
Rev 2549 Rev 2552
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2549 2018-05-06 02:27:57Z tom.houdayer $
2
#  $Id: alcasar.sh 2552 2018-05-08 22:21:47Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
Line 26... Line 26...
26
 
26
 
27
# Functions :
27
# Functions :
28
#	testing			: connectivity tests, free space test and mageia version test
28
#	testing			: connectivity tests, free space test and mageia version test
29
#	init			: Installation of RPM and scripts
29
#	init			: Installation of RPM and scripts
30
#	network			: Network parameters
30
#	network			: Network parameters
31
#	ACC			: ALCASAR Control Center installation
31
#	ACC				: ALCASAR Control Center installation
32
#	CA			: Certification Authority initialization
32
#	CA				: Certification Authority initialization
33
#	time_server		: NTPd configuration
33
#	time_server		: NTPd configuration
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	freeradius		: FreeRadius initialisation
35
#	freeradius		: FreeRadius initialisation
36
#	chilli			: coovachilli initialisation (+authentication page)
36
#	chilli			: coovachilli initialisation (+authentication page)
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
Line 39... Line 39...
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	nfsen			: Configuration of Nfsen Netflow grapher
41
#	nfsen			: Configuration of Nfsen Netflow grapher
42
#	dnsmasq			: Name server configuration
42
#	dnsmasq			: Name server configuration
43
#	vnstat			: little network stat daemon
43
#	vnstat			: little network stat daemon
44
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
44
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
45
#	cron			: Logs export + watchdog + connexion statistics
45
#	cron			: Logs export + watchdog + connexion statistics
46
#	fail2ban		: Fail2ban IDS installation and configuration
46
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
47
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	msec			: Mandriva security package configuration
48
#	msec			: Mandriva security package configuration
49
#	letsencrypt		: Let's Encrypt client
49
#	letsencrypt		: Let's Encrypt client
50
#	post_install		: Security, log rotation, etc.
50
#	post_install	: Security, log rotation, etc.
51
 
51
 
52
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
52
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
53
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE=`date '+%d %B %Y - %Hh%M'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
55
Lang=`echo $LANG|cut -c 1-2`
55
Lang=`echo $LANG|cut -c 1-2`
56
mode="install"
56
mode="install"
57
# ******* Files parameters - paramètres fichiers *********
57
# ******* Files parameters - paramètres fichiers *********
58
DIR_INSTALL=`pwd`				# current directory
58
DIR_INSTALL=`pwd`						# current directory
59
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
62
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
62
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
63
DIR_WEB="/var/www/html"				# directory of Lighttpd
63
DIR_WEB="/var/www/html"					# directory of Lighttpd
64
DIR_DG="/etc/e2guardian"			# directory of E2Guardian
64
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
65
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
65
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
66
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
67
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
68
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
68
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
71
# ******* DBMS parameters - paramètres SGBD ********
71
# ******* DBMS parameters - paramètres SGBD ********
72
DB_RADIUS="radius"				# database name used by FreeRadius server
72
DB_RADIUS="radius"						# database name used by FreeRadius server
73
DB_USER="radius"				# user name allows to request the users database
73
DB_USER="radius"						# user name allows to request the users database
74
DB_GAMMU="gammu"				# database name used by Gammu-smsd
74
DB_GAMMU="gammu"						# database name used by Gammu-smsd
75
# ******* Network parameters - paramètres réseau *******
75
# ******* Network parameters - paramètres réseau *******
76
HOSTNAME="alcasar"				# default hostname
76
HOSTNAME="alcasar"						# default hostname
77
DOMAIN="localdomain"				# default local domain
77
DOMAIN="localdomain"					# default local domain
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`		# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
80
MTU="1500"
80
MTU="1500"
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
82
# ****** Paths - chemin des commandes *******
82
# ****** Paths - chemin des commandes *******
83
SED="/bin/sed -i"
83
SED="/bin/sed -i"
Line 114... Line 114...
114
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "                     ALCASAR V$VERSION Installation"
115
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
	echo "-----------------------------------------------------------------------------"
116
	echo "-----------------------------------------------------------------------------"
117
}
117
}
118
 
118
 
119
##################################################################
119
########################################################
120
##			Function "testing"			##
120
##                  Function "testing"                ##
121
## - Test of Mageia version					##
121
## - Test Mageia version                              ##
122
## - Test of ALCASAR version (if already installed)		##
122
## - Test ALCASAR version (if already installed)      ##
123
## - Test of free space on /var  (>10G)				##
123
## - Test free space on /var  (>10G)                  ##
124
## - Test of Internet access					##
124
## - Test Internet access                             ##
125
##################################################################
125
########################################################
126
testing ()
126
testing ()
127
{
127
{
128
# Test of Mageia version
128
# Test of Mageia version
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
	fic=`cat /etc/product.id`
130
	fic=`cat /etc/product.id`
Line 357... Line 357...
357
	fi
357
	fi
358
	rm -rf /tmp/con_ok.html
358
	rm -rf /tmp/con_ok.html
359
	echo ". : ok"
359
	echo ". : ok"
360
} # end of testing ()
360
} # end of testing ()
361
 
361
 
362
##################################################################
362
#######################################################################
363
##			Function "init"				##
363
##                    Function "init"                                ##
364
## - Création du fichier "/root/ALCASAR_parametres.tx		##
364
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
365
## - Installation et modification des scripts du portail	##
365
## - Creation of random password for GRUB, mariadb (admin and user)  ##
366
##################################################################
366
#######################################################################
367
init ()
367
init ()
368
{
368
{
369
	if [ "$mode" != "update" ]
369
	if [ "$mode" != "update" ]
370
	then
370
	then
371
# On affecte le nom d'organisme
371
# On affecte le nom d'organisme
Line 435... Line 435...
435
DOMAIN=$DOMAIN
435
DOMAIN=$DOMAIN
436
EOF
436
EOF
437
	chmod o-rwx $CONF_FILE
437
	chmod o-rwx $CONF_FILE
438
} # End of init ()
438
} # End of init ()
439
 
439
 
440
##################################################################
440
#########################################################
441
##			Function "network"			##
441
##                    Function "network"               ##
442
## - Définition du plan d'adressage du réseau de consultation	##
442
## - Define the several network address                ##
443
## - Nommage DNS du système 					##
443
## - Define the DNS naming                             ##
444
## - Configuration de l'interface INTIF (réseau de consultation)##
444
## - INTIF parameters (consultation network)           ##
445
## - Modification du fichier /etc/hosts				##
445
## - Write "/etc/hosts" file                           ##
446
## - Renseignement des fichiers hosts.allow et hosts.deny	##
446
## - write "hosts.allow" & "hosts.deny" files          ##
447
##################################################################
447
#########################################################
448
network ()
448
network ()
449
{
449
{
450
	header_install
450
	header_install
451
	if [ "$mode" != "update" ]
451
	if [ "$mode" != "update" ]
452
		then
452
		then
Line 529... Line 529...
529
	DNS1=${DNS1:=208.67.220.220}
529
	DNS1=${DNS1:=208.67.220.220}
530
	DNS2=${DNS2:=208.67.222.222}
530
	DNS2=${DNS2:=208.67.222.222}
531
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
531
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
532
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
532
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
533
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
533
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
534
# Wrtie the conf file
534
# Write network parameters in the conf file
535
	echo "EXTIF=$EXTIF" >> $CONF_FILE
535
	echo "EXTIF=$EXTIF" >> $CONF_FILE
536
	echo "INTIF=$INTIF" >> $CONF_FILE
536
	echo "INTIF=$INTIF" >> $CONF_FILE
537
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
537
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
538
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
538
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
539
 
-
 
540
	for i in $INTERFACES
539
	for i in $INTERFACES
541
	do
540
	do
542
		SUB=`echo ${i:0:2}`
541
		SUB=`echo ${i:0:2}`
543
		if [ $SUB = "wl" ]
542
		if [ $SUB = "wl" ]
544
			then WIFIF=$i
543
			then WIFIF=$i
545
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
544
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
546
			then LANIF=$i
545
			then LANIF=$i
547
		fi
546
		fi
548
	done
547
	done
549
 
-
 
550
	if [ -n "$WIFIF" ]
548
	if [ -n "$WIFIF" ]
551
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
549
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
552
	elif [ -n "$LANIF" ]
550
	elif [ -n "$LANIF" ]
553
		then echo "LANIF=$LANIF" >> $CONF_FILE
551
		then echo "LANIF=$LANIF" >> $CONF_FILE
554
	fi
552
	fi
555
	#########################################################################################################
553
	#########################################################################################################
556
 
-
 
557
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
554
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
558
	if [ $IP_SETTING == "dhcp" ]
555
	if [ $IP_SETTING == "dhcp" ]
559
		then
556
		then
560
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
557
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
561
		echo "GW=dhcp" >> $CONF_FILE
558
		echo "GW=dhcp" >> $CONF_FILE
562
	else
559
	else
Line 578... Line 575...
578
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
575
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
579
	cat <<EOF > /etc/sysconfig/network
576
	cat <<EOF > /etc/sysconfig/network
580
NETWORKING=yes
577
NETWORKING=yes
581
FORWARD_IPV4=true
578
FORWARD_IPV4=true
582
EOF
579
EOF
583
# /etc/hosts config
580
# write "/etc/hosts"
584
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
581
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
585
	cat <<EOF > /etc/hosts
582
	cat <<EOF > /etc/hosts
586
127.0.0.1	localhost
583
127.0.0.1	localhost
587
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
584
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
588
EOF
585
EOF
589
# EXTIF (Internet) config
586
# write EXTIF (Internet) config
590
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
587
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
591
	if [ $IP_SETTING == "dhcp" ]
588
	if [ $IP_SETTING == "dhcp" ]
592
		then
589
		then
593
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
590
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
594
DEVICE=$EXTIF
591
DEVICE=$EXTIF
Line 624... Line 621...
624
ACCOUNTING=no
621
ACCOUNTING=no
625
USERCTL=no
622
USERCTL=no
626
MTU=$MTU
623
MTU=$MTU
627
EOF
624
EOF
628
	fi
625
	fi
629
# Config INTIF (consultation LAN) in normal mode
626
# write INTIF (consultation LAN) in normal mode
630
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
627
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
631
DEVICE=$INTIF
628
DEVICE=$INTIF
632
BOOTPROTO=static
629
BOOTPROTO=static
633
ONBOOT=yes
630
ONBOOT=yes
634
NOZEROCONF=yes
631
NOZEROCONF=yes
Line 637... Line 634...
637
IPV6TO4INIT=no
634
IPV6TO4INIT=no
638
ACCOUNTING=no
635
ACCOUNTING=no
639
USERCTL=no
636
USERCTL=no
640
EOF
637
EOF
641
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
638
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
642
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
639
# write INTIF in bypass mode (see "alcasar-bypass.sh")
643
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
640
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
644
DEVICE=$INTIF
641
DEVICE=$INTIF
645
BOOTPROTO=static
642
BOOTPROTO=static
646
IPADDR=$PRIVATE_IP
643
IPADDR=$PRIVATE_IP
647
NETMASK=$PRIVATE_NETMASK
644
NETMASK=$PRIVATE_NETMASK
Line 681... Line 678...
681
ACCOUNTING=no
678
ACCOUNTING=no
682
USERCTL=no
679
USERCTL=no
683
EOF
680
EOF
684
	fi
681
	fi
685
	#########################################################################################################
682
	#########################################################################################################
686
# Renseignement des fichiers hosts.allow et hosts.deny
683
# write hosts.allow & hosts.deny
687
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
684
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
688
	cat <<EOF > /etc/hosts.allow
685
	cat <<EOF > /etc/hosts.allow
689
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
686
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
690
sshd: ALL
687
sshd: ALL
691
ntpd: $PRIVATE_NETWORK_SHORT
688
ntpd: $PRIVATE_NETWORK_SHORT
Line 709... Line 706...
709
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
706
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
710
#
707
#
711
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
708
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
712
} # End of network ()
709
} # End of network ()
713
 
710
 
714
##################################################################
711
###################################################
715
##			Function "ACC"				##
712
##                  Function "ACC"               ##
716
## - installation of then ALCASAR Control Center (ACC)	)	##
713
## - copy ALCASAR Control Center (ACC) files     ##
717
## - configuration of the web server (Lighttpd)			##
714
## - configuration of the web server (Lighttpd)  ##
718
## - creation of the first ACC admin account 			##
715
## - creation of the first ACC admin account     ##
719
## - secure the access						##
716
## - secure the ACC access                       ##
720
##################################################################
717
###################################################
721
ACC ()
718
ACC ()
722
{
719
{
723
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
720
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
724
	mkdir $DIR_WEB
721
	mkdir $DIR_WEB
725
# Copy & adapt ACC files
722
# Copy & adapt ACC files
Line 794... Line 791...
794
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
791
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
795
 
792
 
796
	/usr/bin/systemctl start lighttpd
793
	/usr/bin/systemctl start lighttpd
797
	/usr/bin/systemctl start php-fpm
794
	/usr/bin/systemctl start php-fpm
798
 
795
 
799
# Définition du premier compte lié au profil 'admin'
796
# Creation of the first account (in 'admin' profile)
800
	if [ "$mode" = "install" ]
797
	if [ "$mode" = "install" ]
801
		then
798
		then
802
			header_install
799
			header_install
803
# Creation of keys file for the admin account ("admin")
800
# Creation of keys file for the admin account ("admin")
804
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
801
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
Line 816... Line 813...
816
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
813
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
817
	chown root:apache /var/Save/security/acc_access.log
814
	chown root:apache /var/Save/security/acc_access.log
818
	chmod 664 /var/Save/security/acc_access.log
815
	chmod 664 /var/Save/security/acc_access.log
819
} # End of ACC ()
816
} # End of ACC ()
820
 
817
 
821
##########################################################################
818
##################################################################
822
##				Fonction "CA"				##
819
##                               Fonction "CA"                  ##
823
## - Creating the CA and the server certificate (lighttpd)	 	##
820
## - Creating the CA and the server certificate (lighttpd)      ##
824
##########################################################################
821
##################################################################
825
CA ()
822
CA ()
826
{
823
{
827
	$DIR_DEST_BIN/alcasar-CA.sh
824
	$DIR_DEST_BIN/alcasar-CA.sh
828
 
825
 
829
	chown -R root:apache /etc/pki
826
	chown -R root:apache /etc/pki
830
	chmod -R 750 /etc/pki
827
	chmod -R 750 /etc/pki
831
} # End of CA ()
828
} # End of CA ()
832
 
829
 
833
##################################################################
830
#############################################################
834
##                    Function "time_server"                    ##
831
##               Function "time_server"                    ##
835
## - Configuring NTP server                                     ##
832
## - Configuring NTP server                                ##
836
##################################################################
833
#############################################################
837
time_server ()
834
time_server ()
838
{
835
{
839
# Set the Internet time server
836
# Set the Internet time server
840
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
837
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
841
	cat <<EOF > /etc/ntp/step-tickers
838
	cat <<EOF > /etc/ntp/step-tickers
Line 1024... Line 1021...
1024
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1021
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1025
 
1022
 
1026
} # End freeradius ()
1023
} # End freeradius ()
1027
 
1024
 
1028
#############################################################################
1025
#############################################################################
1029
##                              Function "chilli"                          ##
1026
##                           Function "chilli"                             ##
1030
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1027
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1031
## - Adapt the authentication web page (intercept.php)                     ##
1028
## - Adapt the authentication web page (intercept.php)                     ##
1032
#############################################################################
1029
#############################################################################
1033
chilli ()
1030
chilli ()
1034
{
1031
{
Line 1337... Line 1334...
1337
	/usr/bin/freshclam --no-warnings
1334
	/usr/bin/freshclam --no-warnings
1338
} # End of antivirus ()
1335
} # End of antivirus ()
1339
 
1336
 
1340
################################################################################
1337
################################################################################
1341
##                           Function "tinyproxy"                             ##
1338
##                           Function "tinyproxy"                             ##
1342
## - Set the parameters of tinyproxy (proxy between filterde users and havp)  ##
1339
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1343
################################################################################
1340
################################################################################
1344
tinyproxy ()
1341
tinyproxy ()
1345
{
1342
{
1346
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1343
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1347
	if [ "$tinyproxy_exist" == "1" ]
1344
	if [ "$tinyproxy_exist" == "1" ]
Line 1490... Line 1487...
1490
	cd $DirTmp
1487
	cd $DirTmp
1491
	rm -rf /tmp/nfsen-*
1488
	rm -rf /tmp/nfsen-*
1492
	rm -rf /tmp/SURFmap*
1489
	rm -rf /tmp/SURFmap*
1493
} # End of nfsen ()
1490
} # End of nfsen ()
1494
 
1491
 
1495
##################################################
1492
###########################################################
1496
##               Function "vnstat"              ##
1493
##                     Function "vnstat"                 ##
1497
## - Initialization of Vnstat and vnstat phpFE  ##
1494
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1498
##################################################
1495
###########################################################
1499
vnstat ()
1496
vnstat ()
1500
{
1497
{
1501
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1498
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1502
	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1499
	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1503
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1500
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
Line 1505... Line 1502...
1505
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1502
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1506
	/usr/bin/vnstat -u -i $EXTIF
1503
	/usr/bin/vnstat -u -i $EXTIF
1507
} # End of vnstat
1504
} # End of vnstat
1508
 
1505
 
1509
################################################################
1506
################################################################
1510
##            Function "dnsmasq"                              ##
1507
##                     Function "dnsmasq"                     ##
1511
## - creation of the conf files of the 4 intances of dnsmasq  ## 
1508
## - creation of the conf files of the 4 intances of dnsmasq  ## 
1512
################################################################
1509
################################################################
1513
dnsmasq ()
1510
dnsmasq ()
1514
{
1511
{
1515
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1512
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
Line 1614... Line 1611...
1614
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1611
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1615
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1612
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1616
	done
1613
	done
1617
} # End dnsmasq
1614
} # End dnsmasq
1618
 
1615
 
1619
#######################################################
1616
##########################################################
1620
##                   Function "BL"                   ##
1617
##                      Function "BL"                   ##
-
 
1618
## - copy Toulouse BL                                   ##
-
 
1619
## - adapt this BL to ALCASAR architecture              ##
-
 
1620
##     - domain names for dnsmasq-bl & dnasmasq-wl      ##
-
 
1621
##     - URLs for E²guardian                            ##
-
 
1622
##     - IPs for NetFilter                              ##
1621
#######################################################
1623
##########################################################
1622
BL ()
1624
BL ()
1623
{
1625
{
1624
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1626
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1625
	rm -rf $DIR_DG/lists/blacklists
1627
	rm -rf $DIR_DG/lists/blacklists
1626
	mkdir -p /tmp/blacklists
1628
	mkdir -p /tmp/blacklists
Line 1673... Line 1675...
1673
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1675
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1674
# enable the default categories
1676
# enable the default categories
1675
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1677
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1676
} # End BL()
1678
} # End BL()
1677
 
1679
 
1678
##########################################################
1680
#######################################################
1679
##                     Function "cron"                  ##
1681
##                  Function "cron"                  ##
-
 
1682
## - write all cron & anacron files                  ##
1680
##########################################################
1683
#######################################################
1681
cron ()
1684
cron ()
1682
{
1685
{
1683
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1686
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1684
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1687
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1685
	cat <<EOF > /etc/crontab
1688
	cat <<EOF > /etc/crontab
Line 1762... Line 1765...
1762
 
1765
 
1763
# removing the users crons
1766
# removing the users crons
1764
	rm -f /var/spool/cron/*
1767
	rm -f /var/spool/cron/*
1765
} # End cron()
1768
} # End cron()
1766
 
1769
 
1767
##################################################################
1770
######################################################################
1768
## 			Fonction "Fail2Ban"			##
1771
##                      Fonction "Fail2Ban"                         ##
1769
##- Modification de la configuration de fail2ban		##
1772
##- Adapt conf file to ALCASAR                                      ##
1770
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1773
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1771
##################################################################
1774
######################################################################
1772
fail2ban()
1775
fail2ban()
1773
{
1776
{
1774
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1777
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1775
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1778
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1776
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1779
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
Line 1783... Line 1786...
1783
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1786
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1784
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1787
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1785
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1788
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1786
} # End fail2ban()
1789
} # End fail2ban()
1787
 
1790
 
1788
##################################################################
1791
#########################################################
1789
## 			Fonction "gammu_smsd"			##
1792
##                   Fonction "gammu_smsd"             ##
1790
## - Creation de la base de donnée Gammu			##
1793
## - Creating of SMS management database               ##
1791
## - Creation du fichier de config: gammu_smsd_conf		##
1794
## - Write the gammu a gammu_smsd conf files           ##
1792
##################################################################
1795
#########################################################
1793
gammu_smsd()
1796
gammu_smsd()
1794
{
1797
{
1795
# Create 'gammu' databse
1798
# Create 'gammu' databse
1796
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1799
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1797
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1800
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1798
# Add a gammu database structure
1801
# Add a gammu database structure
1799
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1802
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1800
 
1803
 
-
 
1804
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1801
# Config file for the daemon
1805
cat << EOF > /etc/gammurc
-
 
1806
[gammu]
-
 
1807
device = /dev/ttyUSB0
-
 
1808
connection = at115200
-
 
1809
EOF
-
 
1810
 
1802
cat << EOF > /etc/gammu_smsd_conf
1811
cat << EOF > /etc/gammu_smsd_conf
1803
[gammu]
1812
[gammu]
1804
port = /dev/ttyUSB0
1813
port = /dev/ttyUSB0
1805
connection = at115200
1814
connection = at115200
1806
 
1815
 
1807
;########################################################
-
 
1808
 
-
 
1809
[smsd]
1816
[smsd]
1810
 
-
 
1811
PIN = 1234
1817
PIN = 1234
1812
 
-
 
1813
logfile = /var/log/gammu-smsd/gammu-smsd.log
1818
logfile = /var/log/gammu-smsd/gammu-smsd.log
1814
logformat = textall
1819
logformat = textall
1815
debuglevel = 0
1820
debuglevel = 0
1816
 
1821
 
1817
service = sql
1822
service = sql
Line 1832... Line 1837...
1832
CheckSecurity = 1
1837
CheckSecurity = 1
1833
CheckSignal = 1
1838
CheckSignal = 1
1834
CheckBattery = 0
1839
CheckBattery = 0
1835
EOF
1840
EOF
1836
 
1841
 
1837
chmod 755 /etc/gammu_smsd_conf
1842
chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1838
 
1843
 
1839
# Log folder for gammu-smsd
1844
# Log folder for gammu-smsd
1840
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1845
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1841
chmod 755 /var/log/gammu-smsd
1846
chmod 755 /var/log/gammu-smsd
1842
 
1847
 
1843
# Write radius credentials in the gammu script
1848
# Write radius credentials in the gammu script
1844
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1849
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1845
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1850
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1846
 
1851
 
1847
# Udev rule for Huawei GSM MODEM (idVendor: 12d1) --> run "modeswitch" to switch from "mass_storage" mode to "ttyUSB" (modem) mode
1852
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
1848
# normally not needed now since modeswitch is managed by udev (see RPM)
1853
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
1849
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
1854
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
1850
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1855
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1851
#EOF
1856
#EOF
1852
 
1857
 
-
 
1858
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
1853
} # End gammu_smsd()
1859
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
1854
 
1860
 
-
 
1861
} # End gammu_smsd()
1855
 
1862
 
1856
##################################################################
1863
############################################################
1857
##			Fonction "msec"				##
1864
##                 Fonction "msec"                        ##
1858
## - Apply the "fileserver" security level			##
1865
## - Apply the "fileserver" security level                ##
1859
## - remove the "system request" for rebboting			##
1866
## - remove the "system request" for rebboting            ##
1860
## - Fix several file permissions				##
1867
## - Fix several file permissions                         ##
1861
##################################################################
1868
############################################################
1862
msec()
1869
msec()
1863
{
1870
{
1864
 
1871
 
1865
# Apply fileserver security level
1872
# Apply fileserver security level
1866
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1873
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
Line 1888... Line 1895...
1888
 
1895
 
1889
} # End msec()
1896
} # End msec()
1890
 
1897
 
1891
 
1898
 
1892
##################################################################
1899
##################################################################
1893
##			Fonction "letsencrypt"			##
1900
##                   Fonction "letsencrypt"                     ##
1894
## - Install Let's Encrypt client				##
1901
## - Install Let's Encrypt client                               ##
1895
## - Prepare Let's Encrypt ALCASAR configuration file		##
1902
## - Prepare Let's Encrypt ALCASAR configuration file           ##
1896
##################################################################
1903
##################################################################
1897
letsencrypt()
1904
letsencrypt()
1898
{
1905
{
1899
	echo "Installing Let's Encrypt client..."
1906
	echo "Installing Let's Encrypt client..."
1900
 
1907
 
Line 1938... Line 1945...
1938
	rm -rf /tmp/acme.sh-*
1945
	rm -rf /tmp/acme.sh-*
1939
 
1946
 
1940
} # END letsencrypt()
1947
} # END letsencrypt()
1941
 
1948
 
1942
##################################################################
1949
##################################################################
1943
##		Fonction "post_install"			##
1950
##                    Fonction "post_install"                   ##
1944
## - Modifying banners (locals et ssh) & prompts	##
1951
## - Modifying banners (locals et ssh) & prompts                ##
1945
## - SSH config						##
1952
## - SSH config                                                 ##
1946
## - sudoers config & files security			##
1953
## - sudoers config & files security                            ##
1947
## - log rotate & ANSSI security parameters		##
1954
## - log rotate & ANSSI security parameters                     ##
1948
## - Apply former conf in case of an update		##
1955
## - Apply former conf in case of an update                     ##
1949
##########################################################
1956
##################################################################
1950
post_install()
1957
post_install()
1951
{
1958
{
1952
# change the SSH banner
1959
# change the SSH banner
1953
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1960
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1954
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1961
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
Line 2143... Line 2150...
2143
	fi
2150
	fi
2144
	clear
2151
	clear
2145
	reboot
2152
	reboot
2146
} # End post_install ()
2153
} # End post_install ()
2147
 
2154
 
2148
#################################
2155
#####################################################################################
2149
#  	Main Install loop  	#
2156
#                                   Main Install loop                               #
2150
#################################
2157
#####################################################################################
2151
dir_exec=`dirname "$0"`
2158
dir_exec=`dirname "$0"`
2152
if [ $dir_exec != "." ]
2159
if [ $dir_exec != "." ]
2153
then
2160
then
2154
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2161
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2155
	echo "Launch this program from the ALCASAR archive directory"
2162
	echo "Launch this program from the ALCASAR archive directory"