
119
########################################################
120
##			Function "testing"			##
120
##                  Function "testing"                ##
121
## - Test of Mageia version					##
121
## - Test Mageia version                              ##
122
## - Test of ALCASAR version (if already installed)		##
122
## - Test ALCASAR version (if already installed)      ##
123
## - Test of free space on /var  (>10G)				##
123
## - Test free space on /var  (>10G)                  ##
124
## - Test of Internet access					##
124
## - Test Internet access                             ##
125
##################################################################
125
########################################################
126
testing ()
126
testing ()
127
{
127
{
128
# Test of Mageia version
128
# Test of Mageia version
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
	fic=`cat /etc/product.id`
130
	fic=`cat /etc/product.id`
131
	unknown_os=0
131
	unknown_os=0
132
	old="$IFS"
132
	old="$IFS"
133
	IFS=","
133
	IFS=","
134
	set $fic
134
	set $fic
135
	for i in $*
135
	for i in $*
136
	do
136
	do
137
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
			then
138
			then
139
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
			unknown_os=`expr $unknown_os + 1`
140
			unknown_os=`expr $unknown_os + 1`
141
		fi
141
		fi
142
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
143
			then
143
			then
144
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
145
			unknown_os=`expr $unknown_os + 1`
145
			unknown_os=`expr $unknown_os + 1`
146
		fi
146
		fi
147
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
148
			then
148
			then
149
			ARCH=`echo $i|cut -d"=" -f2`
149
			ARCH=`echo $i|cut -d"=" -f2`
150
			unknown_os=`expr $unknown_os + 1`
150
			unknown_os=`expr $unknown_os + 1`
151
		fi
151
		fi
152
	done
152
	done
153
	if [ "$ARCH" == "i586" ]
153
	if [ "$ARCH" == "i586" ]
154
		then
154
		then
155
		if [ $Lang == "fr" ]
155
		if [ $Lang == "fr" ]
156
			then echo -n "Votre architecture matérielle doit être en 64bits"
156
			then echo -n "Votre architecture matérielle doit être en 64bits"
157
			else echo -n "You hardware architecture must be 64bits"
157
			else echo -n "You hardware architecture must be 64bits"
158
		fi
158
		fi
159
		exit 1
159
		exit 1
160
	fi
160
	fi
161
	IFS="$old"
161
	IFS="$old"
162
# Test if ALCASAR is already installed
162
# Test if ALCASAR is already installed
163
	if [ -e $CONF_FILE ]
163
	if [ -e $CONF_FILE ]
164
	then
164
	then
165
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
165
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
166
		if [ $Lang == "fr" ]
166
		if [ $Lang == "fr" ]
167
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
167
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
168
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
168
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
169
		fi
169
		fi
170
		response=0
170
		response=0
171
		PTN='^[12]$'
171
		PTN='^[12]$'
172
		until [[ $(expr $response : $PTN) -gt 0 ]]
172
		until [[ $(expr $response : $PTN) -gt 0 ]]
173
		do
173
		do
174
			if [ $Lang == "fr" ]
174
			if [ $Lang == "fr" ]
175
			then
175
			then
176
				echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
176
				echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
177
			else
177
			else
178
				echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
178
				echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
179
			fi
179
			fi
180
			read response
180
			read response
181
		done
181
		done
182
		if [ "$response" = "2" ]
182
		if [ "$response" = "2" ]
183
		then
183
		then
184
			rm -f /tmp/alcasar-conf*
184
			rm -f /tmp/alcasar-conf*
185
		else
185
		else
186
# Retrieve former NICname
186
# Retrieve former NICname
187
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
187
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
188
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
188
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
189
			[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
189
			[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
190
			[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
190
			[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
191
# Create the current conf file
191
# Create the current conf file
192
			$DIR_SCRIPTS/alcasar-conf.sh --create
192
			$DIR_SCRIPTS/alcasar-conf.sh --create
193
			mode="update"
193
			mode="update"
194
		fi
194
		fi
195
	fi
195
	fi
196
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
196
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
197
		then
197
		then
198
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
198
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
199
			then
199
			then
200
			echo
200
			echo
201
			if [ $Lang == "fr" ]
201
			if [ $Lang == "fr" ]
202
				then
202
				then
203
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
203
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
204
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
204
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
205
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
205
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
206
				echo "3 - Importez votre base des usagers"
206
				echo "3 - Importez votre base des usagers"
207
			else
207
			else
208
				echo "The automatic update of ALCASAR can't be performed."
208
				echo "The automatic update of ALCASAR can't be performed."
209
				echo "1 - Save your traceability files and the user database"
209
				echo "1 - Save your traceability files and the user database"
210
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
210
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
211
				echo "3 - Import your users database"
211
				echo "3 - Import your users database"
212
			fi
212
			fi
213
		else
213
		else
214
			if [ $Lang == "fr" ]
214
			if [ $Lang == "fr" ]
215
				then
215
				then
216
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
216
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
217
			else
217
			else
218
				echo "The installation of ALCASAR can't be performed."
218
				echo "The installation of ALCASAR can't be performed."
219
			fi
219
			fi
220
		fi
220
		fi
221
		echo
221
		echo
222
		if [ $Lang == "fr" ]
222
		if [ $Lang == "fr" ]
223
			then
223
			then
224
			echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
224
			echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
225
		else
225
		else
226
			echo "The OS must be replaced (Mageia6-64bits)"
226
			echo "The OS must be replaced (Mageia6-64bits)"
227
		fi
227
		fi
228
		exit 0
228
		exit 0
229
	fi
229
	fi
230
	if [ ! -d /var/log/netflow/porttracker ]
230
	if [ ! -d /var/log/netflow/porttracker ]
231
		then
231
		then
232
# Test free space on /var
232
# Test free space on /var
233
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
233
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
234
		if [ $free_space -lt 10 ]
234
		if [ $free_space -lt 10 ]
235
			then
235
			then
236
			if [ $Lang == "fr" ]
236
			if [ $Lang == "fr" ]
237
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
237
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
238
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
238
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
239
			fi
239
			fi
240
		exit 0
240
		exit 0
241
		fi
241
		fi
242
	fi
242
	fi
243
	if [ $Lang == "fr" ]
243
	if [ $Lang == "fr" ]
244
		then echo -n "Tests des paramètres réseau : "
244
		then echo -n "Tests des paramètres réseau : "
245
		else echo -n "Network parameters tests: "
245
		else echo -n "Network parameters tests: "
246
	fi
246
	fi
247
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
247
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
248
	cd /etc/sysconfig/network-scripts/
248
	cd /etc/sysconfig/network-scripts/
249
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
249
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
250
	for i in $IF_INTERFACES
250
	for i in $IF_INTERFACES
251
	do
251
	do
252
		if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
252
		if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
253
			rm -f ifcfg-$i
253
			rm -f ifcfg-$i
254
 
254
 
255
			if [ $Lang == "fr" ]
255
			if [ $Lang == "fr" ]
256
				then echo "Suppression : ifcfg-$i"
256
				then echo "Suppression : ifcfg-$i"
257
				else echo "Deleting: ifcfg-$i"
257
				else echo "Deleting: ifcfg-$i"
258
			fi
258
			fi
259
		fi
259
		fi
260
	done
260
	done
261
	cd $DIR_INSTALL
261
	cd $DIR_INSTALL
262
	echo -n "."
262
	echo -n "."
263
# Test Ethernet NIC links state
263
# Test Ethernet NIC links state
264
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
264
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
265
	for i in $DOWN_IF
265
	for i in $DOWN_IF
266
	do
266
	do
267
		echo $i
267
		echo $i
268
		if [ $Lang == "fr" ]
268
		if [ $Lang == "fr" ]
269
		then
269
		then
270
			echo "Échec"
270
			echo "Échec"
271
			echo "Le lien réseau de la carte $i n'est pas actif."
271
			echo "Le lien réseau de la carte $i n'est pas actif."
272
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
272
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
273
		else
273
		else
274
			echo "Failed"
274
			echo "Failed"
275
			echo "The link state of $i interface is down."
275
			echo "The link state of $i interface is down."
276
			echo "Make sure that this network card is connected to a switch or an A.P."
276
			echo "Make sure that this network card is connected to a switch or an A.P."
277
		fi
277
		fi
278
		exit 0
278
		exit 0
279
	done
279
	done
280
	echo -n "."
280
	echo -n "."
281
# Test EXTIF config files
281
# Test EXTIF config files
282
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
282
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
283
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
283
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
284
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
284
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
285
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
285
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
286
	then
286
	then
287
		if [ $Lang == "fr" ]
287
		if [ $Lang == "fr" ]
288
		then
288
		then
289
			echo "Échec"
289
			echo "Échec"
290
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
290
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
291
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
291
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
292
			echo "Appliquez les changements : 'systemctl restart network'"
292
			echo "Appliquez les changements : 'systemctl restart network'"
293
		else
293
		else
294
			echo "Failed"
294
			echo "Failed"
295
			echo "The Internet connected network card ($EXTIF) isn't well configured."
295
			echo "The Internet connected network card ($EXTIF) isn't well configured."
296
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
296
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
297
			echo "Apply the new configuration 'systemctl restart network'"
297
			echo "Apply the new configuration 'systemctl restart network'"
298
		fi
298
		fi
299
		echo "DEVICE=$EXTIF"
299
		echo "DEVICE=$EXTIF"
300
		echo "IPADDR="
300
		echo "IPADDR="
301
		echo "NETMASK="
301
		echo "NETMASK="
302
		echo "GATEWAY="
302
		echo "GATEWAY="
303
		echo "DNS1="
303
		echo "DNS1="
304
		echo "DNS2="
304
		echo "DNS2="
305
		echo "ONBOOT=yes"
305
		echo "ONBOOT=yes"
306
		exit 0
306
		exit 0
307
	fi
307
	fi
308
	echo -n "."
308
	echo -n "."
309
# Test if default GW is set on EXTIF (router or ISP provider equipment)
309
# Test if default GW is set on EXTIF (router or ISP provider equipment)
310
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
310
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
311
		if [ $Lang == "fr" ]
311
		if [ $Lang == "fr" ]
312
		then
312
		then
313
			echo "Échec"
313
			echo "Échec"
314
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
314
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
315
			echo "Réglez ce problème puis relancez ce script."
315
			echo "Réglez ce problème puis relancez ce script."
316
		else
316
		else
317
			echo "Failed"
317
			echo "Failed"
318
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
318
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
319
			echo "Resolv this problem, then restart this script."
319
			echo "Resolv this problem, then restart this script."
320
		fi
320
		fi
321
		exit 0
321
		exit 0
322
	fi
322
	fi
323
	echo -n "."
323
	echo -n "."
324
# Test if default GW is alive
324
# Test if default GW is alive
325
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
325
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
326
	if [ $(expr $arp_reply) -eq 0 ]
326
	if [ $(expr $arp_reply) -eq 0 ]
327
		then
327
		then
328
		if [ $Lang == "fr" ]
328
		if [ $Lang == "fr" ]
329
		then
329
		then
330
			echo "Échec"
330
			echo "Échec"
331
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
331
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
332
			echo "Réglez ce problème puis relancez ce script."
332
			echo "Réglez ce problème puis relancez ce script."
333
		else
333
		else
334
			echo "Failed"
334
			echo "Failed"
335
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
335
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
336
			echo "Resolv this problem, then restart this script."
336
			echo "Resolv this problem, then restart this script."
337
		fi
337
		fi
338
		exit 0
338
		exit 0
339
	fi
339
	fi
340
	echo -n "."
340
	echo -n "."
341
# Test Internet connectivity
341
# Test Internet connectivity
342
	rm -rf /tmp/con_ok.html
342
	rm -rf /tmp/con_ok.html
343
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
343
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
344
	if [ ! -e /tmp/con_ok.html ]
344
	if [ ! -e /tmp/con_ok.html ]
345
	then
345
	then
346
		if [ $Lang == "fr" ]
346
		if [ $Lang == "fr" ]
347
		then
347
		then
348
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
348
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
349
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
349
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
350
			echo "Vérifiez la validité des adresses IP des DNS."
350
			echo "Vérifiez la validité des adresses IP des DNS."
351
		else
351
		else
352
			echo "The Internet connection try failed (google.fr)."
352
			echo "The Internet connection try failed (google.fr)."
353
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
353
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
354
			echo "Verify the DNS IP addresses"
354
			echo "Verify the DNS IP addresses"
355
		fi
355
		fi
356
		exit 0
356
		exit 0
357
	fi
357
	fi
358
	rm -rf /tmp/con_ok.html
358
	rm -rf /tmp/con_ok.html
359
	echo ". : ok"
359
	echo ". : ok"
360
} # end of testing ()
360
} # end of testing ()
361
 
361
 
362
##################################################################
362
#######################################################################
363
##			Function "init"				##
363
##                    Function "init"                                ##
364
## - Création du fichier "/root/ALCASAR_parametres.tx		##
364
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
365
## - Installation et modification des scripts du portail	##
365
## - Creation of random password for GRUB, mariadb (admin and user)  ##
366
##################################################################
366
#######################################################################
367
init ()
367
init ()
368
{
368
{
369
	if [ "$mode" != "update" ]
369
	if [ "$mode" != "update" ]
370
	then
370
	then
371
# On affecte le nom d'organisme
371
# On affecte le nom d'organisme
372
		header_install
372
		header_install
373
		ORGANISME=!
373
		ORGANISME=!
374
		PTN='^[a-zA-Z0-9-]*$'
374
		PTN='^[a-zA-Z0-9-]*$'
375
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
375
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
376
		do
376
		do
377
			if [ $Lang == "fr" ]
377
			if [ $Lang == "fr" ]
378
				then echo -n "Entrez le nom de votre organisme : "
378
				then echo -n "Entrez le nom de votre organisme : "
379
				else echo -n "Enter the name of your organism : "
379
				else echo -n "Enter the name of your organism : "
380
			fi
380
			fi
381
			read ORGANISME
381
			read ORGANISME
382
			if [ "$ORGANISME" == "" ]
382
			if [ "$ORGANISME" == "" ]
383
				then
383
				then
384
				ORGANISME=!
384
				ORGANISME=!
385
			fi
385
			fi
386
		done
386
		done
387
	fi
387
	fi
388
# On crée aléatoirement les mots de passe et les secrets partagés
388
# On crée aléatoirement les mots de passe et les secrets partagés
389
# We create random passwords and shared secrets
389
# We create random passwords and shared secrets
390
	rm -f $PASSWD_FILE
390
	rm -f $PASSWD_FILE
391
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
391
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
392
	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
392
	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
393
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
393
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
394
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
394
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
395
		grep -v '[eE]nter password:' | \
395
		grep -v '[eE]nter password:' | \
396
		sed -e "s/PBKDF2 hash of your password is //"`
396
		sed -e "s/PBKDF2 hash of your password is //"`
397
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
397
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
398
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
398
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
399
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
399
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
400
	chmod 0600 /boot/grub2/user.cfg
400
	chmod 0600 /boot/grub2/user.cfg
401
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
401
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
402
	echo "GRUB2_user=root" >> $PASSWD_FILE
402
	echo "GRUB2_user=root" >> $PASSWD_FILE
403
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
403
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
404
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
404
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
405
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
405
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
406
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
406
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
407
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
407
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
408
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
408
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
409
	echo "db_user=$DB_USER" >> $PASSWD_FILE
409
	echo "db_user=$DB_USER" >> $PASSWD_FILE
410
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
410
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
411
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
411
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
412
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
412
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
413
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
413
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
414
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
414
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
415
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
415
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
416
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
416
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
417
	chmod 640 $PASSWD_FILE
417
	chmod 640 $PASSWD_FILE
418
#  copy scripts in in /usr/local/bin
418
#  copy scripts in in /usr/local/bin
419
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
419
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
420
#  copy conf files in /usr/local/etc
420
#  copy conf files in /usr/local/etc
421
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
421
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
422
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
422
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
423
# generate central conf file
423
# generate central conf file
424
	cat <<EOF > $CONF_FILE
424
	cat <<EOF > $CONF_FILE
425
##########################################
425
##########################################
426
##                                      ##
426
##                                      ##
427
##          ALCASAR Parameters          ##
427
##          ALCASAR Parameters          ##
428
##                                      ##
428
##                                      ##
429
##########################################
429
##########################################
430
 
430
 
431
INSTALL_DATE=$DATE
431
INSTALL_DATE=$DATE
432
VERSION=$VERSION
432
VERSION=$VERSION
433
ORGANISM=$ORGANISME
433
ORGANISM=$ORGANISME
434
HOSTNAME=$HOSTNAME
434
HOSTNAME=$HOSTNAME
435
DOMAIN=$DOMAIN
435
DOMAIN=$DOMAIN
436
EOF
436
EOF
437
	chmod o-rwx $CONF_FILE
437
	chmod o-rwx $CONF_FILE
438
} # End of init ()
438
} # End of init ()
439
 
439
 
440
##################################################################
440
#########################################################
441
##			Function "network"			##
441
##                    Function "network"               ##
442
## - Définition du plan d'adressage du réseau de consultation	##
442
## - Define the several network address                ##
443
## - Nommage DNS du système 					##
443
## - Define the DNS naming                             ##
444
## - Configuration de l'interface INTIF (réseau de consultation)##
444
## - INTIF parameters (consultation network)           ##
445
## - Modification du fichier /etc/hosts				##
445
## - Write "/etc/hosts" file                           ##
446
## - Renseignement des fichiers hosts.allow et hosts.deny	##
446
## - write "hosts.allow" & "hosts.deny" files          ##
447
##################################################################
447
#########################################################
448
network ()
448
network ()
449
{
449
{
450
	header_install
450
	header_install
451
	if [ "$mode" != "update" ]
451
	if [ "$mode" != "update" ]
452
		then
452
		then
453
		if [ $Lang == "fr" ]
453
		if [ $Lang == "fr" ]
454
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
454
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
455
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
455
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
456
		fi
456
		fi
457
		response=0
457
		response=0
458
		PTN='^[oOyYnN]$'
458
		PTN='^[oOyYnN]$'
459
		until [[ $(expr $response : $PTN) -gt 0 ]]
459
		until [[ $(expr $response : $PTN) -gt 0 ]]
460
		do
460
		do
461
			if [ $Lang == "fr" ]
461
			if [ $Lang == "fr" ]
462
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
462
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
463
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
463
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
464
			fi
464
			fi
465
			read response
465
			read response
466
		done
466
		done
467
		if [ "$response" = "n" ] || [ "$response" = "N" ]
467
		if [ "$response" = "n" ] || [ "$response" = "N" ]
468
		then
468
		then
469
			PRIVATE_IP_MASK="0"
469
			PRIVATE_IP_MASK="0"
470
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
470
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
471
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
471
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
472
			do
472
			do
473
				if [ $Lang == "fr" ]
473
				if [ $Lang == "fr" ]
474
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
474
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
475
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
475
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
476
				fi
476
				fi
477
				read PRIVATE_IP_MASK
477
				read PRIVATE_IP_MASK
478
			done
478
			done
479
		else
479
		else
480
	   			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
480
	   			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
481
		fi
481
		fi
482
	else
482
	else
483
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
483
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
484
		rm -rf conf/etc/alcasar.conf
484
		rm -rf conf/etc/alcasar.conf
485
	fi
485
	fi
486
# Define LAN side global parameters
486
# Define LAN side global parameters
487
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
487
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
488
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
488
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
489
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
489
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
490
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
490
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
491
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
491
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
492
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
492
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
493
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
493
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
494
		then
494
		then
495
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
495
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
496
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
496
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
497
	fi
497
	fi
498
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
498
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
499
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
499
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
500
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
500
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
501
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
501
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
502
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
502
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
503
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
503
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
504
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
504
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
505
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
505
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
506
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
506
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
507
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
507
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
508
# Define Internet parameters
508
# Define Internet parameters
509
	if [ "$mode" != "update" ]
509
	if [ "$mode" != "update" ]
510
	then
510
	then
511
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
511
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
512
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
512
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
513
	else
513
	else
514
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
514
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
515
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
515
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
516
	fi
516
	fi
517
	if [ "$DNS1" == "" ]
517
	if [ "$DNS1" == "" ]
518
	then
518
	then
519
		if [ $Lang == "fr" ]
519
		if [ $Lang == "fr" ]
520
		then
520
		then
521
			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
521
			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
522
			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
522
			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
523
		else
523
		else
524
			echo "The IP address of DNS servers are not set correctly"
524
			echo "The IP address of DNS servers are not set correctly"
525
			echo "Check the extern network card configuration ($EXTIF)"
525
			echo "Check the extern network card configuration ($EXTIF)"
526
		fi
526
		fi
527
		exit 0
527
		exit 0
528
	fi
528
	fi
529
	DNS1=${DNS1:=208.67.220.220}
529
	DNS1=${DNS1:=208.67.220.220}
530
	DNS2=${DNS2:=208.67.222.222}
530
	DNS2=${DNS2:=208.67.222.222}
531
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
531
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
532
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
532
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
533
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
533
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
534
# Wrtie the conf file
534
# Write network parameters in the conf file
535
	echo "EXTIF=$EXTIF" >> $CONF_FILE
535
	echo "EXTIF=$EXTIF" >> $CONF_FILE
536
	echo "INTIF=$INTIF" >> $CONF_FILE
536
	echo "INTIF=$INTIF" >> $CONF_FILE
537
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
537
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
538
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
538
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
539
 
-
 
540
	for i in $INTERFACES
539
	for i in $INTERFACES
541
	do
540
	do
542
		SUB=`echo ${i:0:2}`
541
		SUB=`echo ${i:0:2}`
543
		if [ $SUB = "wl" ]
542
		if [ $SUB = "wl" ]
544
			then WIFIF=$i
543
			then WIFIF=$i
545
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
544
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
546
			then LANIF=$i
545
			then LANIF=$i
547
		fi
546
		fi
548
	done
547
	done
549
 
-
 
550
	if [ -n "$WIFIF" ]
548
	if [ -n "$WIFIF" ]
551
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
549
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
552
	elif [ -n "$LANIF" ]
550
	elif [ -n "$LANIF" ]
553
		then echo "LANIF=$LANIF" >> $CONF_FILE
551
		then echo "LANIF=$LANIF" >> $CONF_FILE
554
	fi
552
	fi
555
	#########################################################################################################
553
	#########################################################################################################
556
 
-
 
557
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
554
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
558
	if [ $IP_SETTING == "dhcp" ]
555
	if [ $IP_SETTING == "dhcp" ]
559
		then
556
		then
560
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
557
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
561
		echo "GW=dhcp" >> $CONF_FILE
558
		echo "GW=dhcp" >> $CONF_FILE
562
	else
559
	else
563
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
560
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
564
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
561
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
565
	fi
562
	fi
566
	echo "DNS1=$DNS1" >> $CONF_FILE
563
	echo "DNS1=$DNS1" >> $CONF_FILE
567
	echo "DNS2=$DNS2" >> $CONF_FILE
564
	echo "DNS2=$DNS2" >> $CONF_FILE
568
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
565
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
569
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
566
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
570
	echo "DHCP=on" >> $CONF_FILE
567
	echo "DHCP=on" >> $CONF_FILE
571
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
568
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
572
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
569
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
573
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
570
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
574
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
571
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
575
	echo "INT_DNS_IP=none" >> $CONF_FILE
572
	echo "INT_DNS_IP=none" >> $CONF_FILE
576
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
573
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
577
# network default
574
# network default
578
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
575
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
579
	cat <<EOF > /etc/sysconfig/network
576
	cat <<EOF > /etc/sysconfig/network
580
NETWORKING=yes
577
NETWORKING=yes
581
FORWARD_IPV4=true
578
FORWARD_IPV4=true
582
EOF
579
EOF
583
# /etc/hosts config
580
# write "/etc/hosts"
584
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
581
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
585
	cat <<EOF > /etc/hosts
582
	cat <<EOF > /etc/hosts
586
127.0.0.1	localhost
583
127.0.0.1	localhost
587
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
584
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
588
EOF
585
EOF
589
# EXTIF (Internet) config
586
# write EXTIF (Internet) config
590
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
587
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
591
	if [ $IP_SETTING == "dhcp" ]
588
	if [ $IP_SETTING == "dhcp" ]
592
		then
589
		then
593
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
590
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
594
DEVICE=$EXTIF
591
DEVICE=$EXTIF
595
BOOTPROTO=dhcp
592
BOOTPROTO=dhcp
596
DNS1=127.0.0.1
593
DNS1=127.0.0.1
597
PEERDNS=no
594
PEERDNS=no
598
RESOLV_MODS=yes
595
RESOLV_MODS=yes
599
ONBOOT=yes
596
ONBOOT=yes
600
NOZEROCONF=yes
597
NOZEROCONF=yes
601
METRIC=10
598
METRIC=10
602
MII_NOT_SUPPORTED=yes
599
MII_NOT_SUPPORTED=yes
603
IPV6INIT=no
600
IPV6INIT=no
604
IPV6TO4INIT=no
601
IPV6TO4INIT=no
605
ACCOUNTING=no
602
ACCOUNTING=no
606
USERCTL=no
603
USERCTL=no
607
MTU=$MTU
604
MTU=$MTU
608
EOF
605
EOF
609
		else
606
		else
610
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
607
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
611
DEVICE=$EXTIF
608
DEVICE=$EXTIF
612
BOOTPROTO=static
609
BOOTPROTO=static
613
IPADDR=$PUBLIC_IP
610
IPADDR=$PUBLIC_IP
614
NETMASK=$PUBLIC_NETMASK
611
NETMASK=$PUBLIC_NETMASK
615
GATEWAY=$PUBLIC_GATEWAY
612
GATEWAY=$PUBLIC_GATEWAY
616
DNS1=127.0.0.1
613
DNS1=127.0.0.1
617
RESOLV_MODS=yes
614
RESOLV_MODS=yes
618
ONBOOT=yes
615
ONBOOT=yes
619
METRIC=10
616
METRIC=10
620
NOZEROCONF=yes
617
NOZEROCONF=yes
621
MII_NOT_SUPPORTED=yes
618
MII_NOT_SUPPORTED=yes
622
IPV6INIT=no
619
IPV6INIT=no
623
IPV6TO4INIT=no
620
IPV6TO4INIT=no
624
ACCOUNTING=no
621
ACCOUNTING=no
625
USERCTL=no
622
USERCTL=no
626
MTU=$MTU
623
MTU=$MTU
627
EOF
624
EOF
628
	fi
625
	fi
629
# Config INTIF (consultation LAN) in normal mode
626
# write INTIF (consultation LAN) in normal mode
630
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
627
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
631
DEVICE=$INTIF
628
DEVICE=$INTIF
632
BOOTPROTO=static
629
BOOTPROTO=static
633
ONBOOT=yes
630
ONBOOT=yes
634
NOZEROCONF=yes
631
NOZEROCONF=yes
635
MII_NOT_SUPPORTED=yes
632
MII_NOT_SUPPORTED=yes
636
IPV6INIT=no
633
IPV6INIT=no
637
IPV6TO4INIT=no
634
IPV6TO4INIT=no
638
ACCOUNTING=no
635
ACCOUNTING=no
639
USERCTL=no
636
USERCTL=no
640
EOF
637
EOF
641
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
638
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
642
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
639
# write INTIF in bypass mode (see "alcasar-bypass.sh")
643
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
640
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
644
DEVICE=$INTIF
641
DEVICE=$INTIF
645
BOOTPROTO=static
642
BOOTPROTO=static
646
IPADDR=$PRIVATE_IP
643
IPADDR=$PRIVATE_IP
647
NETMASK=$PRIVATE_NETMASK
644
NETMASK=$PRIVATE_NETMASK
648
ONBOOT=yes
645
ONBOOT=yes
649
METRIC=10
646
METRIC=10
650
NOZEROCONF=yes
647
NOZEROCONF=yes
651
MII_NOT_SUPPORTED=yes
648
MII_NOT_SUPPORTED=yes
652
IPV6INIT=no
649
IPV6INIT=no
653
IPV6TO4INIT=no
650
IPV6TO4INIT=no
654
ACCOUNTING=no
651
ACCOUNTING=no
655
USERCTL=no
652
USERCTL=no
656
EOF
653
EOF
657
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
654
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
658
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
655
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
659
	then
656
	then
660
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
657
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
661
DEVICE=$WIFIF
658
DEVICE=$WIFIF
662
BOOTPROTO=static
659
BOOTPROTO=static
663
ONBOOT=yes
660
ONBOOT=yes
664
NOZEROCONF=yes
661
NOZEROCONF=yes
665
MII_NOT_SUPPORTED=yes
662
MII_NOT_SUPPORTED=yes
666
IPV6INIT=no
663
IPV6INIT=no
667
IPV6TO4INIT=no
664
IPV6TO4INIT=no
668
ACCOUNTING=no
665
ACCOUNTING=no
669
USERCTL=no
666
USERCTL=no
670
EOF
667
EOF
671
	elif [ -n "$LANIF" ]
668
	elif [ -n "$LANIF" ]
672
	then
669
	then
673
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
670
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
674
DEVICE=$LANIF
671
DEVICE=$LANIF
675
BOOTPROTO=static
672
BOOTPROTO=static
676
ONBOOT=yes
673
ONBOOT=yes
677
NOZEROCONF=yes
674
NOZEROCONF=yes
678
MII_NOT_SUPPORTED=yes
675
MII_NOT_SUPPORTED=yes
679
IPV6INIT=no
676
IPV6INIT=no
680
IPV6TO4INIT=no
677
IPV6TO4INIT=no
681
ACCOUNTING=no
678
ACCOUNTING=no
682
USERCTL=no
679
USERCTL=no
683
EOF
680
EOF
684
	fi
681
	fi
685
	#########################################################################################################
682
	#########################################################################################################
686
# Renseignement des fichiers hosts.allow et hosts.deny
683
# write hosts.allow & hosts.deny
687
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
684
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
688
	cat <<EOF > /etc/hosts.allow
685
	cat <<EOF > /etc/hosts.allow
689
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
686
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
690
sshd: ALL
687
sshd: ALL
691
ntpd: $PRIVATE_NETWORK_SHORT
688
ntpd: $PRIVATE_NETWORK_SHORT
692
EOF
689
EOF
693
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
690
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
694
	cat <<EOF > /etc/hosts.deny
691
	cat <<EOF > /etc/hosts.deny
695
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
692
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
696
EOF
693
EOF
697
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
694
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
698
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
695
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
699
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
696
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
700
# load conntrack ftp module
697
# load conntrack ftp module
701
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
698
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
702
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
699
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
703
# load ipt_NETFLOW module
700
# load ipt_NETFLOW module
704
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
701
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
705
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
702
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
706
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
703
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
707
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
704
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
708
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
705
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
709
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
706
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
710
#
707
#
711
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
708
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
712
} # End of network ()
709
} # End of network ()
713
 
710
 
714
##################################################################
711
###################################################
715
##			Function "ACC"				##
712
##                  Function "ACC"               ##
716
## - installation of then ALCASAR Control Center (ACC)	)	##
713
## - copy ALCASAR Control Center (ACC) files     ##
717
## - configuration of the web server (Lighttpd)			##
714
## - configuration of the web server (Lighttpd)  ##
718
## - creation of the first ACC admin account 			##
715
## - creation of the first ACC admin account     ##
719
## - secure the access						##
716
## - secure the ACC access                       ##
720
##################################################################
717
###################################################
721
ACC ()
718
ACC ()
722
{
719
{
723
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
720
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
724
	mkdir $DIR_WEB
721
	mkdir $DIR_WEB
725
# Copy & adapt ACC files
722
# Copy & adapt ACC files
726
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
723
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
727
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
724
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
728
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
725
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
729
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
726
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
730
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
727
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
731
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
728
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
732
	chown -R apache:apache $DIR_WEB/*
729
	chown -R apache:apache $DIR_WEB/*
733
# copy & adapt "freeradius-web" files
730
# copy & adapt "freeradius-web" files
734
	cp -rf $DIR_CONF/freeradius-web/ /etc/
731
	cp -rf $DIR_CONF/freeradius-web/ /etc/
735
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
732
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
736
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
733
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
737
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
734
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
738
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
735
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
739
	cat <<EOF > /etc/freeradius-web/naslist.conf
736
	cat <<EOF > /etc/freeradius-web/naslist.conf
740
nas1_name: alcasar-$ORGANISME
737
nas1_name: alcasar-$ORGANISME
741
nas1_model: Network Access Controler
738
nas1_model: Network Access Controler
742
nas1_ip: $PRIVATE_IP
739
nas1_ip: $PRIVATE_IP
743
nas1_port_num: 0
740
nas1_port_num: 0
744
nas1_community: public
741
nas1_community: public
745
EOF
742
EOF
746
	chown -R apache:apache /etc/freeradius-web/
743
	chown -R apache:apache /etc/freeradius-web/
747
# create the log & backup structure :
744
# create the log & backup structure :
748
# - base = users database
745
# - base = users database
749
# - archive = tarball of "base + http firewall + netflow"
746
# - archive = tarball of "base + http firewall + netflow"
750
# - security = watchdog log
747
# - security = watchdog log
751
	for i in base archive security activity_report;
748
	for i in base archive security activity_report;
752
	do
749
	do
753
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
750
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
754
	done
751
	done
755
	chown -R root:apache $DIR_SAVE
752
	chown -R root:apache $DIR_SAVE
756
# Configuring & securing php
753
# Configuring & securing php
757
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
754
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
758
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
755
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
759
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
756
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
760
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
757
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
761
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
758
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
762
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
759
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
763
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
760
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
764
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
761
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
765
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
762
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
766
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
763
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
767
# Configuring & securing Lighttpd
764
# Configuring & securing Lighttpd
768
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
765
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
769
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
766
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
770
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
767
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
771
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
768
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
772
	[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
769
	[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
773
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
770
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
774
 
771
 
775
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
772
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
776
	cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
773
	cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
777
 
774
 
778
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
775
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
779
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
776
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
780
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
777
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
781
 
778
 
782
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
779
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
783
	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
780
	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
784
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
781
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
785
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
782
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
786
 
783
 
787
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
784
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
788
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
785
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
789
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
786
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
790
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
787
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
791
 
788
 
792
	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
789
	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
793
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
790
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
794
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
791
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
795
 
792
 
796
	/usr/bin/systemctl start lighttpd
793
	/usr/bin/systemctl start lighttpd
797
	/usr/bin/systemctl start php-fpm
794
	/usr/bin/systemctl start php-fpm
798
 
795
 
799
# Définition du premier compte lié au profil 'admin'
796
# Creation of the first account (in 'admin' profile)
800
	if [ "$mode" = "install" ]
797
	if [ "$mode" = "install" ]
801
		then
798
		then
802
			header_install
799
			header_install
803
# Creation of keys file for the admin account ("admin")
800
# Creation of keys file for the admin account ("admin")
804
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
801
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
805
			mkdir -p $DIR_DEST_ETC/digest
802
			mkdir -p $DIR_DEST_ETC/digest
806
			chmod 755 $DIR_DEST_ETC/digest
803
			chmod 755 $DIR_DEST_ETC/digest
807
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
804
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
808
			do
805
			do
809
				$DIR_DEST_BIN/alcasar-profil.sh --add admin
806
				$DIR_DEST_BIN/alcasar-profil.sh --add admin
810
			done
807
			done
811
	fi
808
	fi
812
 
809
 
813
	# Launch after coova (in order to wait tun0 to be up)
810
	# Launch after coova (in order to wait tun0 to be up)
814
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
811
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
815
	# Log file for ACC access imputability
812
	# Log file for ACC access imputability
816
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
813
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
817
	chown root:apache /var/Save/security/acc_access.log
814
	chown root:apache /var/Save/security/acc_access.log
818
	chmod 664 /var/Save/security/acc_access.log
815
	chmod 664 /var/Save/security/acc_access.log
819
} # End of ACC ()
816
} # End of ACC ()
820
 
817
 
821
##########################################################################
818
##################################################################
822
##				Fonction "CA"				##
819
##                               Fonction "CA"                  ##
823
## - Creating the CA and the server certificate (lighttpd)	 	##
820
## - Creating the CA and the server certificate (lighttpd)      ##
824
##########################################################################
821
##################################################################
825
CA ()
822
CA ()
826
{
823
{
827
	$DIR_DEST_BIN/alcasar-CA.sh
824
	$DIR_DEST_BIN/alcasar-CA.sh
828
 
825
 
829
	chown -R root:apache /etc/pki
826
	chown -R root:apache /etc/pki
830
	chmod -R 750 /etc/pki
827
	chmod -R 750 /etc/pki
831
} # End of CA ()
828
} # End of CA ()
832
 
829
 
833
##################################################################
830
#############################################################
834
##                    Function "time_server"                    ##
831
##               Function "time_server"                    ##
835
## - Configuring NTP server                                     ##
832
## - Configuring NTP server                                ##
836
##################################################################
833
#############################################################
837
time_server ()
834
time_server ()
838
{
835
{
839
# Set the Internet time server
836
# Set the Internet time server
840
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
837
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
841
	cat <<EOF > /etc/ntp/step-tickers
838
	cat <<EOF > /etc/ntp/step-tickers
842
0.fr.pool.ntp.org	# adapt to your country
839
0.fr.pool.ntp.org	# adapt to your country
843
1.fr.pool.ntp.org
840
1.fr.pool.ntp.org
844
2.fr.pool.ntp.org
841
2.fr.pool.ntp.org
845
EOF
842
EOF
846
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
843
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
847
	cat <<EOF > /etc/ntp.conf
844
	cat <<EOF > /etc/ntp.conf
848
server 0.fr.pool.ntp.org	# adapt to your country
845
server 0.fr.pool.ntp.org	# adapt to your country
849
server 1.fr.pool.ntp.org
846
server 1.fr.pool.ntp.org
850
server 2.fr.pool.ntp.org
847
server 2.fr.pool.ntp.org
851
server 127.127.1.0   		# local clock si NTP internet indisponible ...
848
server 127.127.1.0   		# local clock si NTP internet indisponible ...
852
fudge 127.127.1.0 stratum 10
849
fudge 127.127.1.0 stratum 10
853
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
850
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
854
restrict 127.0.0.1
851
restrict 127.0.0.1
855
driftfile /var/lib/ntp/drift
852
driftfile /var/lib/ntp/drift
856
logfile /var/log/ntp.log
853
logfile /var/log/ntp.log
857
disable monitor
854
disable monitor
858
EOF
855
EOF
859
	chown -R ntp:ntp /var/lib/ntp
856
	chown -R ntp:ntp /var/lib/ntp
860
# Synchronize now
857
# Synchronize now
861
	ntpd -q -g &
858
	ntpd -q -g &
862
} # End of time_server ()
859
} # End of time_server ()
863
 
860
 
864
#####################################################################
861
#####################################################################
865
##                     Function "init_db"                          ##
862
##                     Function "init_db"                          ##
866
## - Mysql initialization                                          ##
863
## - Mysql initialization                                          ##
867
## - Set admin (root) password                                     ##
864
## - Set admin (root) password                                     ##
868
## - Remove unused users & databases                               ##
865
## - Remove unused users & databases                               ##
869
## - Radius database creation                                      ##
866
## - Radius database creation                                      ##
870
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
867
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
871
#####################################################################
868
#####################################################################
872
init_db ()
869
init_db ()
873
{
870
{
874
	if [ `systemctl is-active mysqld` == "active" ]
871
	if [ `systemctl is-active mysqld` == "active" ]
875
	then
872
	then
876
		systemctl stop mysqld
873
		systemctl stop mysqld
877
	fi
874
	fi
878
	rm -rf /var/lib/mysql # to be sure that there is no former installation
875
	rm -rf /var/lib/mysql # to be sure that there is no former installation
879
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
876
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
880
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
877
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
881
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
878
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
882
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
879
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
883
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
880
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
884
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
881
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
885
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
882
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
886
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
883
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
887
	/usr/bin/systemctl start mysqld
884
	/usr/bin/systemctl start mysqld
888
	nb_round=1
885
	nb_round=1
889
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
886
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
890
	do
887
	do
891
		nb_round=`expr $nb_round + 1`
888
		nb_round=`expr $nb_round + 1`
892
		sleep 2
889
		sleep 2
893
	done
890
	done
894
	if [ ! -S /var/lib/mysql/mysql.sock ]
891
	if [ ! -S /var/lib/mysql/mysql.sock ]
895
	then
892
	then
896
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
893
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
897
		exit
894
		exit
898
	fi
895
	fi
899
	MYSQL="/usr/bin/mysql --execute"
896
	MYSQL="/usr/bin/mysql --execute"
900
# Secure the server
897
# Secure the server
901
	$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
898
	$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
902
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
899
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
903
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
900
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
904
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
901
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
905
# Create 'radius' database
902
# Create 'radius' database
906
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
903
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
907
# Add an empty radius database structure
904
# Add an empty radius database structure
908
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
905
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
909
# modify the start script in order to close accounting connexion when the system is comming down or up
906
# modify the start script in order to close accounting connexion when the system is comming down or up
910
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
907
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
911
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
908
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
912
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
909
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
913
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
910
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
914
	/usr/bin/systemctl daemon-reload
911
	/usr/bin/systemctl daemon-reload
915
} # End of init_db ()
912
} # End of init_db ()
916
 
913
 
917
###################################################################
914
###################################################################
918
##                       Function "freeradius"                   ##
915
##                       Function "freeradius"                   ##
919
## - Set the configuration files                                 ##
916
## - Set the configuration files                                 ##
920
## - Set the shared secret between coova-chilli and freeradius   ##
917
## - Set the shared secret between coova-chilli and freeradius   ##
921
## - Adapt the Mysql conf file and counters                      ##
918
## - Adapt the Mysql conf file and counters                      ##
922
###################################################################
919
###################################################################
923
freeradius ()
920
freeradius ()
924
{
921
{
925
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
922
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
926
	chown -R radius:radius /etc/raddb
923
	chown -R radius:radius /etc/raddb
927
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
924
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
928
# Set radius global parameters (radius.conf)
925
# Set radius global parameters (radius.conf)
929
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
926
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
930
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
927
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
931
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
928
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
932
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
929
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
933
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
930
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
934
 
931
 
935
# Add ALCASAR dictionary
932
# Add ALCASAR dictionary
936
	cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
933
	cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
937
	echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
934
	echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
938
# Add CoovaChilli dictionary
935
# Add CoovaChilli dictionary
939
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
936
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
940
	echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
937
	echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
941
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
938
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
942
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
939
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
943
	cat << EOF > /etc/raddb/clients.conf
940
	cat << EOF > /etc/raddb/clients.conf
944
client localhost {
941
client localhost {
945
	ipaddr = 127.0.0.1
942
	ipaddr = 127.0.0.1
946
	secret = $secretradius
943
	secret = $secretradius
947
	shortname = chilli
944
	shortname = chilli
948
	nas_type = other
945
	nas_type = other
949
}
946
}
950
EOF
947
EOF
951
# Set Virtual server (remvove all except "alcasar virtual site")
948
# Set Virtual server (remvove all except "alcasar virtual site")
952
	rm -f /etc/raddb/sites-enabled/*
949
	rm -f /etc/raddb/sites-enabled/*
953
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
950
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
954
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
951
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
955
	chown radius:apache /etc/raddb/sites-available/alcasar*
952
	chown radius:apache /etc/raddb/sites-available/alcasar*
956
	chmod 660 /etc/raddb/sites-available/alcasar*
953
	chmod 660 /etc/raddb/sites-available/alcasar*
957
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
954
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
958
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
955
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
959
 
956
 
960
# Set modules
957
# Set modules
961
# Add custom LDAP "available module"
958
# Add custom LDAP "available module"
962
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
959
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
963
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
960
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
964
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
961
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
965
	rm -rf  /etc/raddb/mods-enabled/*
962
	rm -rf  /etc/raddb/mods-enabled/*
966
	for mods in sql sqlcounter attr_filter expiration logintime pap expr
963
	for mods in sql sqlcounter attr_filter expiration logintime pap expr
967
	do
964
	do
968
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
965
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
969
	done
966
	done
970
# Configure SQL mod
967
# Configure SQL mod
971
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
968
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
972
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
969
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
973
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
970
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
974
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
971
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
975
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
972
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
976
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
973
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
977
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
974
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
978
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
975
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
979
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
976
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
980
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
977
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
981
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
978
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
982
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
979
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
983
# sqlcounter modifications
980
# sqlcounter modifications
984
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
981
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
985
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
982
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
986
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
983
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
987
	[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
984
	[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
988
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
985
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
989
query = "\
986
query = "\
990
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
987
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
991
    FROM radacct \
988
    FROM radacct \
992
    WHERE username = '%{\${key}}' \
989
    WHERE username = '%{\${key}}' \
993
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
990
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
994
EOF
991
EOF
995
	[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
992
	[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
996
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
993
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
997
query = "\
994
query = "\
998
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
995
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
999
    FROM radacct \
996
    FROM radacct \
1000
    WHERE username='%{\${key}}' \
997
    WHERE username='%{\${key}}' \
1001
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
998
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
1002
EOF
999
EOF
1003
	[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
1000
	[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
1004
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
1001
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
1005
query = "\
1002
query = "\
1006
    SELECT IFNULL(SUM(AcctSessionTime),0) \
1003
    SELECT IFNULL(SUM(AcctSessionTime),0) \
1007
    FROM radacct \
1004
    FROM radacct \
1008
    WHERE username='%{\${key}}'"
1005
    WHERE username='%{\${key}}'"
1009
EOF
1006
EOF
1010
	[ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default
1007
	[ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default
1011
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
1008
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
1012
query = "\
1009
query = "\
1013
    SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
1010
    SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
1014
    FROM radacct \
1011
    FROM radacct \
1015
    WHERE username='%{\${key}}' \
1012
    WHERE username='%{\${key}}' \
1016
    ORDER BY acctstarttime \
1013
    ORDER BY acctstarttime \
1017
    LIMIT 1),0)"
1014
    LIMIT 1),0)"
1018
EOF
1015
EOF
1019
# make certain that mysql is up before freeradius start
1016
# make certain that mysql is up before freeradius start
1020
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1017
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1021
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1018
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1022
	/usr/bin/systemctl daemon-reload
1019
	/usr/bin/systemctl daemon-reload
1023
 # Allow apache to change some conf files (ie : ldap on/off)
1020
 # Allow apache to change some conf files (ie : ldap on/off)
1024
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1021
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1025
 
1022
 
1026
} # End freeradius ()
1023
} # End freeradius ()
1027
 
1024
 
1028
#############################################################################
1025
#############################################################################
1029
##                              Function "chilli"                          ##
1026
##                           Function "chilli"                             ##
1030
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1027
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1031
## - Adapt the authentication web page (intercept.php)                     ##
1028
## - Adapt the authentication web page (intercept.php)                     ##
1032
#############################################################################
1029
#############################################################################
1033
chilli ()
1030
chilli ()
1034
{
1031
{
1035
# chilli unit for systemd
1032
# chilli unit for systemd
1036
	cat << EOF > /lib/systemd/system/chilli.service
1033
	cat << EOF > /lib/systemd/system/chilli.service
1037
#  This file is part of systemd.
1034
#  This file is part of systemd.
1038
#
1035
#
1039
#  systemd is free software; you can redistribute it and/or modify it
1036
#  systemd is free software; you can redistribute it and/or modify it
1040
#  under the terms of the GNU General Public License as published by
1037
#  under the terms of the GNU General Public License as published by
1041
#  the Free Software Foundation; either version 2 of the License, or
1038
#  the Free Software Foundation; either version 2 of the License, or
1042
#  (at your option) any later version.
1039
#  (at your option) any later version.
1043
[Unit]
1040
[Unit]
1044
Description=chilli is a captive portal daemon
1041
Description=chilli is a captive portal daemon
1045
After=network.target
1042
After=network.target
1046
 
1043
 
1047
[Service]
1044
[Service]
1048
Type=forking
1045
Type=forking
1049
ExecStart=/usr/libexec/chilli start
1046
ExecStart=/usr/libexec/chilli start
1050
ExecStop=/usr/libexec/chilli stop
1047
ExecStop=/usr/libexec/chilli stop
1051
ExecReload=/usr/libexec/chilli reload
1048
ExecReload=/usr/libexec/chilli reload
1052
PIDFile=/var/run/chilli.pid
1049
PIDFile=/var/run/chilli.pid
1053
 
1050
 
1054
[Install]
1051
[Install]
1055
WantedBy=multi-user.target
1052
WantedBy=multi-user.target
1056
EOF
1053
EOF
1057
# init file creation
1054
# init file creation
1058
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1055
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1059
	cat <<EOF > /etc/init.d/chilli
1056
	cat <<EOF > /etc/init.d/chilli
1060
#!/bin/sh
1057
#!/bin/sh
1061
#
1058
#
1062
# chilli CoovaChilli init
1059
# chilli CoovaChilli init
1063
#
1060
#
1064
# chkconfig: 2345 65 35
1061
# chkconfig: 2345 65 35
1065
# description: CoovaChilli
1062
# description: CoovaChilli
1066
### BEGIN INIT INFO
1063
### BEGIN INIT INFO
1067
# Provides:       chilli
1064
# Provides:       chilli
1068
# Required-Start: network
1065
# Required-Start: network
1069
# Should-Start:
1066
# Should-Start:
1070
# Required-Stop:  network
1067
# Required-Stop:  network
1071
# Should-Stop:
1068
# Should-Stop:
1072
# Default-Start:  2 3 5
1069
# Default-Start:  2 3 5
1073
# Default-Stop:
1070
# Default-Stop:
1074
# Description:    CoovaChilli access controller
1071
# Description:    CoovaChilli access controller
1075
### END INIT INFO
1072
### END INIT INFO
1076
 
1073
 
1077
[ -f /usr/sbin/chilli ] || exit 0
1074
[ -f /usr/sbin/chilli ] || exit 0
1078
. /etc/init.d/functions
1075
. /etc/init.d/functions
1079
CONFIG=/etc/chilli.conf
1076
CONFIG=/etc/chilli.conf
1080
pidfile=/var/run/chilli.pid
1077
pidfile=/var/run/chilli.pid
1081
[ -f \$CONFIG ] || {
1078
[ -f \$CONFIG ] || {
1082
	echo "\$CONFIG Not found"
1079
	echo "\$CONFIG Not found"
1083
	exit 0
1080
	exit 0
1084
}
1081
}
1085
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1082
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1086
RETVAL=0
1083
RETVAL=0
1087
prog="chilli"
1084
prog="chilli"
1088
case \$1 in
1085
case \$1 in
1089
	start)
1086
	start)
1090
		if [ -f \$pidfile ] ; then
1087
		if [ -f \$pidfile ] ; then
1091
			gprintf "chilli is already running"
1088
			gprintf "chilli is already running"
1092
		else
1089
		else
1093
			gprintf "Starting \$prog: "
1090
			gprintf "Starting \$prog: "
1094
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1091
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1095
			rm -f /var/run/chilli* # cleaning
1092
			rm -f /var/run/chilli* # cleaning
1096
			/usr/sbin/modprobe tun >/dev/null 2>&1
1093
			/usr/sbin/modprobe tun >/dev/null 2>&1
1097
			echo 1 > /proc/sys/net/ipv4/ip_forward
1094
			echo 1 > /proc/sys/net/ipv4/ip_forward
1098
			[ -e /dev/net/tun ] || {
1095
			[ -e /dev/net/tun ] || {
1099
				(cd /dev;
1096
				(cd /dev;
1100
				mkdir net;
1097
				mkdir net;
1101
				cd net;
1098
				cd net;
1102
				mknod tun c 10 200)
1099
				mknod tun c 10 200)
1103
			}
1100
			}
1104
			ifconfig $INTIF 0.0.0.0
1101
			ifconfig $INTIF 0.0.0.0
1105
			/usr/sbin/ethtool -K $INTIF gro off
1102
			/usr/sbin/ethtool -K $INTIF gro off
1106
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1103
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1107
			RETVAL=\$?
1104
			RETVAL=\$?
1108
		fi
1105
		fi
1109
		;;
1106
		;;
1110
 
1107
 
1111
	reload)
1108
	reload)
1112
		killall -HUP chilli
1109
		killall -HUP chilli
1113
		;;
1110
		;;
1114
 
1111
 
1115
	restart)
1112
	restart)
1116
		\$0 stop
1113
		\$0 stop
1117
		sleep 2
1114
		sleep 2
1118
		\$0 start
1115
		\$0 start
1119
		;;
1116
		;;
1120
 
1117
 
1121
	status)
1118
	status)
1122
		status chilli
1119
		status chilli
1123
		RETVAL=0
1120
		RETVAL=0
1124
		;;
1121
		;;
1125
 
1122
 
1126
	stop)
1123
	stop)
1127
		if [ -f \$pidfile ] ; then
1124
		if [ -f \$pidfile ] ; then
1128
			gprintf "Shutting down \$prog: "
1125
			gprintf "Shutting down \$prog: "
1129
			killproc /usr/sbin/chilli
1126
			killproc /usr/sbin/chilli
1130
			RETVAL=\$?
1127
			RETVAL=\$?
1131
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1128
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1132
			[ -e \$current_users_file ] && rm -f \$current_users_file
1129
			[ -e \$current_users_file ] && rm -f \$current_users_file
1133
		else
1130
		else
1134
			gprintf "chilli is not running"
1131
			gprintf "chilli is not running"
1135
		fi
1132
		fi
1136
		;;
1133
		;;
1137
 
1134
 
1138
	*)
1135
	*)
1139
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1136
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1140
		exit 1
1137
		exit 1
1141
esac
1138
esac
1142
echo
1139
echo
1143
EOF
1140
EOF
1144
	chmod a+x /etc/init.d/chilli
1141
	chmod a+x /etc/init.d/chilli
1145
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1142
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1146
# conf file creation
1143
# conf file creation
1147
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1144
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1148
	#NTP Option configuration for DHCP
1145
	#NTP Option configuration for DHCP
1149
	#DHCP Options : rfc2132
1146
	#DHCP Options : rfc2132
1150
		#dhcp option value will be convert in hexa.
1147
		#dhcp option value will be convert in hexa.
1151
		#NTP option (or 'option 42') is like :
1148
		#NTP option (or 'option 42') is like :
1152
		#
1149
		#
1153
		#    Code   Len         Address 1               Address 2
1150
		#    Code   Len         Address 1               Address 2
1154
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1151
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1155
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1152
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1156
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1153
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1157
		#
1154
		#
1158
		#Code : 42 => 2a
1155
		#Code : 42 => 2a
1159
		#Len : 4 => 04
1156
		#Len : 4 => 04
1160
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1157
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1161
	cat <<EOF > /etc/chilli.conf
1158
	cat <<EOF > /etc/chilli.conf
1162
# coova config for ALCASAR
1159
# coova config for ALCASAR
1163
cmdsocket	/var/run/chilli.sock
1160
cmdsocket	/var/run/chilli.sock
1164
unixipc		chilli.$INTIF.ipc
1161
unixipc		chilli.$INTIF.ipc
1165
pidfile		/var/run/chilli.pid
1162
pidfile		/var/run/chilli.pid
1166
net		$PRIVATE_NETWORK_MASK
1163
net		$PRIVATE_NETWORK_MASK
1167
dhcpif		$INTIF
1164
dhcpif		$INTIF
1168
ethers		$DIR_DEST_ETC/alcasar-ethers
1165
ethers		$DIR_DEST_ETC/alcasar-ethers
1169
#nodynip
1166
#nodynip
1170
#statip
1167
#statip
1171
dynip		$PRIVATE_NETWORK_MASK
1168
dynip		$PRIVATE_NETWORK_MASK
1172
domain		$DOMAIN
1169
domain		$DOMAIN
1173
dns1		$PRIVATE_IP
1170
dns1		$PRIVATE_IP
1174
dns2		$PRIVATE_IP
1171
dns2		$PRIVATE_IP
1175
uamlisten	$PRIVATE_IP
1172
uamlisten	$PRIVATE_IP
1176
uamport		3990
1173
uamport		3990
1177
uamuiport	3991
1174
uamuiport	3991
1178
macauth
1175
macauth
1179
macpasswd	password
1176
macpasswd	password
1180
strictmacauth
1177
strictmacauth
1181
locationname	$HOSTNAME.$DOMAIN
1178
locationname	$HOSTNAME.$DOMAIN
1182
radiusserver1	127.0.0.1
1179
radiusserver1	127.0.0.1
1183
radiusserver2	127.0.0.1
1180
radiusserver2	127.0.0.1
1184
radiussecret	$secretradius
1181
radiussecret	$secretradius
1185
radiusauthport	1812
1182
radiusauthport	1812
1186
radiusacctport	1813
1183
radiusacctport	1813
1187
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1184
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1188
redirurl
1185
redirurl
1189
radiusnasid	$HOSTNAME.$DOMAIN
1186
radiusnasid	$HOSTNAME.$DOMAIN
1190
uamsecret	$secretuam
1187
uamsecret	$secretuam
1191
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1188
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1192
coaport		3799
1189
coaport		3799
1193
conup		$DIR_DEST_BIN/alcasar-conup.sh
1190
conup		$DIR_DEST_BIN/alcasar-conup.sh
1194
condown		$DIR_DEST_BIN/alcasar-condown.sh
1191
condown		$DIR_DEST_BIN/alcasar-condown.sh
1195
include		$DIR_DEST_ETC/alcasar-uamallowed
1192
include		$DIR_DEST_ETC/alcasar-uamallowed
1196
include		$DIR_DEST_ETC/alcasar-uamdomain
1193
include		$DIR_DEST_ETC/alcasar-uamdomain
1197
dhcpopt		2a04$PRIVATE_IP_HEXA
1194
dhcpopt		2a04$PRIVATE_IP_HEXA
1198
#dhcpgateway		none
1195
#dhcpgateway		none
1199
#dhcprelayagent		none
1196
#dhcprelayagent		none
1200
#dhcpgatewayport	none
1197
#dhcpgatewayport	none
1201
sslkeyfile	/etc/pki/tls/private/alcasar.key
1198
sslkeyfile	/etc/pki/tls/private/alcasar.key
1202
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1199
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1203
redirssl
1200
redirssl
1204
uamuissl
1201
uamuissl
1205
EOF
1202
EOF
1206
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1203
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1207
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1204
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1208
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1205
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1209
# create files for trusted domains and urls
1206
# create files for trusted domains and urls
1210
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1207
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1211
	chown root:apache $DIR_DEST_ETC/alcasar-*
1208
	chown root:apache $DIR_DEST_ETC/alcasar-*
1212
	chmod 660 $DIR_DEST_ETC/alcasar-*
1209
	chmod 660 $DIR_DEST_ETC/alcasar-*
1213
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1210
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1214
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1211
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1215
# user 'chilli' creation (in order to run conup/off and up/down scripts
1212
# user 'chilli' creation (in order to run conup/off and up/down scripts
1216
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1213
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1217
	if [ "$chilli_exist" == "1" ]
1214
	if [ "$chilli_exist" == "1" ]
1218
	then
1215
	then
1219
		userdel -r chilli 2>/dev/null
1216
		userdel -r chilli 2>/dev/null
1220
	fi
1217
	fi
1221
	groupadd -f chilli
1218
	groupadd -f chilli
1222
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1219
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1223
}  # End of chilli ()
1220
}  # End of chilli ()
1224
 
1221
 
1225
################################################################
1222
################################################################
1226
##                   Function "e2guardian"                    ##
1223
##                   Function "e2guardian"                    ##
1227
## - Set the parameters of this HTML proxy (as controler)     ##
1224
## - Set the parameters of this HTML proxy (as controler)     ##
1228
################################################################
1225
################################################################
1229
e2guardian ()
1226
e2guardian ()
1230
{
1227
{
1231
	mkdir -p /var/e2guardian /var/log/e2guardian
1228
	mkdir -p /var/e2guardian /var/log/e2guardian
1232
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1229
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1233
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1230
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1234
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1231
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1235
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1232
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1236
# By default the filter is off
1233
# By default the filter is off
1237
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1234
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1238
# French deny HTML page
1235
# French deny HTML page
1239
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1236
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1240
# Listen only on LAN side
1237
# Listen only on LAN side
1241
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1238
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1242
# DG send its flow to HAVP
1239
# DG send its flow to HAVP
1243
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1240
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1244
# replace the default deny HTML page
1241
# replace the default deny HTML page
1245
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1242
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1246
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1243
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1247
# Don't log
1244
# Don't log
1248
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1245
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1249
# # Change the default report page
1246
# # Change the default report page
1250
	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1247
	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1251
# Disable HTML content control
1248
# Disable HTML content control
1252
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1249
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1253
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1250
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1254
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1251
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1255
# Disable URL control with regex
1252
# Disable URL control with regex
1256
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1253
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1257
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1254
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1258
# Configure E2guardian for large site
1255
# Configure E2guardian for large site
1259
# Minimum number of processus to handle connections
1256
# Minimum number of processus to handle connections
1260
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1257
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1261
# Maximum number of processus to handle connections
1258
# Maximum number of processus to handle connections
1262
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1259
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1263
# Run at least 8 daemons
1260
# Run at least 8 daemons
1264
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1261
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1265
# minimum number of processes to spawn
1262
# minimum number of processes to spawn
1266
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1263
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1267
# maximum age of a child process before it croaks it
1264
# maximum age of a child process before it croaks it
1268
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1265
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1269
# Disable download files control
1266
# Disable download files control
1270
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1267
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1271
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1268
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1272
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1269
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1273
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1270
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1274
	touch $DIR_DG/lists/bannedextensionlist
1271
	touch $DIR_DG/lists/bannedextensionlist
1275
	touch $DIR_DG/lists/bannedmimetypelist
1272
	touch $DIR_DG/lists/bannedmimetypelist
1276
# 'Safesearch' regex actualisation
1273
# 'Safesearch' regex actualisation
1277
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1274
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1278
# empty LAN IP list that won't be WEB filtered
1275
# empty LAN IP list that won't be WEB filtered
1279
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1276
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1280
	touch $DIR_DG/lists/exceptioniplist
1277
	touch $DIR_DG/lists/exceptioniplist
1281
# Keep a copy of URL & domain filter configuration files
1278
# Keep a copy of URL & domain filter configuration files
1282
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1279
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1283
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1280
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1284
} # End of e2guardian ()
1281
} # End of e2guardian ()
1285
 
1282
 
1286
##################################################################
1283
##################################################################
1287
##                     Function "antivirus"                     ##
1284
##                     Function "antivirus"                     ##
1288
## - Set the parameters of havp, libclamav and freshclam        ##
1285
## - Set the parameters of havp, libclamav and freshclam        ##
1289
##################################################################
1286
##################################################################
1290
antivirus ()
1287
antivirus ()
1291
{
1288
{
1292
# create 'havp' user
1289
# create 'havp' user
1293
	havp_exist=`grep -c ^havp: /etc/passwd`
1290
	havp_exist=`grep -c ^havp: /etc/passwd`
1294
	if [ "$havp_exist" == "1" ]
1291
	if [ "$havp_exist" == "1" ]
1295
	then
1292
	then
1296
		userdel -r havp 2>/dev/null
1293
		userdel -r havp 2>/dev/null
1297
		groupdel havp 2>/dev/null
1294
		groupdel havp 2>/dev/null
1298
	fi
1295
	fi
1299
	groupadd -f havp
1296
	groupadd -f havp
1300
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1297
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1301
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1298
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1302
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1299
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1303
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1300
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1304
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1301
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1305
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1302
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1306
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1303
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1307
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1304
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1308
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1305
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1309
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1306
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1310
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1307
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1311
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1308
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1312
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1309
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1313
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1310
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1314
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1311
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1315
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1312
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1316
# skip checking of youtube flow (too heavy load / risk too low)
1313
# skip checking of youtube flow (too heavy load / risk too low)
1317
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1314
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1318
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1315
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1319
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1316
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1320
# adapt init script and systemd unit
1317
# adapt init script and systemd unit
1321
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1318
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1322
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1319
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1323
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1320
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1324
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1321
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1325
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1322
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1326
# replace of the intercept page (template)
1323
# replace of the intercept page (template)
1327
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1324
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1328
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1325
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1329
# update virus database every 4 hours (24h/6)
1326
# update virus database every 4 hours (24h/6)
1330
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1327
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1331
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1328
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1332
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1329
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1333
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1330
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1334
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1331
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1335
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1332
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1336
# update now
1333
# update now
1337
	/usr/bin/freshclam --no-warnings
1334
	/usr/bin/freshclam --no-warnings
1338
} # End of antivirus ()
1335
} # End of antivirus ()
1339
 
1336
 
1340
################################################################################
1337
################################################################################
1341
##                           Function "tinyproxy"                             ##
1338
##                           Function "tinyproxy"                             ##
1342
## - Set the parameters of tinyproxy (proxy between filterde users and havp)  ##
1339
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1343
################################################################################
1340
################################################################################
1344
tinyproxy ()
1341
tinyproxy ()
1345
{
1342
{
1346
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1343
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1347
	if [ "$tinyproxy_exist" == "1" ]
1344
	if [ "$tinyproxy_exist" == "1" ]
1348
	then
1345
	then
1349
		userdel -r tinyproxy 2>/dev/null
1346
		userdel -r tinyproxy 2>/dev/null
1350
		groupdel tinyproxy 2>/dev/null
1347
		groupdel tinyproxy 2>/dev/null
1351
	fi
1348
	fi
1352
	groupadd -f tinyproxy
1349
	groupadd -f tinyproxy
1353
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1350
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1354
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1351
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1355
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1352
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1356
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1353
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1357
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1354
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1358
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1355
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1359
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1356
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1360
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1357
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1361
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1358
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1362
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1359
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1363
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1360
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1364
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1361
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1365
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1362
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1366
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1363
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1367
# Create the systemd unit
1364
# Create the systemd unit
1368
cat << EOF > /lib/systemd/system/tinyproxy.service
1365
cat << EOF > /lib/systemd/system/tinyproxy.service
1369
#  This file is part of systemd.
1366
#  This file is part of systemd.
1370
#
1367
#
1371
#  systemd is free software; you can redistribute it and/or modify it
1368
#  systemd is free software; you can redistribute it and/or modify it
1372
#  under the terms of the GNU General Public License as published by
1369
#  under the terms of the GNU General Public License as published by
1373
#  the Free Software Foundation; either version 2 of the License, or
1370
#  the Free Software Foundation; either version 2 of the License, or
1374
#  (at your option) any later version.
1371
#  (at your option) any later version.
1375
 
1372
 
1376
# This unit launches tinyproxy (a very light proxy).
1373
# This unit launches tinyproxy (a very light proxy).
1377
# The "sleep 2" is needed because the pid file isn't ready for systemd
1374
# The "sleep 2" is needed because the pid file isn't ready for systemd
1378
[Unit]
1375
[Unit]
1379
Description=Tinyproxy Web Proxy Server
1376
Description=Tinyproxy Web Proxy Server
1380
After=network.target iptables.service
1377
After=network.target iptables.service
1381
 
1378
 
1382
[Service]
1379
[Service]
1383
Type=forking
1380
Type=forking
1384
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1381
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1385
ExecStartPre=/bin/sleep 2
1382
ExecStartPre=/bin/sleep 2
1386
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1383
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1387
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1384
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1388
 
1385
 
1389
[Install]
1386
[Install]
1390
WantedBy=multi-user.target
1387
WantedBy=multi-user.target
1391
EOF
1388
EOF
1392
 
1389
 
1393
} # end of tinyproxy
1390
} # end of tinyproxy
1394
##############################################################################
1391
##############################################################################
1395
##                            function "ulogd"                              ##
1392
##                            function "ulogd"                              ##
1396
## - Ulog config for multi-log files                                        ##
1393
## - Ulog config for multi-log files                                        ##
1397
##############################################################################
1394
##############################################################################
1398
ulogd ()
1395
ulogd ()
1399
{
1396
{
1400
# Three instances of ulogd (three different logfiles)
1397
# Three instances of ulogd (three different logfiles)
1401
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1398
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1402
	nl=1
1399
	nl=1
1403
	for log_type in traceability ssh ext-access
1400
	for log_type in traceability ssh ext-access
1404
	do
1401
	do
1405
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1402
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1406
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1403
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1407
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1404
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1408
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1405
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1409
		cat << EOF >> /etc/ulogd-$log_type.conf
1406
		cat << EOF >> /etc/ulogd-$log_type.conf
1410
[emu1]
1407
[emu1]
1411
file="/var/log/firewall/$log_type.log"
1408
file="/var/log/firewall/$log_type.log"
1412
sync=1
1409
sync=1
1413
EOF
1410
EOF
1414
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1411
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1415
		nl=`expr $nl + 1`
1412
		nl=`expr $nl + 1`
1416
	done
1413
	done
1417
	chown -R root:apache /var/log/firewall
1414
	chown -R root:apache /var/log/firewall
1418
	chmod 750 /var/log/firewall
1415
	chmod 750 /var/log/firewall
1419
	chmod 640 /var/log/firewall/*
1416
	chmod 640 /var/log/firewall/*
1420
}  # End of ulogd ()
1417
}  # End of ulogd ()
1421
 
1418
 
1422
 
1419
 
1423
##########################################################
1420
##########################################################
1424
##                    Function "nfsen"                  ##
1421
##                    Function "nfsen"                  ##
1425
## - install the nfsen grapher                          ##
1422
## - install the nfsen grapher                          ##
1426
## - install the two plugins porttracker & surfmap      ##
1423
## - install the two plugins porttracker & surfmap      ##
1427
##########################################################
1424
##########################################################
1428
nfsen()
1425
nfsen()
1429
{
1426
{
1430
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1427
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1431
# Add PortTracker plugin
1428
# Add PortTracker plugin
1432
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1429
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1433
	do
1430
	do
1434
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1431
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1435
	done
1432
	done
1436
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1433
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1437
# use of our conf file and init unit
1434
# use of our conf file and init unit
1438
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1435
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1439
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1436
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1440
	DirTmp=$(pwd)
1437
	DirTmp=$(pwd)
1441
	cd /tmp/nfsen-*/
1438
	cd /tmp/nfsen-*/
1442
	/usr/bin/perl install.pl etc/nfsen.conf
1439
	/usr/bin/perl install.pl etc/nfsen.conf
1443
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1440
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1444
# Create RRD DB for porttracker (only in it still doesn't exist)
1441
# Create RRD DB for porttracker (only in it still doesn't exist)
1445
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1442
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1446
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1443
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1447
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1444
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1448
	chmod -R 770 /var/log/netflow/porttracker
1445
	chmod -R 770 /var/log/netflow/porttracker
1449
# nfsen unit for systemd
1446
# nfsen unit for systemd
1450
	cat << EOF > /lib/systemd/system/nfsen.service
1447
	cat << EOF > /lib/systemd/system/nfsen.service
1451
#  This file is part of systemd.
1448
#  This file is part of systemd.
1452
#
1449
#
1453
#  systemd is free software; you can redistribute it and/or modify it
1450
#  systemd is free software; you can redistribute it and/or modify it
1454
#  under the terms of the GNU General Public License as published by
1451
#  under the terms of the GNU General Public License as published by
1455
#  the Free Software Foundation; either version 2 of the License, or
1452
#  the Free Software Foundation; either version 2 of the License, or
1456
#  (at your option) any later version.
1453
#  (at your option) any later version.
1457
 
1454
 
1458
# This unit launches nfsen (a Netflow grapher).
1455
# This unit launches nfsen (a Netflow grapher).
1459
[Unit]
1456
[Unit]
1460
Description= NfSen init script
1457
Description= NfSen init script
1461
After=network.target iptables.service
1458
After=network.target iptables.service
1462
 
1459
 
1463
[Service]
1460
[Service]
1464
Type=oneshot
1461
Type=oneshot
1465
RemainAfterExit=yes
1462
RemainAfterExit=yes
1466
PIDFile=/var/run/nfsen/nfsen.pid
1463
PIDFile=/var/run/nfsen/nfsen.pid
1467
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1464
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1468
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1465
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1469
ExecStart=/usr/bin/nfsen start
1466
ExecStart=/usr/bin/nfsen start
1470
ExecStop=/usr/bin/nfsen stop
1467
ExecStop=/usr/bin/nfsen stop
1471
ExecReload=/usr/bin/nfsen restart
1468
ExecReload=/usr/bin/nfsen restart
1472
TimeoutSec=0
1469
TimeoutSec=0
1473
 
1470
 
1474
[Install]
1471
[Install]
1475
WantedBy=multi-user.target
1472
WantedBy=multi-user.target
1476
EOF
1473
EOF
1477
# Add the listen port to collect netflow packet (nfcapd)
1474
# Add the listen port to collect netflow packet (nfcapd)
1478
	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1475
	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1479
# expire delay for the profile "live"
1476
# expire delay for the profile "live"
1480
	/usr/bin/systemctl start nfsen
1477
	/usr/bin/systemctl start nfsen
1481
	/bin/nfsen -m live -e 62d 2>/dev/null
1478
	/bin/nfsen -m live -e 62d 2>/dev/null
1482
# add SURFmap plugin
1479
# add SURFmap plugin
1483
	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1480
	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1484
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1481
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1485
	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1482
	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1486
	cd /tmp/
1483
	cd /tmp/
1487
	/usr/bin/sh SURFmap/install.sh
1484
	/usr/bin/sh SURFmap/install.sh
1488
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1485
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1489
# clear the installation
1486
# clear the installation
1490
	cd $DirTmp
1487
	cd $DirTmp
1491
	rm -rf /tmp/nfsen-*
1488
	rm -rf /tmp/nfsen-*
1492
	rm -rf /tmp/SURFmap*
1489
	rm -rf /tmp/SURFmap*
1493
} # End of nfsen ()
1490
} # End of nfsen ()
1494
 
1491
 
1495
##################################################
1492
###########################################################
1496
##               Function "vnstat"              ##
1493
##                     Function "vnstat"                 ##
1497
## - Initialization of Vnstat and vnstat phpFE  ##
1494
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1498
##################################################
1495
###########################################################
1499
vnstat ()
1496
vnstat ()
1500
{
1497
{
1501
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1498
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1502
	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1499
	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1503
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1500
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1504
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1501
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1505
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1502
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1506
	/usr/bin/vnstat -u -i $EXTIF
1503
	/usr/bin/vnstat -u -i $EXTIF
1507
} # End of vnstat
1504
} # End of vnstat
1508
 
1505
 
1509
################################################################
1506
################################################################
1510
##            Function "dnsmasq"                              ##
1507
##                     Function "dnsmasq"                     ##
1511
## - creation of the conf files of the 4 intances of dnsmasq  ## 
1508
## - creation of the conf files of the 4 intances of dnsmasq  ## 
1512
################################################################
1509
################################################################
1513
dnsmasq ()
1510
dnsmasq ()
1514
{
1511
{
1515
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1512
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1516
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1513
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1517
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1514
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1518
	cat << EOF > /etc/dnsmasq.conf
1515
	cat << EOF > /etc/dnsmasq.conf
1519
# Configuration file for "dnsmasq in forward mode"
1516
# Configuration file for "dnsmasq in forward mode"
1520
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1517
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1521
listen-address=$PRIVATE_IP
1518
listen-address=$PRIVATE_IP
1522
pid-file=/var/run/dnsmasq.pid
1519
pid-file=/var/run/dnsmasq.pid
1523
listen-address=127.0.0.1
1520
listen-address=127.0.0.1
1524
no-dhcp-interface=$INTIF
1521
no-dhcp-interface=$INTIF
1525
no-dhcp-interface=tun0
1522
no-dhcp-interface=tun0
1526
no-dhcp-interface=lo
1523
no-dhcp-interface=lo
1527
bind-interfaces
1524
bind-interfaces
1528
cache-size=2048
1525
cache-size=2048
1529
domain-needed
1526
domain-needed
1530
expand-hosts
1527
expand-hosts
1531
bogus-priv
1528
bogus-priv
1532
filterwin2k
1529
filterwin2k
1533
server=$DNS1
1530
server=$DNS1
1534
server=$DNS2
1531
server=$DNS2
1535
# DHCP service is configured. It will be enabled in "bypass" mode
1532
# DHCP service is configured. It will be enabled in "bypass" mode
1536
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1533
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1537
#dhcp-option=option:router,$PRIVATE_IP
1534
#dhcp-option=option:router,$PRIVATE_IP
1538
#dhcp-option=option:ntp-server,$PRIVATE_IP
1535
#dhcp-option=option:ntp-server,$PRIVATE_IP
1539
#domain=$DOMAIN
1536
#domain=$DOMAIN
1540
 
1537
 
1541
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1538
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1542
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1539
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1543
EOF
1540
EOF
1544
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1541
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1545
	cat << EOF > /etc/dnsmasq-blacklist.conf
1542
	cat << EOF > /etc/dnsmasq-blacklist.conf
1546
# Configuration file for "dnsmasq with blacklist"
1543
# Configuration file for "dnsmasq with blacklist"
1547
# Add Toulouse University blacklist domains
1544
# Add Toulouse University blacklist domains
1548
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1545
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1549
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1546
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1550
pid-file=/var/run/dnsmasq-blacklist.pid
1547
pid-file=/var/run/dnsmasq-blacklist.pid
1551
listen-address=$PRIVATE_IP
1548
listen-address=$PRIVATE_IP
1552
port=54
1549
port=54
1553
no-dhcp-interface=$INTIF
1550
no-dhcp-interface=$INTIF
1554
no-dhcp-interface=tun0
1551
no-dhcp-interface=tun0
1555
no-dhcp-interface=lo
1552
no-dhcp-interface=lo
1556
bind-interfaces
1553
bind-interfaces
1557
cache-size=2048
1554
cache-size=2048
1558
domain-needed
1555
domain-needed
1559
expand-hosts
1556
expand-hosts
1560
bogus-priv
1557
bogus-priv
1561
filterwin2k
1558
filterwin2k
1562
log-queries
1559
log-queries
1563
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1560
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1564
server=$DNS1
1561
server=$DNS1
1565
server=$DNS2
1562
server=$DNS2
1566
EOF
1563
EOF
1567
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1564
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1568
	cat << EOF > /etc/dnsmasq-whitelist.conf
1565
	cat << EOF > /etc/dnsmasq-whitelist.conf
1569
# Configuration file for "dnsmasq with whitelist"
1566
# Configuration file for "dnsmasq with whitelist"
1570
# ADD Toulouse university whitelist domains
1567
# ADD Toulouse university whitelist domains
1571
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1568
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1572
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1569
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1573
pid-file=/var/run/dnsmasq-whitelist.pid
1570
pid-file=/var/run/dnsmasq-whitelist.pid
1574
listen-address=$PRIVATE_IP
1571
listen-address=$PRIVATE_IP
1575
port=55
1572
port=55
1576
no-dhcp-interface=$INTIF
1573
no-dhcp-interface=$INTIF
1577
no-dhcp-interface=tun0
1574
no-dhcp-interface=tun0
1578
no-dhcp-interface=lo
1575
no-dhcp-interface=lo
1579
bind-interfaces
1576
bind-interfaces
1580
cache-size=1024
1577
cache-size=1024
1581
domain-needed
1578
domain-needed
1582
expand-hosts
1579
expand-hosts
1583
bogus-priv
1580
bogus-priv
1584
filterwin2k
1581
filterwin2k
1585
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1582
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1586
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
1583
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
1587
EOF
1584
EOF
1588
# 4th dnsmasq listen on udp 56 ("blackhole")
1585
# 4th dnsmasq listen on udp 56 ("blackhole")
1589
	cat << EOF > /etc/dnsmasq-blackhole.conf
1586
	cat << EOF > /etc/dnsmasq-blackhole.conf
1590
# Configuration file for "dnsmasq as a blackhole"
1587
# Configuration file for "dnsmasq as a blackhole"
1591
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1588
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1592
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1589
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1593
pid-file=/var/run/dnsmasq-blackhole.pid
1590
pid-file=/var/run/dnsmasq-blackhole.pid
1594
listen-address=$PRIVATE_IP
1591
listen-address=$PRIVATE_IP
1595
port=56
1592
port=56
1596
no-dhcp-interface=$INTIF
1593
no-dhcp-interface=$INTIF
1597
no-dhcp-interface=tun0
1594
no-dhcp-interface=tun0
1598
no-dhcp-interface=lo
1595
no-dhcp-interface=lo
1599
bind-interfaces
1596
bind-interfaces
1600
cache-size=256
1597
cache-size=256
1601
domain-needed
1598
domain-needed
1602
expand-hosts
1599
expand-hosts
1603
bogus-priv
1600
bogus-priv
1604
filterwin2k
1601
filterwin2k
1605
EOF
1602
EOF
1606
 
1603
 
1607
# the main instance should start after network and chilli (which create tun0)
1604
# the main instance should start after network and chilli (which create tun0)
1608
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1605
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1609
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1606
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1610
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1607
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1611
	for list in blacklist whitelist blackhole
1608
	for list in blacklist whitelist blackhole
1612
	do
1609
	do
1613
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1610
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1614
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1611
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1615
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1612
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1616
	done
1613
	done
1617
} # End dnsmasq
1614
} # End dnsmasq
1618
 
1615
 
1619
#######################################################
1616
##########################################################
1620
##                   Function "BL"                   ##
1617
##                      Function "BL"                   ##
-
 
1618
## - copy Toulouse BL                                   ##
-
 
1619
## - adapt this BL to ALCASAR architecture              ##
-
 
1620
##     - domain names for dnsmasq-bl & dnasmasq-wl      ##
-
 
1621
##     - URLs for E²guardian                            ##
-
 
1622
##     - IPs for NetFilter                              ##
1621
#######################################################
1623
##########################################################
1622
BL ()
1624
BL ()
1623
{
1625
{
1624
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1626
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1625
	rm -rf $DIR_DG/lists/blacklists
1627
	rm -rf $DIR_DG/lists/blacklists
1626
	mkdir -p /tmp/blacklists
1628
	mkdir -p /tmp/blacklists
1627
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1629
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1628
# creation of file for the rehabilited domains and urls
1630
# creation of file for the rehabilited domains and urls
1629
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1631
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1630
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1632
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1631
	touch $DIR_DG/lists/exceptionsitelist
1633
	touch $DIR_DG/lists/exceptionsitelist
1632
	touch $DIR_DG/lists/exceptionurllist
1634
	touch $DIR_DG/lists/exceptionurllist
1633
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
1635
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
1634
	cat <<EOF > $DIR_DG/lists/bannedurllist
1636
	cat <<EOF > $DIR_DG/lists/bannedurllist
1635
# E2guardian filter config for ALCASAR
1637
# E2guardian filter config for ALCASAR
1636
EOF
1638
EOF
1637
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1639
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1638
# E2guardian domain filter config for ALCASAR
1640
# E2guardian domain filter config for ALCASAR
1639
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1641
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1640
#**
1642
#**
1641
# block all SSL and CONNECT tunnels
1643
# block all SSL and CONNECT tunnels
1642
**s
1644
**s
1643
# block all SSL and CONNECT tunnels specified only as an IP
1645
# block all SSL and CONNECT tunnels specified only as an IP
1644
*ips
1646
*ips
1645
# block all sites specified only by an IP
1647
# block all sites specified only by an IP
1646
*ip
1648
*ip
1647
EOF
1649
EOF
1648
# Add Bing to the safesearch url regext list (parental control)
1650
# Add Bing to the safesearch url regext list (parental control)
1649
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1651
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1650
# Bing - add 'adlt=strict'
1652
# Bing - add 'adlt=strict'
1651
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1653
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1652
EOF
1654
EOF
1653
# change the google safesearch ("safe=strict" instead of "safe=vss")
1655
# change the google safesearch ("safe=strict" instead of "safe=vss")
1654
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1656
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1655
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1657
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1656
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1658
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1657
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1659
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1658
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1660
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1659
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1661
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1660
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1662
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1661
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1663
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1662
# add custom ALCASAR BL files
1664
# add custom ALCASAR BL files
1663
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1665
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1664
	do
1666
	do
1665
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1667
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1666
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1668
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1667
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1669
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1668
	done
1670
	done
1669
	chown -R e2guardian:apache $DIR_DG
1671
	chown -R e2guardian:apache $DIR_DG
1670
	chown -R root:apache $DIR_DEST_SHARE
1672
	chown -R root:apache $DIR_DEST_SHARE
1671
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1673
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1672
# adapt the Toulouse BL to ALCASAR architecture
1674
# adapt the Toulouse BL to ALCASAR architecture
1673
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1675
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1674
# enable the default categories
1676
# enable the default categories
1675
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1677
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1676
} # End BL()
1678
} # End BL()
1677
 
1679
 
1678
##########################################################
1680
#######################################################
1679
##                     Function "cron"                  ##
1681
##                  Function "cron"                  ##
-
 
1682
## - write all cron & anacron files                  ##
1680
##########################################################
1683
#######################################################
1681
cron ()
1684
cron ()
1682
{
1685
{
1683
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1686
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1684
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1687
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1685
	cat <<EOF > /etc/crontab
1688
	cat <<EOF > /etc/crontab
1686
SHELL=/usr/bin/bash
1689
SHELL=/usr/bin/bash
1687
PATH=/usr/sbin:/usr/bin
1690
PATH=/usr/sbin:/usr/bin
1688
MAILTO=root
1691
MAILTO=root
1689
HOME=/
1692
HOME=/
1690
 
1693
 
1691
# run-parts
1694
# run-parts
1692
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1695
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1693
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1696
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1694
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1697
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1695
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1698
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1696
EOF
1699
EOF
1697
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1700
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1698
	cat <<EOF >> /etc/anacrontab
1701
	cat <<EOF >> /etc/anacrontab
1699
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1702
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1700
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1703
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1701
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1704
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1702
EOF
1705
EOF
1703
 
1706
 
1704
	cat <<EOF > /etc/cron.d/alcasar-mysql
1707
	cat <<EOF > /etc/cron.d/alcasar-mysql
1705
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1708
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1706
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1709
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1707
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1710
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1708
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1711
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1709
EOF
1712
EOF
1710
	cat <<EOF > /etc/cron.d/alcasar-archive
1713
	cat <<EOF > /etc/cron.d/alcasar-archive
1711
# Archive des logs et de la base de données (tous les lundi à 5h35)
1714
# Archive des logs et de la base de données (tous les lundi à 5h35)
1712
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1715
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1713
EOF
1716
EOF
1714
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1717
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1715
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1718
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1716
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1719
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1717
EOF
1720
EOF
1718
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1721
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1719
# mise à jour automatique de la distribution tous les jours 3h30
1722
# mise à jour automatique de la distribution tous les jours 3h30
1720
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1723
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1721
EOF
1724
EOF
1722
 
1725
 
1723
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1726
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1724
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1727
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1725
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1728
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1726
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1729
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1727
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1730
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1728
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1731
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1729
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1732
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1730
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1733
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1731
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1734
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1732
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1735
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1733
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1736
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1734
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1737
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1735
EOF
1738
EOF
1736
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1739
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1737
# run the "watchdog" every 3'
1740
# run the "watchdog" every 3'
1738
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1741
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1739
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1742
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1740
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1743
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1741
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1744
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1742
EOF
1745
EOF
1743
# Enabling the watchdog every 18'
1746
# Enabling the watchdog every 18'
1744
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1747
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1745
# activate  the daemon-watchdog after boot process
1748
# activate  the daemon-watchdog after boot process
1746
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1749
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1747
# activate the daemon-watchdog every 18'
1750
# activate the daemon-watchdog every 18'
1748
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1751
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1749
EOF
1752
EOF
1750
 
1753
 
1751
# Enabling category update from rsync
1754
# Enabling category update from rsync
1752
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1755
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1753
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
1756
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
1754
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1757
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1755
EOF
1758
EOF
1756
 
1759
 
1757
# Renew the Let's Encrypt certificate
1760
# Renew the Let's Encrypt certificate
1758
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1761
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1759
# Automatic renew of the Let's Encrypt certificate
1762
# Automatic renew of the Let's Encrypt certificate
1760
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1763
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1761
EOF
1764
EOF
1762
 
1765
 
1763
# removing the users crons
1766
# removing the users crons
1764
	rm -f /var/spool/cron/*
1767
	rm -f /var/spool/cron/*
1765
} # End cron()
1768
} # End cron()
1766
 
1769
 
1767
##################################################################
1770
######################################################################
1768
## 			Fonction "Fail2Ban"			##
1771
##                      Fonction "Fail2Ban"                         ##
1769
##- Modification de la configuration de fail2ban		##
1772
##- Adapt conf file to ALCASAR                                      ##
1770
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1773
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1771
##################################################################
1774
######################################################################
1772
fail2ban()
1775
fail2ban()
1773
{
1776
{
1774
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1777
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1775
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1778
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1776
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1779
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1777
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1780
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1778
	chmod 644 /var/log/fail2ban.log
1781
	chmod 644 /var/log/fail2ban.log
1779
	chmod 644 /var/Save/security/watchdog.log
1782
	chmod 644 /var/Save/security/watchdog.log
1780
	/usr/bin/touch /var/log/auth.log
1783
	/usr/bin/touch /var/log/auth.log
1781
# fail2ban unit
1784
# fail2ban unit
1782
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1785
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1783
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1786
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1784
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1787
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1785
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1788
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1786
} # End fail2ban()
1789
} # End fail2ban()
1787
 
1790
 
1788
##################################################################
1791
#########################################################
1789
## 			Fonction "gammu_smsd"			##
1792
##                   Fonction "gammu_smsd"             ##
1790
## - Creation de la base de donnée Gammu			##
1793
## - Creating of SMS management database               ##
1791
## - Creation du fichier de config: gammu_smsd_conf		##
1794
## - Write the gammu a gammu_smsd conf files           ##
1792
##################################################################
1795
#########################################################
1793
gammu_smsd()
1796
gammu_smsd()
1794
{
1797
{
1795
# Create 'gammu' databse
1798
# Create 'gammu' databse
1796
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1799
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1797
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1800
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1798
# Add a gammu database structure
1801
# Add a gammu database structure
1799
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1802
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1800
 
1803
 
-
 
1804
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1801
# Config file for the daemon
1805
cat << EOF > /etc/gammurc
-
 
1806
[gammu]
-
 
1807
device = /dev/ttyUSB0
-
 
1808
connection = at115200
-
 
1809
EOF
-
 
1810
 
1802
cat << EOF > /etc/gammu_smsd_conf
1811
cat << EOF > /etc/gammu_smsd_conf
1803
[gammu]
1812
[gammu]
1804
port = /dev/ttyUSB0
1813
port = /dev/ttyUSB0
1805
connection = at115200
1814
connection = at115200
1806
 
1815
 
1807
;########################################################
-
 
1808
 
-
 
1809
[smsd]
1816
[smsd]
1810
 
-
 
1811
PIN = 1234
1817
PIN = 1234
1812
 
-
 
1813
logfile = /var/log/gammu-smsd/gammu-smsd.log
1818
logfile = /var/log/gammu-smsd/gammu-smsd.log
1814
logformat = textall
1819
logformat = textall
1815
debuglevel = 0
1820
debuglevel = 0
1816
 
1821
 
1817
service = sql
1822
service = sql
1818
driver = native_mysql
1823
driver = native_mysql
1819
user = $DB_USER
1824
user = $DB_USER
1820
password = $radiuspwd
1825
password = $radiuspwd
1821
pc = localhost
1826
pc = localhost
1822
database = $DB_GAMMU
1827
database = $DB_GAMMU
1823
 
1828
 
1824
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1829
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1825
 
1830
 
1826
StatusFrequency = 30
1831
StatusFrequency = 30
1827
;LoopSleep = 2
1832
;LoopSleep = 2
1828
 
1833
 
1829
;ResetFrequency = 300
1834
;ResetFrequency = 300
1830
;HardResetFrequency = 120
1835
;HardResetFrequency = 120
1831
 
1836
 
1832
CheckSecurity = 1
1837
CheckSecurity = 1
1833
CheckSignal = 1
1838
CheckSignal = 1
1834
CheckBattery = 0
1839
CheckBattery = 0
1835
EOF
1840
EOF
1836
 
1841
 
1837
chmod 755 /etc/gammu_smsd_conf
1842
chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1838
 
1843
 
1839
# Log folder for gammu-smsd
1844
# Log folder for gammu-smsd
1840
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1845
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1841
chmod 755 /var/log/gammu-smsd
1846
chmod 755 /var/log/gammu-smsd
1842
 
1847
 
1843
# Write radius credentials in the gammu script
1848
# Write radius credentials in the gammu script
1844
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1849
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1845
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1850
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1846
 
1851
 
1847
# Udev rule for Huawei GSM MODEM (idVendor: 12d1) --> run "modeswitch" to switch from "mass_storage" mode to "ttyUSB" (modem) mode
1852
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
1848
# normally not needed now since modeswitch is managed by udev (see RPM)
1853
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
1849
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
1854
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
1850
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1855
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1851
#EOF
1856
#EOF
1852
 
1857
 
-
 
1858
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
1853
} # End gammu_smsd()
1859
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
1854
 
1860
 
-
 
1861
} # End gammu_smsd()
1855
 
1862
 
1856
##################################################################
1863
############################################################
1857
##			Fonction "msec"				##
1864
##                 Fonction "msec"                        ##
1858
## - Apply the "fileserver" security level			##
1865
## - Apply the "fileserver" security level                ##
1859
## - remove the "system request" for rebboting			##
1866
## - remove the "system request" for rebboting            ##
1860
## - Fix several file permissions				##
1867
## - Fix several file permissions                         ##
1861
##################################################################
1868
############################################################
1862
msec()
1869
msec()
1863
{
1870
{
1864
 
1871
 
1865
# Apply fileserver security level
1872
# Apply fileserver security level
1866
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1873
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1867
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
1874
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
1868
 
1875
 
1869
# Set permissions monitoring and enforcement
1876
# Set permissions monitoring and enforcement
1870
cat <<EOF > /etc/security/msec/perm.local
1877
cat <<EOF > /etc/security/msec/perm.local
1871
/var/log/firefwall/                     root.apache     750
1878
/var/log/firefwall/                     root.apache     750
1872
/var/log/firewall/*                     root.apache     640
1879
/var/log/firewall/*                     root.apache     640
1873
/etc/security/msec/perm.local           root.root       640
1880
/etc/security/msec/perm.local           root.root       640
1874
/etc/security/msec/level.local          root.root       640
1881
/etc/security/msec/level.local          root.root       640
1875
/etc/freeradius-web                     root.apache     750
1882
/etc/freeradius-web                     root.apache     750
1876
/etc/freeradius-web/admin.conf          root.apache     640
1883
/etc/freeradius-web/admin.conf          root.apache     640
1877
/etc/raddb/client.conf                  radius.radius   640
1884
/etc/raddb/client.conf                  radius.radius   640
1878
/etc/raddb/radius.conf                  radius.radius   640
1885
/etc/raddb/radius.conf                  radius.radius   640
1879
/etc/raddb/mods-available/ldap          radius.apache   660
1886
/etc/raddb/mods-available/ldap          radius.apache   660
1880
/etc/raddb/sites-available/alcasar      radius.apache   660
1887
/etc/raddb/sites-available/alcasar      radius.apache   660
1881
/etc/pki/*                              root.apache     750
1888
/etc/pki/*                              root.apache     750
1882
/var/log/netflow/porttracker            root.apache     770
1889
/var/log/netflow/porttracker            root.apache     770
1883
/var/log/netflow/porttracker/*          root.apache     660
1890
/var/log/netflow/porttracker/*          root.apache     660
1884
EOF
1891
EOF
1885
# apply now hourly & daily checks
1892
# apply now hourly & daily checks
1886
/usr/sbin/msec
1893
/usr/sbin/msec
1887
/etc/cron.weekly/msec
1894
/etc/cron.weekly/msec
1888
 
1895
 
1889
} # End msec()
1896
} # End msec()
1890
 
1897
 
1891
 
1898
 
1892
##################################################################
1899
##################################################################
1893
##			Fonction "letsencrypt"			##
1900
##                   Fonction "letsencrypt"                     ##
1894
## - Install Let's Encrypt client				##
1901
## - Install Let's Encrypt client                               ##
1895
## - Prepare Let's Encrypt ALCASAR configuration file		##
1902
## - Prepare Let's Encrypt ALCASAR configuration file           ##
1896
##################################################################
1903
##################################################################
1897
letsencrypt()
1904
letsencrypt()
1898
{
1905
{
1899
	echo "Installing Let's Encrypt client..."
1906
	echo "Installing Let's Encrypt client..."
1900
 
1907
 
1901
	# Extract acme.sh
1908
	# Extract acme.sh
1902
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
1909
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
1903
 
1910
 
1904
	pwdInstall=$(pwd)
1911
	pwdInstall=$(pwd)
1905
	cd /tmp/acme.sh-*
1912
	cd /tmp/acme.sh-*
1906
 
1913
 
1907
	acmesh_installDir="/opt/acme.sh"
1914
	acmesh_installDir="/opt/acme.sh"
1908
	acmesh_confDir="/usr/local/etc/letsencrypt"
1915
	acmesh_confDir="/usr/local/etc/letsencrypt"
1909
	acmesh_userAgent="ALCASAR"
1916
	acmesh_userAgent="ALCASAR"
1910
 
1917
 
1911
	# Install acme.sh
1918
	# Install acme.sh
1912
	./acme.sh --install \
1919
	./acme.sh --install \
1913
		--home $acmesh_installDir \
1920
		--home $acmesh_installDir \
1914
		--config-home $acmesh_confDir/data \
1921
		--config-home $acmesh_confDir/data \
1915
		--certhome $acmesh_confDir/certs \
1922
		--certhome $acmesh_confDir/certs \
1916
		--accountkey $acmesh_confDir/ca/account.key \
1923
		--accountkey $acmesh_confDir/ca/account.key \
1917
		--accountconf $acmesh_confDir/data/account.conf \
1924
		--accountconf $acmesh_confDir/data/account.conf \
1918
		--useragent $acmesh_userAgent \
1925
		--useragent $acmesh_userAgent \
1919
		--nocron \
1926
		--nocron \
1920
		> /dev/null
1927
		> /dev/null
1921
 
1928
 
1922
	if [ $? -ne 0 ]; then
1929
	if [ $? -ne 0 ]; then
1923
		echo "Error during installation of Let's Encrypt client (acme.sh)."
1930
		echo "Error during installation of Let's Encrypt client (acme.sh)."
1924
	fi
1931
	fi
1925
 
1932
 
1926
	# Create configuration file
1933
	# Create configuration file
1927
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
1934
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
1928
email=
1935
email=
1929
dateIssueRequest=
1936
dateIssueRequest=
1930
domainRequest=
1937
domainRequest=
1931
challenge=
1938
challenge=
1932
dateIssued=
1939
dateIssued=
1933
dnsapi=
1940
dnsapi=
1934
dateNextRenewal=
1941
dateNextRenewal=
1935
EOF
1942
EOF
1936
 
1943
 
1937
	cd $pwdInstall
1944
	cd $pwdInstall
1938
	rm -rf /tmp/acme.sh-*
1945
	rm -rf /tmp/acme.sh-*
1939
 
1946
 
1940
} # END letsencrypt()
1947
} # END letsencrypt()
1941
 
1948
 
1942
##################################################################
1949
##################################################################
1943
##		Fonction "post_install"			##
1950
##                    Fonction "post_install"                   ##
1944
## - Modifying banners (locals et ssh) & prompts	##
1951
## - Modifying banners (locals et ssh) & prompts                ##
1945
## - SSH config						##
1952
## - SSH config                                                 ##
1946
## - sudoers config & files security			##
1953
## - sudoers config & files security                            ##
1947
## - log rotate & ANSSI security parameters		##
1954
## - log rotate & ANSSI security parameters                     ##
1948
## - Apply former conf in case of an update		##
1955
## - Apply former conf in case of an update                     ##
1949
##########################################################
1956
##################################################################
1950
post_install()
1957
post_install()
1951
{
1958
{
1952
# change the SSH banner
1959
# change the SSH banner
1953
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1960
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1954
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1961
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1955
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1962
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1956
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1963
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1957
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1964
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1958
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1965
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1959
# postfix banner anonymisation
1966
# postfix banner anonymisation
1960
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1967
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1961
	chown -R postfix:postfix /var/lib/postfix
1968
	chown -R postfix:postfix /var/lib/postfix
1962
# sshd liste on EXTIF & INTIF
1969
# sshd liste on EXTIF & INTIF
1963
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1970
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1964
# sshd authorized certificate for root login
1971
# sshd authorized certificate for root login
1965
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1972
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1966
# ALCASAR conf file
1973
# ALCASAR conf file
1967
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
1974
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
1968
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
1975
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
1969
	echo "SSH=on" >> $CONF_FILE
1976
	echo "SSH=on" >> $CONF_FILE
1970
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1977
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1971
	echo "LDAP=off" >> $CONF_FILE
1978
	echo "LDAP=off" >> $CONF_FILE
1972
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
1979
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
1973
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
1980
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
1974
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
1981
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
1975
	echo "LDAP_FILTER=" >> $CONF_FILE
1982
	echo "LDAP_FILTER=" >> $CONF_FILE
1976
	echo "LDAP_USER=alcasar" >> $CONF_FILE
1983
	echo "LDAP_USER=alcasar" >> $CONF_FILE
1977
	echo "LDAP_PASSWORD=" >> $CONF_FILE
1984
	echo "LDAP_PASSWORD=" >> $CONF_FILE
1978
	echo "MULTIWAN=off" >> $CONF_FILE
1985
	echo "MULTIWAN=off" >> $CONF_FILE
1979
	echo "FAILOVER=30" >> $CONF_FILE
1986
	echo "FAILOVER=30" >> $CONF_FILE
1980
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1987
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1981
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1988
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1982
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1989
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1983
# Prompt customisation (colors)
1990
# Prompt customisation (colors)
1984
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1991
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1985
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1992
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1986
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1993
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1987
# sudoers configuration for "apache" & "sysadmin"
1994
# sudoers configuration for "apache" & "sysadmin"
1988
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1995
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1989
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1996
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1990
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1997
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1991
# Modify some logrotate files (gammu, ulogd)
1998
# Modify some logrotate files (gammu, ulogd)
1992
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1999
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1993
	chmod 644 /etc/logrotate.d/*
2000
	chmod 644 /etc/logrotate.d/*
1994
# Log compression
2001
# Log compression
1995
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2002
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1996
# actualisation des fichiers logs compressés
2003
# actualisation des fichiers logs compressés
1997
	for dir in firewall e2guardian lighttpd
2004
	for dir in firewall e2guardian lighttpd
1998
	do
2005
	do
1999
		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2006
		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2000
	done
2007
	done
2001
# create the alcasar-load_balancing unit
2008
# create the alcasar-load_balancing unit
2002
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2009
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2003
#  This file is part of systemd.
2010
#  This file is part of systemd.
2004
#
2011
#
2005
#  systemd is free software; you can redistribute it and/or modify it
2012
#  systemd is free software; you can redistribute it and/or modify it
2006
#  under the terms of the GNU General Public License as published by
2013
#  under the terms of the GNU General Public License as published by
2007
#  the Free Software Foundation; either version 2 of the License, or
2014
#  the Free Software Foundation; either version 2 of the License, or
2008
#  (at your option) any later version.
2015
#  (at your option) any later version.
2009
 
2016
 
2010
# This unit lauches alcasar-load-balancing.sh script.
2017
# This unit lauches alcasar-load-balancing.sh script.
2011
[Unit]
2018
[Unit]
2012
Description=alcasar-load_balancing.sh execution
2019
Description=alcasar-load_balancing.sh execution
2013
After=network.target iptables.service
2020
After=network.target iptables.service
2014
 
2021
 
2015
[Service]
2022
[Service]
2016
Type=oneshot
2023
Type=oneshot
2017
RemainAfterExit=yes
2024
RemainAfterExit=yes
2018
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2025
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2019
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2026
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2020
TimeoutSec=0
2027
TimeoutSec=0
2021
SysVStartPriority=99
2028
SysVStartPriority=99
2022
 
2029
 
2023
[Install]
2030
[Install]
2024
WantedBy=multi-user.target
2031
WantedBy=multi-user.target
2025
EOF
2032
EOF
2026
# processes launched at boot time (Systemctl)
2033
# processes launched at boot time (Systemctl)
2027
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2034
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2028
	do
2035
	do
2029
		/usr/bin/systemctl -q enable $i.service
2036
		/usr/bin/systemctl -q enable $i.service
2030
	done
2037
	done
2031
 
2038
 
2032
# disable processes at boot time (Systemctl)
2039
# disable processes at boot time (Systemctl)
2033
	for i in ulogd gpm
2040
	for i in ulogd gpm
2034
	do
2041
	do
2035
		/usr/bin/systemctl -q disable $i.service
2042
		/usr/bin/systemctl -q disable $i.service
2036
	done
2043
	done
2037
 
2044
 
2038
# Apply French Security Agency (ANSSI) rules
2045
# Apply French Security Agency (ANSSI) rules
2039
# ignore ICMP broadcast (smurf attack)
2046
# ignore ICMP broadcast (smurf attack)
2040
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2047
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2041
# ignore ICMP errors bogus
2048
# ignore ICMP errors bogus
2042
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2049
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2043
# remove ICMP redirects responces
2050
# remove ICMP redirects responces
2044
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2051
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2045
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2052
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2046
# enable SYN Cookies (Syn flood attacks)
2053
# enable SYN Cookies (Syn flood attacks)
2047
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2054
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2048
# enable kernel antispoofing
2055
# enable kernel antispoofing
2049
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2056
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2050
# ignore source routing
2057
# ignore source routing
2051
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2058
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2052
# set conntrack timer to 1h (3600s) instead of 5 weeks
2059
# set conntrack timer to 1h (3600s) instead of 5 weeks
2053
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2060
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2054
# disable log_martians (ALCASAR is often installed between two private network addresses)
2061
# disable log_martians (ALCASAR is often installed between two private network addresses)
2055
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2062
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2056
# disable iptables_helpers
2063
# disable iptables_helpers
2057
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2064
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2058
# Switch to the router mode
2065
# Switch to the router mode
2059
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2066
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2060
# Remove unused service ipv6
2067
# Remove unused service ipv6
2061
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2068
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2062
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2069
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2063
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2070
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2064
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2071
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2065
# switch to multi-users runlevel (instead of x11)
2072
# switch to multi-users runlevel (instead of x11)
2066
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2073
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2067
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2074
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2068
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2075
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2069
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2076
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2070
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2077
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2071
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2078
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2072
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2079
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2073
	if [ $vm_vga == 0 ] # is not a VM
2080
	if [ $vm_vga == 0 ] # is not a VM
2074
	then
2081
	then
2075
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2082
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2076
		echo >> /etc/mageia-release
2083
		echo >> /etc/mageia-release
2077
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2084
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2078
	fi
2085
	fi
2079
	if [ $Lang == "fr" ]
2086
	if [ $Lang == "fr" ]
2080
	then
2087
	then
2081
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2088
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2082
		echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2089
		echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2083
	else
2090
	else
2084
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2091
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2085
		echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2092
		echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2086
	fi
2093
	fi
2087
	/usr/bin/update-grub2
2094
	/usr/bin/update-grub2
2088
# Load and apply the previous conf file
2095
# Load and apply the previous conf file
2089
	if [ "$mode" = "update" ]
2096
	if [ "$mode" = "update" ]
2090
	then
2097
	then
2091
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2098
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2092
		$DIR_DEST_BIN/alcasar-conf.sh --load
2099
		$DIR_DEST_BIN/alcasar-conf.sh --load
2093
		PARENT_SCRIPT=`basename $0`
2100
		PARENT_SCRIPT=`basename $0`
2094
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2101
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2095
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2102
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2096
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2103
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2097
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2104
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2098
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2105
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2099
	fi
2106
	fi
2100
	rm -f /tmp/alcasar-conf*
2107
	rm -f /tmp/alcasar-conf*
2101
	chown -R root:apache $DIR_DEST_ETC/*
2108
	chown -R root:apache $DIR_DEST_ETC/*
2102
	chmod -R 660 $DIR_DEST_ETC/*
2109
	chmod -R 660 $DIR_DEST_ETC/*
2103
	chmod ug+x $DIR_DEST_ETC/digest
2110
	chmod ug+x $DIR_DEST_ETC/digest
2104
	cd $DIR_INSTALL
2111
	cd $DIR_INSTALL
2105
	echo ""
2112
	echo ""
2106
	echo "#############################################################################"
2113
	echo "#############################################################################"
2107
	if [ $Lang == "fr" ]
2114
	if [ $Lang == "fr" ]
2108
		then
2115
		then
2109
		echo "#                        Fin d'installation d'ALCASAR                       #"
2116
		echo "#                        Fin d'installation d'ALCASAR                       #"
2110
		echo "#                                                                           #"
2117
		echo "#                                                                           #"
2111
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2118
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2112
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2119
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2113
		echo "#                                                                           #"
2120
		echo "#                                                                           #"
2114
		echo "#############################################################################"
2121
		echo "#############################################################################"
2115
		echo
2122
		echo
2116
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2123
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2117
		echo
2124
		echo
2118
		echo "- Lisez attentivement la documentation d'exploitation"
2125
		echo "- Lisez attentivement la documentation d'exploitation"
2119
		echo
2126
		echo
2120
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2127
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2121
		echo
2128
		echo
2122
		echo "                   Appuyez sur 'Entrée' pour continuer"
2129
		echo "                   Appuyez sur 'Entrée' pour continuer"
2123
	else
2130
	else
2124
		echo "#                        End of ALCASAR install process                     #"
2131
		echo "#                        End of ALCASAR install process                     #"
2125
		echo "#                                                                           #"
2132
		echo "#                                                                           #"
2126
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2133
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2127
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2134
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2128
		echo "#                                                                           #"
2135
		echo "#                                                                           #"
2129
		echo "#############################################################################"
2136
		echo "#############################################################################"
2130
		echo
2137
		echo
2131
		echo "- The system will be rebooted in order to operate ALCASAR"
2138
		echo "- The system will be rebooted in order to operate ALCASAR"
2132
		echo
2139
		echo
2133
		echo "- Read the exploitation documentation"
2140
		echo "- Read the exploitation documentation"
2134
		echo
2141
		echo
2135
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2142
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2136
		echo
2143
		echo
2137
		echo "                   Hit 'Enter' to continue"
2144
		echo "                   Hit 'Enter' to continue"
2138
	fi
2145
	fi
2139
	sleep 2
2146
	sleep 2
2140
	if [ "$mode" != "update" ] && [ "$DEBUG_ALCASAR" != "on" ]
2147
	if [ "$mode" != "update" ] && [ "$DEBUG_ALCASAR" != "on" ]
2141
	then
2148
	then
2142
		read a
2149
		read a
2143
	fi
2150
	fi
2144
	clear
2151
	clear
2145
	reboot
2152
	reboot
2146
} # End post_install ()
2153
} # End post_install ()
2147
 
2154
 
2148
#################################
2155
#####################################################################################
2149
#  	Main Install loop  	#
2156
#                                   Main Install loop                               #
2150
#################################
2157
#####################################################################################
2151
dir_exec=`dirname "$0"`
2158
dir_exec=`dirname "$0"`
2152
if [ $dir_exec != "." ]
2159
if [ $dir_exec != "." ]
2153
then
2160
then
2154
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2161
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2155
	echo "Launch this program from the ALCASAR archive directory"
2162
	echo "Launch this program from the ALCASAR archive directory"
2156
	exit 0
2163
	exit 0
2157
fi
2164
fi
2158
if [[ $EUID > 0 ]]
2165
if [[ $EUID > 0 ]]
2159
then
2166
then
2160
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2167
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2161
	echo "You must be "root" to install ALCASAR ('su' command)"
2168
	echo "You must be "root" to install ALCASAR ('su' command)"
2162
	exit 0
2169
	exit 0
2163
fi
2170
fi
2164
VERSION=`cat $DIR_INSTALL/VERSION`
2171
VERSION=`cat $DIR_INSTALL/VERSION`
2165
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2172
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2166
nb_args=$#
2173
nb_args=$#
2167
args=$1
2174
args=$1
2168
if [ $nb_args -eq 0 ]
2175
if [ $nb_args -eq 0 ]
2169
then
2176
then
2170
	nb_args=1
2177
	nb_args=1
2171
	args="-h"
2178
	args="-h"
2172
fi
2179
fi
2173
chmod -R u+x $DIR_SCRIPTS/*
2180
chmod -R u+x $DIR_SCRIPTS/*
2174
case $args in
2181
case $args in
2175
	-\? | -h* | --h*)
2182
	-\? | -h* | --h*)
2176
		echo "$usage"
2183
		echo "$usage"
2177
		exit 0
2184
		exit 0
2178
		;;
2185
		;;
2179
	-i | --install)
2186
	-i | --install)
2180
		header_install
2187
		header_install
2181
		license
2188
		license
2182
		header_install
2189
		header_install
2183
		testing
2190
		testing
2184
# RPMs install
2191
# RPMs install
2185
		$DIR_SCRIPTS/alcasar-urpmi.sh
2192
		$DIR_SCRIPTS/alcasar-urpmi.sh
2186
		if [ "$?" != "0" ]
2193
		if [ "$?" != "0" ]
2187
		then
2194
		then
2188
			exit 0
2195
			exit 0
2189
		fi
2196
		fi
2190
		if [ -e $CONF_FILE ]
2197
		if [ -e $CONF_FILE ]
2191
		then
2198
		then
2192
# Uninstall or update the running version
2199
# Uninstall or update the running version
2193
			if [ "$mode" == "update" ]
2200
			if [ "$mode" == "update" ]
2194
			then
2201
			then
2195
				$DIR_SCRIPTS/alcasar-uninstall.sh -update
2202
				$DIR_SCRIPTS/alcasar-uninstall.sh -update
2196
			else
2203
			else
2197
				$DIR_SCRIPTS/alcasar-uninstall.sh -full
2204
				$DIR_SCRIPTS/alcasar-uninstall.sh -full
2198
			fi
2205
			fi
2199
		fi
2206
		fi
2200
	if [ $DEBUG_ALCASAR == "on" ]
2207
	if [ $DEBUG_ALCASAR == "on" ]
2201
	then
2208
	then
2202
		echo "*** 'debug' : end of cleaning ***"
2209
		echo "*** 'debug' : end of cleaning ***"
2203
		read a
2210
		read a
2204
	fi
2211
	fi
2205
# Test if manual update
2212
# Test if manual update
2206
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2213
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2207
		then
2214
		then
2208
			header_install
2215
			header_install
2209
			if [ $Lang == "fr" ]
2216
			if [ $Lang == "fr" ]
2210
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2217
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2211
				else echo "The configuration file of an old version has been found";
2218
				else echo "The configuration file of an old version has been found";
2212
			fi
2219
			fi
2213
			response=0
2220
			response=0
2214
			PTN='^[oOnNyY]$'
2221
			PTN='^[oOnNyY]$'
2215
			until [[ $(expr $response : $PTN) -gt 0 ]]
2222
			until [[ $(expr $response : $PTN) -gt 0 ]]
2216
			do
2223
			do
2217
				if [ $Lang == "fr" ]
2224
				if [ $Lang == "fr" ]
2218
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2225
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2219
					else echo -n "Do you want to use it (Y/n)?";
2226
					else echo -n "Do you want to use it (Y/n)?";
2220
				 fi
2227
				 fi
2221
				read response
2228
				read response
2222
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2229
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2223
				then rm -f /tmp/alcasar-conf*
2230
				then rm -f /tmp/alcasar-conf*
2224
				fi
2231
				fi
2225
			done
2232
			done
2226
		fi
2233
		fi
2227
# Test if update
2234
# Test if update
2228
		if [ -e /tmp/alcasar-conf* ]
2235
		if [ -e /tmp/alcasar-conf* ]
2229
		then
2236
		then
2230
			if [ $Lang == "fr" ]
2237
			if [ $Lang == "fr" ]
2231
				then echo "#### Installation avec mise à jour ####";
2238
				then echo "#### Installation avec mise à jour ####";
2232
				else echo "#### Installation with update     ####";
2239
				else echo "#### Installation with update     ####";
2233
			fi
2240
			fi
2234
# Extract the central configuration file
2241
# Extract the central configuration file
2235
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
2242
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
2236
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2243
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2237
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2244
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2238
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2245
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2239
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2246
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2240
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2247
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2241
			mode="update"
2248
			mode="update"
2242
		fi
2249
		fi
2243
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
2250
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
2244
		do
2251
		do
2245
			$func
2252
			$func
2246
			if [ $DEBUG_ALCASAR == "on" ]
2253
			if [ $DEBUG_ALCASAR == "on" ]
2247
				then
2254
				then
2248
				echo "*** 'debug' : end of install '$func' ***"
2255
				echo "*** 'debug' : end of install '$func' ***"
2249
				read a
2256
				read a
2250
			fi
2257
			fi
2251
		done
2258
		done
2252
		;;
2259
		;;
2253
	-u | --uninstall)
2260
	-u | --uninstall)
2254
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2261
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2255
		then
2262
		then
2256
			if [ $Lang == "fr" ]
2263
			if [ $Lang == "fr" ]
2257
				then echo "ALCASAR n'est pas installé!";
2264
				then echo "ALCASAR n'est pas installé!";
2258
				else echo "ALCASAR isn't installed!";
2265
				else echo "ALCASAR isn't installed!";
2259
			fi
2266
			fi
2260
			exit 0
2267
			exit 0
2261
		fi
2268
		fi
2262
		response=0
2269
		response=0
2263
		PTN='^[oOnN]$'
2270
		PTN='^[oOnN]$'
2264
		until [[ $(expr $response : $PTN) -gt 0 ]]
2271
		until [[ $(expr $response : $PTN) -gt 0 ]]
2265
		do
2272
		do
2266
			if [ $Lang == "fr" ]
2273
			if [ $Lang == "fr" ]
2267
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2274
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2268
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2275
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2269
			fi
2276
			fi
2270
			read response
2277
			read response
2271
		done
2278
		done
2272
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2279
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2273
		then
2280
		then
2274
			$DIR_SCRIPTS/alcasar-conf.sh --create
2281
			$DIR_SCRIPTS/alcasar-conf.sh --create
2275
		else
2282
		else
2276
			rm -f /tmp/alcasar-conf*
2283
			rm -f /tmp/alcasar-conf*
2277
		fi
2284
		fi
2278
# Uninstall the running version
2285
# Uninstall the running version
2279
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2286
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2280
		;;
2287
		;;
2281
	*)
2288
	*)
2282
		echo "Argument inconnu :$1";
2289
		echo "Argument inconnu :$1";
2283
		echo "Unknown argument :$1";
2290
		echo "Unknown argument :$1";
2284
		echo "$usage"
2291
		echo "$usage"
2285
		exit 1
2292
		exit 1
2286
		;;
2293
		;;
2287
esac
2294
esac
2288
# end of script
2295
# end of script
2289
 
2296
 
2290
 
2297