Subversion Repositories ALCASAR

Rev

Rev 2558 | Rev 2561 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2558 Rev 2560
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2558 2018-06-05 21:56:34Z rexy $
2
#  $Id: alcasar.sh 2560 2018-06-10 21:04:56Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
 
26
 
27
# Functions :
27
# Functions :
28
#	testing			: connectivity tests, free space test and mageia version test
28
#	testing			: connectivity tests, free space test and mageia version test
29
#	init			: Installation of RPM and scripts
29
#	init			: Installation of RPM and scripts
30
#	network			: Network parameters
30
#	network			: Network parameters
31
#	ACC				: ALCASAR Control Center installation
31
#	ACC				: ALCASAR Control Center installation
32
#	CA				: Certification Authority initialization
32
#	CA				: Certification Authority initialization
33
#	time_server		: NTPd configuration
33
#	time_server		: NTPd configuration
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	freeradius		: FreeRadius initialisation
35
#	freeradius		: FreeRadius initialisation
36
#	chilli			: coovachilli initialisation (+authentication page)
36
#	chilli			: coovachilli initialisation (+authentication page)
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
38
#	antivirus		: HAVP + libclamav configuration
38
#	antivirus		: HAVP + libclamav configuration
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	nfsen			: Configuration of Nfsen Netflow grapher
41
#	nfsen			: Configuration of Nfsen Netflow grapher
42
#	dnsmasq			: Name server configuration
42
#	dnsmasq			: Name server configuration
43
#	vnstat			: little network stat daemon
43
#	vnstat			: little network stat daemon
44
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
44
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
45
#	cron			: Logs export + watchdog + connexion statistics
45
#	cron			: Logs export + watchdog + connexion statistics
46
#	fail2ban		: Fail2ban IDS installation and configuration
46
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
47
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	msec			: Mandriva security package configuration
48
#	msec			: Mandriva security package configuration
49
#	letsencrypt		: Let's Encrypt client
49
#	letsencrypt		: Let's Encrypt client
50
#	post_install	: Security, log rotation, etc.
50
#	post_install	: Security, log rotation, etc.
51
 
51
 
52
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
52
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
53
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE=`date '+%d %B %Y - %Hh%M'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
55
Lang=`echo $LANG|cut -c 1-2`
55
Lang=`echo $LANG|cut -c 1-2`
56
mode="install"
56
mode="install"
57
# ******* Files parameters - paramètres fichiers *********
57
# ******* Files parameters - paramètres fichiers *********
58
DIR_INSTALL=`pwd`						# current directory
58
DIR_INSTALL=`pwd`						# current directory
59
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
62
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
62
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
63
DIR_WEB="/var/www/html"					# directory of Lighttpd
63
DIR_WEB="/var/www/html"					# directory of Lighttpd
64
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
64
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
65
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
65
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
66
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
67
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
68
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
68
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
71
# ******* DBMS parameters - paramètres SGBD ********
71
# ******* DBMS parameters - paramètres SGBD ********
72
DB_RADIUS="radius"						# database name used by FreeRadius server
72
DB_RADIUS="radius"						# database name used by FreeRadius server
73
DB_USER="radius"						# user name allows to request the users database
73
DB_USER="radius"						# user name allows to request the users database
74
DB_GAMMU="gammu"						# database name used by Gammu-smsd
74
DB_GAMMU="gammu"						# database name used by Gammu-smsd
75
# ******* Network parameters - paramètres réseau *******
75
# ******* Network parameters - paramètres réseau *******
76
HOSTNAME="alcasar"						# default hostname
76
HOSTNAME="alcasar"						# default hostname
77
DOMAIN="localdomain"					# default local domain
77
DOMAIN="localdomain"					# default local domain
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`		# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`		# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
80
MTU="1500"
80
MTU="1500"
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
82
# ****** Paths - chemin des commandes *******
82
# ****** Paths - chemin des commandes *******
83
SED="/bin/sed -i"
83
SED="/bin/sed -i"
84
# ****************** End of global parameters *********************
84
# ****************** End of global parameters *********************
85
 
85
 
86
license ()
86
license ()
87
{
87
{
88
	if [ $Lang == "fr" ]
88
	if [ $Lang == "fr" ]
89
	then
89
	then
90
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
91
	else
91
	else
92
		cat $DIR_INSTALL/gpl-warning.txt | more
92
		cat $DIR_INSTALL/gpl-warning.txt | more
93
	fi
93
	fi
94
	response=0
94
	response=0
95
	PTN='^[oOyYnN]$'
95
	PTN='^[oOyYnN]$'
96
	until [[ $(expr $response : $PTN) -gt 0 ]]
96
	until [[ $(expr $response : $PTN) -gt 0 ]]
97
	do
97
	do
98
		if [ $Lang == "fr" ]
98
		if [ $Lang == "fr" ]
99
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
100
			else echo -n "Do you accept the terms of this license (Y/n)? : "
100
			else echo -n "Do you accept the terms of this license (Y/n)? : "
101
		fi
101
		fi
102
		read response
102
		read response
103
	done
103
	done
104
	if [ "$response" = "n" ] || [ "$response" = "N" ]
104
	if [ "$response" = "n" ] || [ "$response" = "N" ]
105
	then
105
	then
106
		exit 1
106
		exit 1
107
	fi
107
	fi
108
}
108
}
109
 
109
 
110
header_install ()
110
header_install ()
111
{
111
{
112
	clear
112
	clear
113
	echo "-----------------------------------------------------------------------------"
113
	echo "-----------------------------------------------------------------------------"
114
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "                     ALCASAR V$VERSION Installation"
115
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
	echo "-----------------------------------------------------------------------------"
116
	echo "-----------------------------------------------------------------------------"
117
}
117
}
118
 
118
 
119
########################################################
119
########################################################
120
##                  Function "testing"                ##
120
##                  Function "testing"                ##
121
## - Test Mageia version                              ##
121
## - Test Mageia version                              ##
122
## - Test ALCASAR version (if already installed)      ##
122
## - Test ALCASAR version (if already installed)      ##
123
## - Test free space on /var  (>10G)                  ##
123
## - Test free space on /var  (>10G)                  ##
124
## - Test Internet access                             ##
124
## - Test Internet access                             ##
125
########################################################
125
########################################################
126
testing ()
126
testing ()
127
{
127
{
128
# Test of Mageia version
128
# Test of Mageia version
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
	fic=`cat /etc/product.id`
130
	fic=`cat /etc/product.id`
131
	unknown_os=0
131
	unknown_os=0
132
	old="$IFS"
132
	old="$IFS"
133
	IFS=","
133
	IFS=","
134
	set $fic
134
	set $fic
135
	for i in $*
135
	for i in $*
136
	do
136
	do
137
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
			then
138
			then
139
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
			unknown_os=`expr $unknown_os + 1`
140
			unknown_os=`expr $unknown_os + 1`
141
		fi
141
		fi
142
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
143
			then
143
			then
144
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
145
			unknown_os=`expr $unknown_os + 1`
145
			unknown_os=`expr $unknown_os + 1`
146
		fi
146
		fi
147
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
148
			then
148
			then
149
			ARCH=`echo $i|cut -d"=" -f2`
149
			ARCH=`echo $i|cut -d"=" -f2`
150
			unknown_os=`expr $unknown_os + 1`
150
			unknown_os=`expr $unknown_os + 1`
151
		fi
151
		fi
152
	done
152
	done
153
	if [ "$ARCH" == "i586" ]
153
	if [ "$ARCH" == "i586" ]
154
		then
154
		then
155
		if [ $Lang == "fr" ]
155
		if [ $Lang == "fr" ]
156
			then echo -n "Votre architecture matérielle doit être en 64bits"
156
			then echo -n "Votre architecture matérielle doit être en 64bits"
157
			else echo -n "You hardware architecture must be 64bits"
157
			else echo -n "You hardware architecture must be 64bits"
158
		fi
158
		fi
159
		exit 1
159
		exit 1
160
	fi
160
	fi
161
	IFS="$old"
161
	IFS="$old"
162
# Test if ALCASAR is already installed
162
# Test if ALCASAR is already installed
163
	if [ -e $CONF_FILE ]
163
	if [ -e $CONF_FILE ]
164
	then
164
	then
165
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
165
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
166
		if [ $Lang == "fr" ]
166
		if [ $Lang == "fr" ]
167
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
167
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
168
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
168
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
169
		fi
169
		fi
170
		response=0
170
		response=0
171
		PTN='^[12]$'
171
		PTN='^[12]$'
172
		until [[ $(expr $response : $PTN) -gt 0 ]]
172
		until [[ $(expr $response : $PTN) -gt 0 ]]
173
		do
173
		do
174
			if [ $Lang == "fr" ]
174
			if [ $Lang == "fr" ]
175
			then
175
			then
176
				echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
176
				echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
177
			else
177
			else
178
				echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
178
				echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
179
			fi
179
			fi
180
			read response
180
			read response
181
		done
181
		done
182
		if [ "$response" = "2" ]
182
		if [ "$response" = "2" ]
183
		then
183
		then
184
			rm -f /tmp/alcasar-conf*
184
			rm -f /var/tmp/alcasar-conf*
185
		else
185
		else
186
# Retrieve former NICname
186
# Retrieve former NICname
187
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
187
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
188
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
188
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
189
			[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
189
			[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
190
			[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
190
			[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
191
# Create the current conf file
191
# Create the current conf file
192
			$DIR_SCRIPTS/alcasar-conf.sh --create
192
			$DIR_SCRIPTS/alcasar-conf.sh --create
193
			mode="update"
193
			mode="update"
194
		fi
194
		fi
195
	fi
195
	fi
196
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
196
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
197
		then
197
		then
198
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
198
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
199
			then
199
			then
200
			echo
200
			echo
201
			if [ $Lang == "fr" ]
201
			if [ $Lang == "fr" ]
202
				then
202
				then
203
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
203
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
204
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
204
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
205
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
205
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
206
				echo "3 - Importez votre base des usagers"
206
				echo "3 - Importez votre base des usagers"
207
			else
207
			else
208
				echo "The automatic update of ALCASAR can't be performed."
208
				echo "The automatic update of ALCASAR can't be performed."
209
				echo "1 - Save your traceability files and the user database"
209
				echo "1 - Save your traceability files and the user database"
210
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
210
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
211
				echo "3 - Import your users database"
211
				echo "3 - Import your users database"
212
			fi
212
			fi
213
		else
213
		else
214
			if [ $Lang == "fr" ]
214
			if [ $Lang == "fr" ]
215
				then
215
				then
216
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
216
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
217
			else
217
			else
218
				echo "The installation of ALCASAR can't be performed."
218
				echo "The installation of ALCASAR can't be performed."
219
			fi
219
			fi
220
		fi
220
		fi
221
		echo
221
		echo
222
		if [ $Lang == "fr" ]
222
		if [ $Lang == "fr" ]
223
			then
223
			then
224
			echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
224
			echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
225
		else
225
		else
226
			echo "The OS must be replaced (Mageia6-64bits)"
226
			echo "The OS must be replaced (Mageia6-64bits)"
227
		fi
227
		fi
228
		exit 0
228
		exit 0
229
	fi
229
	fi
230
	if [ ! -d /var/log/netflow/porttracker ]
230
	if [ ! -d /var/log/netflow/porttracker ]
231
		then
231
		then
232
# Test free space on /var
232
# Test free space on /var
233
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
233
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
234
		if [ $free_space -lt 10 ]
234
		if [ $free_space -lt 10 ]
235
			then
235
			then
236
			if [ $Lang == "fr" ]
236
			if [ $Lang == "fr" ]
237
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
237
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
238
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
238
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
239
			fi
239
			fi
240
		exit 0
240
		exit 0
241
		fi
241
		fi
242
	fi
242
	fi
243
	if [ $Lang == "fr" ]
243
	if [ $Lang == "fr" ]
244
		then echo -n "Tests des paramètres réseau : "
244
		then echo -n "Tests des paramètres réseau : "
245
		else echo -n "Network parameters tests: "
245
		else echo -n "Network parameters tests: "
246
	fi
246
	fi
247
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
247
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
248
	cd /etc/sysconfig/network-scripts/
248
	cd /etc/sysconfig/network-scripts/
249
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
249
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
250
	for i in $IF_INTERFACES
250
	for i in $IF_INTERFACES
251
	do
251
	do
252
		if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
252
		if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
253
			rm -f ifcfg-$i
253
			rm -f ifcfg-$i
254
 
254
 
255
			if [ $Lang == "fr" ]
255
			if [ $Lang == "fr" ]
256
				then echo "Suppression : ifcfg-$i"
256
				then echo "Suppression : ifcfg-$i"
257
				else echo "Deleting: ifcfg-$i"
257
				else echo "Deleting: ifcfg-$i"
258
			fi
258
			fi
259
		fi
259
		fi
260
	done
260
	done
261
	cd $DIR_INSTALL
261
	cd $DIR_INSTALL
262
	echo -n "."
262
	echo -n "."
263
# Test Ethernet NIC links state
263
# Test Ethernet NIC links state
264
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
264
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
265
	for i in $DOWN_IF
265
	for i in $DOWN_IF
266
	do
266
	do
267
		echo $i
267
		echo $i
268
		if [ $Lang == "fr" ]
268
		if [ $Lang == "fr" ]
269
		then
269
		then
270
			echo "Échec"
270
			echo "Échec"
271
			echo "Le lien réseau de la carte $i n'est pas actif."
271
			echo "Le lien réseau de la carte $i n'est pas actif."
272
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
272
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
273
		else
273
		else
274
			echo "Failed"
274
			echo "Failed"
275
			echo "The link state of $i interface is down."
275
			echo "The link state of $i interface is down."
276
			echo "Make sure that this network card is connected to a switch or an A.P."
276
			echo "Make sure that this network card is connected to a switch or an A.P."
277
		fi
277
		fi
278
		exit 0
278
		exit 0
279
	done
279
	done
280
	echo -n "."
280
	echo -n "."
281
# Test EXTIF config files
281
# Test EXTIF config files
282
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
282
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
283
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
283
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
284
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
284
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
285
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
285
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
286
	then
286
	then
287
		if [ $Lang == "fr" ]
287
		if [ $Lang == "fr" ]
288
		then
288
		then
289
			echo "Échec"
289
			echo "Échec"
290
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
290
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
291
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
291
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
292
			echo "Appliquez les changements : 'systemctl restart network'"
292
			echo "Appliquez les changements : 'systemctl restart network'"
293
		else
293
		else
294
			echo "Failed"
294
			echo "Failed"
295
			echo "The Internet connected network card ($EXTIF) isn't well configured."
295
			echo "The Internet connected network card ($EXTIF) isn't well configured."
296
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
296
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
297
			echo "Apply the new configuration 'systemctl restart network'"
297
			echo "Apply the new configuration 'systemctl restart network'"
298
		fi
298
		fi
299
		echo "DEVICE=$EXTIF"
299
		echo "DEVICE=$EXTIF"
300
		echo "IPADDR="
300
		echo "IPADDR="
301
		echo "NETMASK="
301
		echo "NETMASK="
302
		echo "GATEWAY="
302
		echo "GATEWAY="
303
		echo "DNS1="
303
		echo "DNS1="
304
		echo "DNS2="
304
		echo "DNS2="
305
		echo "ONBOOT=yes"
305
		echo "ONBOOT=yes"
306
		exit 0
306
		exit 0
307
	fi
307
	fi
308
	echo -n "."
308
	echo -n "."
309
# Test if default GW is set on EXTIF (router or ISP provider equipment)
309
# Test if default GW is set on EXTIF (router or ISP provider equipment)
310
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
310
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
311
		if [ $Lang == "fr" ]
311
		if [ $Lang == "fr" ]
312
		then
312
		then
313
			echo "Échec"
313
			echo "Échec"
314
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
314
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
315
			echo "Réglez ce problème puis relancez ce script."
315
			echo "Réglez ce problème puis relancez ce script."
316
		else
316
		else
317
			echo "Failed"
317
			echo "Failed"
318
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
318
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
319
			echo "Resolv this problem, then restart this script."
319
			echo "Resolv this problem, then restart this script."
320
		fi
320
		fi
321
		exit 0
321
		exit 0
322
	fi
322
	fi
323
	echo -n "."
323
	echo -n "."
324
# Test if default GW is alive
324
# Test if default GW is alive
325
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
325
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
326
	if [ $(expr $arp_reply) -eq 0 ]
326
	if [ $(expr $arp_reply) -eq 0 ]
327
		then
327
		then
328
		if [ $Lang == "fr" ]
328
		if [ $Lang == "fr" ]
329
		then
329
		then
330
			echo "Échec"
330
			echo "Échec"
331
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
331
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
332
			echo "Réglez ce problème puis relancez ce script."
332
			echo "Réglez ce problème puis relancez ce script."
333
		else
333
		else
334
			echo "Failed"
334
			echo "Failed"
335
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
335
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
336
			echo "Resolv this problem, then restart this script."
336
			echo "Resolv this problem, then restart this script."
337
		fi
337
		fi
338
		exit 0
338
		exit 0
339
	fi
339
	fi
340
	echo -n "."
340
	echo -n "."
341
# Test Internet connectivity
341
# Test Internet connectivity
342
	rm -rf /tmp/con_ok.html
342
	rm -rf /tmp/con_ok.html
343
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
343
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
344
	if [ ! -e /tmp/con_ok.html ]
344
	if [ ! -e /tmp/con_ok.html ]
345
	then
345
	then
346
		if [ $Lang == "fr" ]
346
		if [ $Lang == "fr" ]
347
		then
347
		then
348
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
348
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
349
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
349
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
350
			echo "Vérifiez la validité des adresses IP des DNS."
350
			echo "Vérifiez la validité des adresses IP des DNS."
351
		else
351
		else
352
			echo "The Internet connection try failed (google.fr)."
352
			echo "The Internet connection try failed (google.fr)."
353
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
353
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
354
			echo "Verify the DNS IP addresses"
354
			echo "Verify the DNS IP addresses"
355
		fi
355
		fi
356
		exit 0
356
		exit 0
357
	fi
357
	fi
358
	rm -rf /tmp/con_ok.html
358
	rm -rf /tmp/con_ok.html
359
	echo ". : ok"
359
	echo ". : ok"
360
} # end of testing ()
360
} # end of testing ()
361
 
361
 
362
#######################################################################
362
#######################################################################
363
##                    Function "init"                                ##
363
##                    Function "init"                                ##
364
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
364
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
365
## - Creation of random password for GRUB, mariadb (admin and user)  ##
365
## - Creation of random password for GRUB, mariadb (admin and user)  ##
366
#######################################################################
366
#######################################################################
367
init ()
367
init ()
368
{
368
{
369
	if [ "$mode" != "update" ]
369
	if [ "$mode" != "update" ]
370
	then
370
	then
371
# On affecte le nom d'organisme
371
# On affecte le nom d'organisme
372
		header_install
372
		header_install
373
		ORGANISME=!
373
		ORGANISME=!
374
		PTN='^[a-zA-Z0-9-]*$'
374
		PTN='^[a-zA-Z0-9-]*$'
375
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
375
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
376
		do
376
		do
377
			if [ $Lang == "fr" ]
377
			if [ $Lang == "fr" ]
378
				then echo -n "Entrez le nom de votre organisme : "
378
				then echo -n "Entrez le nom de votre organisme : "
379
				else echo -n "Enter the name of your organism : "
379
				else echo -n "Enter the name of your organism : "
380
			fi
380
			fi
381
			read ORGANISME
381
			read ORGANISME
382
			if [ "$ORGANISME" == "" ]
382
			if [ "$ORGANISME" == "" ]
383
				then
383
				then
384
				ORGANISME=!
384
				ORGANISME=!
385
			fi
385
			fi
386
		done
386
		done
387
	fi
387
	fi
388
# On crée aléatoirement les mots de passe et les secrets partagés
388
# On crée aléatoirement les mots de passe et les secrets partagés
389
# We create random passwords and shared secrets
389
# We create random passwords and shared secrets
390
	rm -f $PASSWD_FILE
390
	rm -f $PASSWD_FILE
391
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
391
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
392
	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
392
	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
393
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
393
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
394
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
394
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
395
		grep -v '[eE]nter password:' | \
395
		grep -v '[eE]nter password:' | \
396
		sed -e "s/PBKDF2 hash of your password is //"`
396
		sed -e "s/PBKDF2 hash of your password is //"`
397
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
397
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
398
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
398
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
399
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
399
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
400
	chmod 0600 /boot/grub2/user.cfg
400
	chmod 0600 /boot/grub2/user.cfg
401
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
401
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
402
	echo "GRUB2_user=root" >> $PASSWD_FILE
402
	echo "GRUB2_user=root" >> $PASSWD_FILE
403
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
403
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
404
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
404
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
405
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
405
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
406
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
406
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
407
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
407
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
408
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
408
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
409
	echo "db_user=$DB_USER" >> $PASSWD_FILE
409
	echo "db_user=$DB_USER" >> $PASSWD_FILE
410
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
410
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
411
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
411
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
412
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
412
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
413
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
413
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
414
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
414
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
415
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
415
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
416
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
416
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
417
	chmod 640 $PASSWD_FILE
417
	chmod 640 $PASSWD_FILE
418
#  copy scripts in in /usr/local/bin
418
#  copy scripts in in /usr/local/bin
419
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
419
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
420
#  copy conf files in /usr/local/etc
420
#  copy conf files in /usr/local/etc
421
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
421
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
422
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
422
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
423
# generate central conf file
423
# generate central conf file
424
	cat <<EOF > $CONF_FILE
424
	cat <<EOF > $CONF_FILE
425
##########################################
425
##########################################
426
##                                      ##
426
##                                      ##
427
##          ALCASAR Parameters          ##
427
##          ALCASAR Parameters          ##
428
##                                      ##
428
##                                      ##
429
##########################################
429
##########################################
430
 
430
 
431
INSTALL_DATE=$DATE
431
INSTALL_DATE=$DATE
432
VERSION=$VERSION
432
VERSION=$VERSION
433
ORGANISM=$ORGANISME
433
ORGANISM=$ORGANISME
434
HOSTNAME=$HOSTNAME
434
HOSTNAME=$HOSTNAME
435
DOMAIN=$DOMAIN
435
DOMAIN=$DOMAIN
436
EOF
436
EOF
437
	chmod o-rwx $CONF_FILE
437
	chmod o-rwx $CONF_FILE
438
} # End of init ()
438
} # End of init ()
439
 
439
 
440
#########################################################
440
#########################################################
441
##                    Function "network"               ##
441
##                    Function "network"               ##
442
## - Define the several network address                ##
442
## - Define the several network address                ##
443
## - Define the DNS naming                             ##
443
## - Define the DNS naming                             ##
444
## - INTIF parameters (consultation network)           ##
444
## - INTIF parameters (consultation network)           ##
445
## - Write "/etc/hosts" file                           ##
445
## - Write "/etc/hosts" file                           ##
446
## - write "hosts.allow" & "hosts.deny" files          ##
446
## - write "hosts.allow" & "hosts.deny" files          ##
447
#########################################################
447
#########################################################
448
network ()
448
network ()
449
{
449
{
450
	header_install
450
	header_install
451
	if [ "$mode" != "update" ]
451
	if [ "$mode" != "update" ]
452
		then
452
		then
453
		if [ $Lang == "fr" ]
453
		if [ $Lang == "fr" ]
454
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
454
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
455
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
455
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
456
		fi
456
		fi
457
		response=0
457
		response=0
458
		PTN='^[oOyYnN]$'
458
		PTN='^[oOyYnN]$'
459
		until [[ $(expr $response : $PTN) -gt 0 ]]
459
		until [[ $(expr $response : $PTN) -gt 0 ]]
460
		do
460
		do
461
			if [ $Lang == "fr" ]
461
			if [ $Lang == "fr" ]
462
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
462
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
463
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
463
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
464
			fi
464
			fi
465
			read response
465
			read response
466
		done
466
		done
467
		if [ "$response" = "n" ] || [ "$response" = "N" ]
467
		if [ "$response" = "n" ] || [ "$response" = "N" ]
468
		then
468
		then
469
			PRIVATE_IP_MASK="0"
469
			PRIVATE_IP_MASK="0"
470
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
470
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
471
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
471
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
472
			do
472
			do
473
				if [ $Lang == "fr" ]
473
				if [ $Lang == "fr" ]
474
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
474
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
475
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
475
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
476
				fi
476
				fi
477
				read PRIVATE_IP_MASK
477
				read PRIVATE_IP_MASK
478
			done
478
			done
479
		else
479
		else
480
	   			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
480
	   			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
481
		fi
481
		fi
482
	else
482
	else
483
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
483
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
484
		rm -rf conf/etc/alcasar.conf
484
		rm -rf conf/etc/alcasar.conf
485
	fi
485
	fi
486
# Define LAN side global parameters
486
# Define LAN side global parameters
487
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
487
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
488
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
488
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
489
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
489
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
490
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
490
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
491
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
491
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
492
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
492
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
493
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
493
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
494
		then
494
		then
495
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
495
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
496
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
496
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
497
	fi
497
	fi
498
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
498
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
499
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
499
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
500
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
500
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
501
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
501
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
502
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
502
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
503
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
503
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
504
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
504
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
505
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
505
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
506
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
506
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
507
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
507
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
508
# Define Internet parameters
508
# Define Internet parameters
509
	if [ "$mode" != "update" ]
509
	if [ "$mode" != "update" ]
510
	then
510
	then
511
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
511
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
512
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
512
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
513
	else
513
	else
514
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
514
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
515
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
515
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
516
	fi
516
	fi
517
	if [ "$DNS1" == "" ]
517
	if [ "$DNS1" == "" ]
518
	then
518
	then
519
		if [ $Lang == "fr" ]
519
		if [ $Lang == "fr" ]
520
		then
520
		then
521
			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
521
			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
522
			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
522
			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
523
		else
523
		else
524
			echo "The IP address of DNS servers are not set correctly"
524
			echo "The IP address of DNS servers are not set correctly"
525
			echo "Check the extern network card configuration ($EXTIF)"
525
			echo "Check the extern network card configuration ($EXTIF)"
526
		fi
526
		fi
527
		exit 0
527
		exit 0
528
	fi
528
	fi
529
	DNS1=${DNS1:=208.67.220.220}
529
	DNS1=${DNS1:=208.67.220.220}
530
	DNS2=${DNS2:=208.67.222.222}
530
	DNS2=${DNS2:=208.67.222.222}
531
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
531
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
532
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
532
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
533
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
533
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
534
# Write network parameters in the conf file
534
# Write network parameters in the conf file
535
	echo "EXTIF=$EXTIF" >> $CONF_FILE
535
	echo "EXTIF=$EXTIF" >> $CONF_FILE
536
	echo "INTIF=$INTIF" >> $CONF_FILE
536
	echo "INTIF=$INTIF" >> $CONF_FILE
537
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
537
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
538
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
538
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
539
	for i in $INTERFACES
539
	for i in $INTERFACES
540
	do
540
	do
541
		SUB=`echo ${i:0:2}`
541
		SUB=`echo ${i:0:2}`
542
		if [ $SUB = "wl" ]
542
		if [ $SUB = "wl" ]
543
			then WIFIF=$i
543
			then WIFIF=$i
544
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
544
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
545
			then LANIF=$i
545
			then LANIF=$i
546
		fi
546
		fi
547
	done
547
	done
548
	if [ -n "$WIFIF" ]
548
	if [ -n "$WIFIF" ]
549
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
549
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
550
	elif [ -n "$LANIF" ]
550
	elif [ -n "$LANIF" ]
551
		then echo "LANIF=$LANIF" >> $CONF_FILE
551
		then echo "LANIF=$LANIF" >> $CONF_FILE
552
	fi
552
	fi
553
	#########################################################################################################
553
	#########################################################################################################
554
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
554
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
555
	if [ $IP_SETTING == "dhcp" ]
555
	if [ $IP_SETTING == "dhcp" ]
556
		then
556
		then
557
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
557
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
558
		echo "GW=dhcp" >> $CONF_FILE
558
		echo "GW=dhcp" >> $CONF_FILE
559
	else
559
	else
560
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
560
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
561
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
561
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
562
	fi
562
	fi
563
	echo "DNS1=$DNS1" >> $CONF_FILE
563
	echo "DNS1=$DNS1" >> $CONF_FILE
564
	echo "DNS2=$DNS2" >> $CONF_FILE
564
	echo "DNS2=$DNS2" >> $CONF_FILE
565
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
565
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
566
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
566
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
567
	echo "DHCP=on" >> $CONF_FILE
567
	echo "DHCP=on" >> $CONF_FILE
568
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
568
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
569
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
569
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
570
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
570
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
571
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
571
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
572
	echo "INT_DNS_IP=none" >> $CONF_FILE
572
	echo "INT_DNS_IP=none" >> $CONF_FILE
573
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
573
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
574
# network default
574
# network default
575
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
575
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
576
	cat <<EOF > /etc/sysconfig/network
576
	cat <<EOF > /etc/sysconfig/network
577
NETWORKING=yes
577
NETWORKING=yes
578
FORWARD_IPV4=true
578
FORWARD_IPV4=true
579
EOF
579
EOF
580
# write "/etc/hosts"
580
# write "/etc/hosts"
581
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
581
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
582
	cat <<EOF > /etc/hosts
582
	cat <<EOF > /etc/hosts
583
127.0.0.1	localhost
583
127.0.0.1	localhost
584
$PRIVATE_IP	$HOSTNAME
584
$PRIVATE_IP	$HOSTNAME
585
EOF
585
EOF
586
# write EXTIF (Internet) config
586
# write EXTIF (Internet) config
587
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
587
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
588
	if [ $IP_SETTING == "dhcp" ]
588
	if [ $IP_SETTING == "dhcp" ]
589
		then
589
		then
590
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
590
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
591
DEVICE=$EXTIF
591
DEVICE=$EXTIF
592
BOOTPROTO=dhcp
592
BOOTPROTO=dhcp
593
DNS1=127.0.0.1
593
DNS1=127.0.0.1
594
PEERDNS=no
594
PEERDNS=no
595
RESOLV_MODS=yes
595
RESOLV_MODS=yes
596
ONBOOT=yes
596
ONBOOT=yes
597
NOZEROCONF=yes
597
NOZEROCONF=yes
598
METRIC=10
598
METRIC=10
599
MII_NOT_SUPPORTED=yes
599
MII_NOT_SUPPORTED=yes
600
IPV6INIT=no
600
IPV6INIT=no
601
IPV6TO4INIT=no
601
IPV6TO4INIT=no
602
ACCOUNTING=no
602
ACCOUNTING=no
603
USERCTL=no
603
USERCTL=no
604
MTU=$MTU
604
MTU=$MTU
605
EOF
605
EOF
606
		else
606
		else
607
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
607
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
608
DEVICE=$EXTIF
608
DEVICE=$EXTIF
609
BOOTPROTO=static
609
BOOTPROTO=static
610
IPADDR=$PUBLIC_IP
610
IPADDR=$PUBLIC_IP
611
NETMASK=$PUBLIC_NETMASK
611
NETMASK=$PUBLIC_NETMASK
612
GATEWAY=$PUBLIC_GATEWAY
612
GATEWAY=$PUBLIC_GATEWAY
613
DNS1=127.0.0.1
613
DNS1=127.0.0.1
614
RESOLV_MODS=yes
614
RESOLV_MODS=yes
615
ONBOOT=yes
615
ONBOOT=yes
616
METRIC=10
616
METRIC=10
617
NOZEROCONF=yes
617
NOZEROCONF=yes
618
MII_NOT_SUPPORTED=yes
618
MII_NOT_SUPPORTED=yes
619
IPV6INIT=no
619
IPV6INIT=no
620
IPV6TO4INIT=no
620
IPV6TO4INIT=no
621
ACCOUNTING=no
621
ACCOUNTING=no
622
USERCTL=no
622
USERCTL=no
623
MTU=$MTU
623
MTU=$MTU
624
EOF
624
EOF
625
	fi
625
	fi
626
# write INTIF (consultation LAN) in normal mode
626
# write INTIF (consultation LAN) in normal mode
627
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
627
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
628
DEVICE=$INTIF
628
DEVICE=$INTIF
629
BOOTPROTO=static
629
BOOTPROTO=static
630
ONBOOT=yes
630
ONBOOT=yes
631
NOZEROCONF=yes
631
NOZEROCONF=yes
632
MII_NOT_SUPPORTED=yes
632
MII_NOT_SUPPORTED=yes
633
IPV6INIT=no
633
IPV6INIT=no
634
IPV6TO4INIT=no
634
IPV6TO4INIT=no
635
ACCOUNTING=no
635
ACCOUNTING=no
636
USERCTL=no
636
USERCTL=no
637
EOF
637
EOF
638
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
638
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
639
# write INTIF in bypass mode (see "alcasar-bypass.sh")
639
# write INTIF in bypass mode (see "alcasar-bypass.sh")
640
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
640
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
641
DEVICE=$INTIF
641
DEVICE=$INTIF
642
BOOTPROTO=static
642
BOOTPROTO=static
643
IPADDR=$PRIVATE_IP
643
IPADDR=$PRIVATE_IP
644
NETMASK=$PRIVATE_NETMASK
644
NETMASK=$PRIVATE_NETMASK
645
ONBOOT=yes
645
ONBOOT=yes
646
METRIC=10
646
METRIC=10
647
NOZEROCONF=yes
647
NOZEROCONF=yes
648
MII_NOT_SUPPORTED=yes
648
MII_NOT_SUPPORTED=yes
649
IPV6INIT=no
649
IPV6INIT=no
650
IPV6TO4INIT=no
650
IPV6TO4INIT=no
651
ACCOUNTING=no
651
ACCOUNTING=no
652
USERCTL=no
652
USERCTL=no
653
EOF
653
EOF
654
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
654
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
655
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
655
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
656
	then
656
	then
657
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
657
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
658
DEVICE=$WIFIF
658
DEVICE=$WIFIF
659
BOOTPROTO=static
659
BOOTPROTO=static
660
ONBOOT=yes
660
ONBOOT=yes
661
NOZEROCONF=yes
661
NOZEROCONF=yes
662
MII_NOT_SUPPORTED=yes
662
MII_NOT_SUPPORTED=yes
663
IPV6INIT=no
663
IPV6INIT=no
664
IPV6TO4INIT=no
664
IPV6TO4INIT=no
665
ACCOUNTING=no
665
ACCOUNTING=no
666
USERCTL=no
666
USERCTL=no
667
EOF
667
EOF
668
	elif [ -n "$LANIF" ]
668
	elif [ -n "$LANIF" ]
669
	then
669
	then
670
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
670
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
671
DEVICE=$LANIF
671
DEVICE=$LANIF
672
BOOTPROTO=static
672
BOOTPROTO=static
673
ONBOOT=yes
673
ONBOOT=yes
674
NOZEROCONF=yes
674
NOZEROCONF=yes
675
MII_NOT_SUPPORTED=yes
675
MII_NOT_SUPPORTED=yes
676
IPV6INIT=no
676
IPV6INIT=no
677
IPV6TO4INIT=no
677
IPV6TO4INIT=no
678
ACCOUNTING=no
678
ACCOUNTING=no
679
USERCTL=no
679
USERCTL=no
680
EOF
680
EOF
681
	fi
681
	fi
682
	#########################################################################################################
682
	#########################################################################################################
683
# write hosts.allow & hosts.deny
683
# write hosts.allow & hosts.deny
684
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
684
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
685
	cat <<EOF > /etc/hosts.allow
685
	cat <<EOF > /etc/hosts.allow
686
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
686
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
687
sshd: ALL
687
sshd: ALL
688
ntpd: $PRIVATE_NETWORK_SHORT
688
ntpd: $PRIVATE_NETWORK_SHORT
689
EOF
689
EOF
690
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
690
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
691
	cat <<EOF > /etc/hosts.deny
691
	cat <<EOF > /etc/hosts.deny
692
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
692
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
693
EOF
693
EOF
694
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
694
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
695
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
695
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
696
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
696
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
697
# load conntrack ftp module
697
# load conntrack ftp module
698
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
698
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
699
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
699
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
700
# load ipt_NETFLOW module
700
# load ipt_NETFLOW module
701
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
701
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
702
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
702
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
703
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
703
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
704
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
704
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
705
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
705
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
706
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
706
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
707
#
707
#
708
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
708
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
709
} # End of network ()
709
} # End of network ()
710
 
710
 
711
###################################################
711
###################################################
712
##                  Function "ACC"               ##
712
##                  Function "ACC"               ##
713
## - copy ALCASAR Control Center (ACC) files     ##
713
## - copy ALCASAR Control Center (ACC) files     ##
714
## - configuration of the web server (Lighttpd)  ##
714
## - configuration of the web server (Lighttpd)  ##
715
## - creation of the first ACC admin account     ##
715
## - creation of the first ACC admin account     ##
716
## - secure the ACC access                       ##
716
## - secure the ACC access                       ##
717
###################################################
717
###################################################
718
ACC ()
718
ACC ()
719
{
719
{
720
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
720
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
721
	mkdir $DIR_WEB
721
	mkdir $DIR_WEB
722
# Copy & adapt ACC files
722
# Copy & adapt ACC files
723
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
723
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
724
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
724
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
725
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
725
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
726
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
726
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
727
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
727
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
728
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
728
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
729
	chown -R apache:apache $DIR_WEB/*
729
	chown -R apache:apache $DIR_WEB/*
730
# copy & adapt "freeradius-web" files
730
# copy & adapt "freeradius-web" files
731
	cp -rf $DIR_CONF/freeradius-web/ /etc/
731
	cp -rf $DIR_CONF/freeradius-web/ /etc/
732
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
732
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
733
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
733
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
734
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
734
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
735
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
735
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
736
	cat <<EOF > /etc/freeradius-web/naslist.conf
736
	cat <<EOF > /etc/freeradius-web/naslist.conf
737
nas1_name: alcasar-$ORGANISME
737
nas1_name: alcasar-$ORGANISME
738
nas1_model: Network Access Controler
738
nas1_model: Network Access Controler
739
nas1_ip: $PRIVATE_IP
739
nas1_ip: $PRIVATE_IP
740
nas1_port_num: 0
740
nas1_port_num: 0
741
nas1_community: public
741
nas1_community: public
742
EOF
742
EOF
743
	chown -R apache:apache /etc/freeradius-web/
743
	chown -R apache:apache /etc/freeradius-web/
744
# create the log & backup structure :
744
# create the log & backup structure :
745
# - base = users database
745
# - base = users database
746
# - archive = tarball of "base + http firewall + netflow"
746
# - archive = tarball of "base + http firewall + netflow"
747
# - security = watchdog log
747
# - security = watchdog log
748
	for i in base archive security activity_report;
748
	for i in base archive security activity_report;
749
	do
749
	do
750
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
750
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
751
	done
751
	done
752
	chown -R root:apache $DIR_SAVE
752
	chown -R root:apache $DIR_SAVE
753
# Configuring & securing php
753
# Configuring & securing php
754
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
754
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
755
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
755
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
756
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
756
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
757
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
757
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
758
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
758
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
759
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
759
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
760
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
760
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
761
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
761
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
762
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
762
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
763
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
763
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
764
# Configuring & securing Lighttpd
764
# Configuring & securing Lighttpd
765
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
765
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
766
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
766
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
767
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
767
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
768
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
768
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
769
	[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
769
	[ -e /etc/php-fpm.conf ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
770
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
770
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
771
 
771
 
772
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
772
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
773
	cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
773
	cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
774
 
774
 
775
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
775
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
776
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
776
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
777
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
777
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
778
 
778
 
779
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
779
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
780
	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
780
	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
781
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
781
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
782
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
782
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
783
 
783
 
784
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
784
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
785
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
785
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
786
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
786
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
787
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
787
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
788
 
788
 
789
	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
789
	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
790
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
790
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
791
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
791
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
792
 
792
 
793
	/usr/bin/systemctl start lighttpd
793
	/usr/bin/systemctl start lighttpd
794
	/usr/bin/systemctl start php-fpm
794
	/usr/bin/systemctl start php-fpm
795
 
795
 
796
# Creation of the first account (in 'admin' profile)
796
# Creation of the first account (in 'admin' profile)
797
	if [ "$mode" = "install" ]
797
	if [ "$mode" = "install" ]
798
		then
798
		then
799
			header_install
799
			header_install
800
# Creation of keys file for the admin account ("admin")
800
# Creation of keys file for the admin account ("admin")
801
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
801
			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
802
			mkdir -p $DIR_DEST_ETC/digest
802
			mkdir -p $DIR_DEST_ETC/digest
803
			chmod 755 $DIR_DEST_ETC/digest
803
			chmod 755 $DIR_DEST_ETC/digest
804
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
804
			until [ -s $DIR_DEST_ETC/digest/key_admin ]
805
			do
805
			do
806
				$DIR_DEST_BIN/alcasar-profil.sh --add admin
806
				$DIR_DEST_BIN/alcasar-profil.sh --add admin
807
			done
807
			done
808
	fi
808
	fi
809
 
809
 
810
	# Launch after coova (in order to wait tun0 to be up)
810
	# Launch after coova (in order to wait tun0 to be up)
811
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
811
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
812
	# Log file for ACC access imputability
812
	# Log file for ACC access imputability
813
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
813
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
814
	chown root:apache /var/Save/security/acc_access.log
814
	chown root:apache /var/Save/security/acc_access.log
815
	chmod 664 /var/Save/security/acc_access.log
815
	chmod 664 /var/Save/security/acc_access.log
816
} # End of ACC ()
816
} # End of ACC ()
817
 
817
 
818
##################################################################
818
##################################################################
819
##                               Fonction "CA"                  ##
819
##                               Fonction "CA"                  ##
820
## - Creating the CA and the server certificate (lighttpd)      ##
820
## - Creating the CA and the server certificate (lighttpd)      ##
821
##################################################################
821
##################################################################
822
CA ()
822
CA ()
823
{
823
{
824
	$DIR_DEST_BIN/alcasar-CA.sh
824
	$DIR_DEST_BIN/alcasar-CA.sh
825
 
825
 
826
	chown -R root:apache /etc/pki
826
	chown -R root:apache /etc/pki
827
	chmod -R 750 /etc/pki
827
	chmod -R 750 /etc/pki
828
} # End of CA ()
828
} # End of CA ()
829
 
829
 
830
#############################################################
830
#############################################################
831
##               Function "time_server"                    ##
831
##               Function "time_server"                    ##
832
## - Configuring NTP server                                ##
832
## - Configuring NTP server                                ##
833
#############################################################
833
#############################################################
834
time_server ()
834
time_server ()
835
{
835
{
836
# Set the Internet time server
836
# Set the Internet time server
837
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
837
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
838
	cat <<EOF > /etc/ntp/step-tickers
838
	cat <<EOF > /etc/ntp/step-tickers
839
0.fr.pool.ntp.org	# adapt to your country
839
0.fr.pool.ntp.org	# adapt to your country
840
1.fr.pool.ntp.org
840
1.fr.pool.ntp.org
841
2.fr.pool.ntp.org
841
2.fr.pool.ntp.org
842
EOF
842
EOF
843
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
843
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
844
	cat <<EOF > /etc/ntp.conf
844
	cat <<EOF > /etc/ntp.conf
845
server 0.fr.pool.ntp.org	# adapt to your country
845
server 0.fr.pool.ntp.org	# adapt to your country
846
server 1.fr.pool.ntp.org
846
server 1.fr.pool.ntp.org
847
server 2.fr.pool.ntp.org
847
server 2.fr.pool.ntp.org
848
server 127.127.1.0   		# local clock si NTP internet indisponible ...
848
server 127.127.1.0   		# local clock si NTP internet indisponible ...
849
fudge 127.127.1.0 stratum 10
849
fudge 127.127.1.0 stratum 10
850
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
850
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
851
restrict 127.0.0.1
851
restrict 127.0.0.1
852
driftfile /var/lib/ntp/drift
852
driftfile /var/lib/ntp/drift
853
logfile /var/log/ntp.log
853
logfile /var/log/ntp.log
854
disable monitor
854
disable monitor
855
EOF
855
EOF
856
	chown -R ntp:ntp /var/lib/ntp
856
	chown -R ntp:ntp /var/lib/ntp
857
# Synchronize now
857
# Synchronize now
858
	ntpd -q -g &
858
	ntpd -q -g &
859
} # End of time_server ()
859
} # End of time_server ()
860
 
860
 
861
#####################################################################
861
#####################################################################
862
##                     Function "init_db"                          ##
862
##                     Function "init_db"                          ##
863
## - Mysql initialization                                          ##
863
## - Mysql initialization                                          ##
864
## - Set admin (root) password                                     ##
864
## - Set admin (root) password                                     ##
865
## - Remove unused users & databases                               ##
865
## - Remove unused users & databases                               ##
866
## - Radius database creation                                      ##
866
## - Radius database creation                                      ##
867
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
867
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
868
#####################################################################
868
#####################################################################
869
init_db ()
869
init_db ()
870
{
870
{
871
	if [ `systemctl is-active mysqld` == "active" ]
871
	if [ `systemctl is-active mysqld` == "active" ]
872
	then
872
	then
873
		systemctl stop mysqld
873
		systemctl stop mysqld
874
	fi
874
	fi
875
	rm -rf /var/lib/mysql # to be sure that there is no former installation
875
	rm -rf /var/lib/mysql # to be sure that there is no former installation
876
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
876
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
877
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
877
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
878
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
878
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
879
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
879
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
880
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
880
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
881
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
881
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
882
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
882
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
883
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
883
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
884
	/usr/bin/systemctl start mysqld
884
	/usr/bin/systemctl start mysqld
885
	nb_round=1
885
	nb_round=1
886
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
886
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
887
	do
887
	do
888
		nb_round=`expr $nb_round + 1`
888
		nb_round=`expr $nb_round + 1`
889
		sleep 2
889
		sleep 2
890
	done
890
	done
891
	if [ ! -S /var/lib/mysql/mysql.sock ]
891
	if [ ! -S /var/lib/mysql/mysql.sock ]
892
	then
892
	then
893
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
893
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
894
		exit
894
		exit
895
	fi
895
	fi
896
	MYSQL="/usr/bin/mysql --execute"
896
	MYSQL="/usr/bin/mysql --execute"
897
# Secure the server
897
# Secure the server
898
	$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
898
	$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
899
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
899
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
900
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
900
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
901
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
901
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
902
# Create 'radius' database
902
# Create 'radius' database
903
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
903
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
904
# Add an empty radius database structure
904
# Add an empty radius database structure
905
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
905
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
906
# modify the start script in order to close accounting connexion when the system is comming down or up
906
# modify the start script in order to close accounting connexion when the system is comming down or up
907
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
907
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
908
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
908
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
909
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
909
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
910
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
910
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
911
	/usr/bin/systemctl daemon-reload
911
	/usr/bin/systemctl daemon-reload
912
} # End of init_db ()
912
} # End of init_db ()
913
 
913
 
914
###################################################################
914
###################################################################
915
##                       Function "freeradius"                   ##
915
##                       Function "freeradius"                   ##
916
## - Set the configuration files                                 ##
916
## - Set the configuration files                                 ##
917
## - Set the shared secret between coova-chilli and freeradius   ##
917
## - Set the shared secret between coova-chilli and freeradius   ##
918
## - Adapt the Mysql conf file and counters                      ##
918
## - Adapt the Mysql conf file and counters                      ##
919
###################################################################
919
###################################################################
920
freeradius ()
920
freeradius ()
921
{
921
{
922
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
922
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
923
	chown -R radius:radius /etc/raddb
923
	chown -R radius:radius /etc/raddb
924
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
924
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
925
# Set radius global parameters (radius.conf)
925
# Set radius global parameters (radius.conf)
926
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
926
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
927
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
927
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
928
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
928
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
929
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
929
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
930
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
930
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
931
 
931
 
932
# Add ALCASAR dictionary
932
# Add ALCASAR dictionary
933
	cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
933
	cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
934
	echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
934
	echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
935
# Add CoovaChilli dictionary
935
# Add CoovaChilli dictionary
936
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
936
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
937
	echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
937
	echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
938
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
938
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
939
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
939
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
940
	cat << EOF > /etc/raddb/clients.conf
940
	cat << EOF > /etc/raddb/clients.conf
941
client localhost {
941
client localhost {
942
	ipaddr = 127.0.0.1
942
	ipaddr = 127.0.0.1
943
	secret = $secretradius
943
	secret = $secretradius
944
	shortname = chilli
944
	shortname = chilli
945
	nas_type = other
945
	nas_type = other
946
}
946
}
947
EOF
947
EOF
948
# Set Virtual server (remvove all except "alcasar virtual site")
948
# Set Virtual server (remvove all except "alcasar virtual site")
949
	rm -f /etc/raddb/sites-enabled/*
949
	rm -f /etc/raddb/sites-enabled/*
950
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
950
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
951
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
951
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
952
	chown radius:apache /etc/raddb/sites-available/alcasar*
952
	chown radius:apache /etc/raddb/sites-available/alcasar*
953
	chmod 660 /etc/raddb/sites-available/alcasar*
953
	chmod 660 /etc/raddb/sites-available/alcasar*
954
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
954
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
955
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
955
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
956
 
956
 
957
# Set modules
957
# Set modules
958
# Add custom LDAP "available module"
958
# Add custom LDAP "available module"
959
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
959
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
960
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
960
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
961
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
961
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
962
	rm -rf  /etc/raddb/mods-enabled/*
962
	rm -rf  /etc/raddb/mods-enabled/*
963
	for mods in sql sqlcounter attr_filter expiration logintime pap expr
963
	for mods in sql sqlcounter attr_filter expiration logintime pap expr
964
	do
964
	do
965
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
965
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
966
	done
966
	done
967
# Configure SQL mod
967
# Configure SQL mod
968
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
968
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
969
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
969
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
970
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
970
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
971
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
971
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
972
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
972
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
973
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
973
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
974
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
974
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
975
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
975
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
976
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
976
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
977
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
977
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
978
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
978
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
979
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
979
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
980
# sqlcounter modifications
980
# sqlcounter modifications
981
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
981
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
982
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
982
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
983
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
983
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
984
	[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
984
	[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
985
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
985
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
986
query = "\
986
query = "\
987
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
987
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
988
    FROM radacct \
988
    FROM radacct \
989
    WHERE username = '%{\${key}}' \
989
    WHERE username = '%{\${key}}' \
990
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
990
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
991
EOF
991
EOF
992
	[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
992
	[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
993
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
993
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
994
query = "\
994
query = "\
995
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
995
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
996
    FROM radacct \
996
    FROM radacct \
997
    WHERE username='%{\${key}}' \
997
    WHERE username='%{\${key}}' \
998
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
998
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
999
EOF
999
EOF
1000
	[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
1000
	[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
1001
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
1001
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
1002
query = "\
1002
query = "\
1003
    SELECT IFNULL(SUM(AcctSessionTime),0) \
1003
    SELECT IFNULL(SUM(AcctSessionTime),0) \
1004
    FROM radacct \
1004
    FROM radacct \
1005
    WHERE username='%{\${key}}'"
1005
    WHERE username='%{\${key}}'"
1006
EOF
1006
EOF
1007
	[ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default
1007
	[ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default
1008
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
1008
	cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
1009
query = "\
1009
query = "\
1010
    SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
1010
    SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
1011
    FROM radacct \
1011
    FROM radacct \
1012
    WHERE username='%{\${key}}' \
1012
    WHERE username='%{\${key}}' \
1013
    ORDER BY acctstarttime \
1013
    ORDER BY acctstarttime \
1014
    LIMIT 1),0)"
1014
    LIMIT 1),0)"
1015
EOF
1015
EOF
1016
# make certain that mysql is up before freeradius start
1016
# make certain that mysql is up before freeradius start
1017
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1017
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1018
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1018
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1019
	/usr/bin/systemctl daemon-reload
1019
	/usr/bin/systemctl daemon-reload
1020
 # Allow apache to change some conf files (ie : ldap on/off)
1020
 # Allow apache to change some conf files (ie : ldap on/off)
1021
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1021
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1022
 
1022
 
1023
} # End freeradius ()
1023
} # End freeradius ()
1024
 
1024
 
1025
#############################################################################
1025
#############################################################################
1026
##                           Function "chilli"                             ##
1026
##                           Function "chilli"                             ##
1027
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1027
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1028
## - Adapt the authentication web page (intercept.php)                     ##
1028
## - Adapt the authentication web page (intercept.php)                     ##
1029
#############################################################################
1029
#############################################################################
1030
chilli ()
1030
chilli ()
1031
{
1031
{
1032
# chilli unit for systemd
1032
# chilli unit for systemd
1033
	cat << EOF > /lib/systemd/system/chilli.service
1033
	cat << EOF > /lib/systemd/system/chilli.service
1034
#  This file is part of systemd.
1034
#  This file is part of systemd.
1035
#
1035
#
1036
#  systemd is free software; you can redistribute it and/or modify it
1036
#  systemd is free software; you can redistribute it and/or modify it
1037
#  under the terms of the GNU General Public License as published by
1037
#  under the terms of the GNU General Public License as published by
1038
#  the Free Software Foundation; either version 2 of the License, or
1038
#  the Free Software Foundation; either version 2 of the License, or
1039
#  (at your option) any later version.
1039
#  (at your option) any later version.
1040
[Unit]
1040
[Unit]
1041
Description=chilli is a captive portal daemon
1041
Description=chilli is a captive portal daemon
1042
After=network.target
1042
After=network.target
1043
 
1043
 
1044
[Service]
1044
[Service]
1045
Type=forking
1045
Type=forking
1046
ExecStart=/usr/libexec/chilli start
1046
ExecStart=/usr/libexec/chilli start
1047
ExecStop=/usr/libexec/chilli stop
1047
ExecStop=/usr/libexec/chilli stop
1048
ExecReload=/usr/libexec/chilli reload
1048
ExecReload=/usr/libexec/chilli reload
1049
PIDFile=/var/run/chilli.pid
1049
PIDFile=/var/run/chilli.pid
1050
 
1050
 
1051
[Install]
1051
[Install]
1052
WantedBy=multi-user.target
1052
WantedBy=multi-user.target
1053
EOF
1053
EOF
1054
# init file creation
1054
# init file creation
1055
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1055
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1056
	cat <<EOF > /etc/init.d/chilli
1056
	cat <<EOF > /etc/init.d/chilli
1057
#!/bin/sh
1057
#!/bin/sh
1058
#
1058
#
1059
# chilli CoovaChilli init
1059
# chilli CoovaChilli init
1060
#
1060
#
1061
# chkconfig: 2345 65 35
1061
# chkconfig: 2345 65 35
1062
# description: CoovaChilli
1062
# description: CoovaChilli
1063
### BEGIN INIT INFO
1063
### BEGIN INIT INFO
1064
# Provides:       chilli
1064
# Provides:       chilli
1065
# Required-Start: network
1065
# Required-Start: network
1066
# Should-Start:
1066
# Should-Start:
1067
# Required-Stop:  network
1067
# Required-Stop:  network
1068
# Should-Stop:
1068
# Should-Stop:
1069
# Default-Start:  2 3 5
1069
# Default-Start:  2 3 5
1070
# Default-Stop:
1070
# Default-Stop:
1071
# Description:    CoovaChilli access controller
1071
# Description:    CoovaChilli access controller
1072
### END INIT INFO
1072
### END INIT INFO
1073
 
1073
 
1074
[ -f /usr/sbin/chilli ] || exit 0
1074
[ -f /usr/sbin/chilli ] || exit 0
1075
. /etc/init.d/functions
1075
. /etc/init.d/functions
1076
CONFIG=/etc/chilli.conf
1076
CONFIG=/etc/chilli.conf
1077
pidfile=/var/run/chilli.pid
1077
pidfile=/var/run/chilli.pid
1078
[ -f \$CONFIG ] || {
1078
[ -f \$CONFIG ] || {
1079
	echo "\$CONFIG Not found"
1079
	echo "\$CONFIG Not found"
1080
	exit 0
1080
	exit 0
1081
}
1081
}
1082
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1082
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1083
RETVAL=0
1083
RETVAL=0
1084
prog="chilli"
1084
prog="chilli"
1085
case \$1 in
1085
case \$1 in
1086
	start)
1086
	start)
1087
		if [ -f \$pidfile ] ; then
1087
		if [ -f \$pidfile ] ; then
1088
			gprintf "chilli is already running"
1088
			gprintf "chilli is already running"
1089
		else
1089
		else
1090
			gprintf "Starting \$prog: "
1090
			gprintf "Starting \$prog: "
1091
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1091
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1092
			rm -f /var/run/chilli* # cleaning
1092
			rm -f /var/run/chilli* # cleaning
1093
			/usr/sbin/modprobe tun >/dev/null 2>&1
1093
			/usr/sbin/modprobe tun >/dev/null 2>&1
1094
			echo 1 > /proc/sys/net/ipv4/ip_forward
1094
			echo 1 > /proc/sys/net/ipv4/ip_forward
1095
			[ -e /dev/net/tun ] || {
1095
			[ -e /dev/net/tun ] || {
1096
				(cd /dev;
1096
				(cd /dev;
1097
				mkdir net;
1097
				mkdir net;
1098
				cd net;
1098
				cd net;
1099
				mknod tun c 10 200)
1099
				mknod tun c 10 200)
1100
			}
1100
			}
1101
			ifconfig $INTIF 0.0.0.0
1101
			ifconfig $INTIF 0.0.0.0
1102
			/usr/sbin/ethtool -K $INTIF gro off
1102
			/usr/sbin/ethtool -K $INTIF gro off
1103
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1103
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1104
			RETVAL=\$?
1104
			RETVAL=\$?
1105
		fi
1105
		fi
1106
		;;
1106
		;;
1107
 
1107
 
1108
	reload)
1108
	reload)
1109
		killall -HUP chilli
1109
		killall -HUP chilli
1110
		;;
1110
		;;
1111
 
1111
 
1112
	restart)
1112
	restart)
1113
		\$0 stop
1113
		\$0 stop
1114
		sleep 2
1114
		sleep 2
1115
		\$0 start
1115
		\$0 start
1116
		;;
1116
		;;
1117
 
1117
 
1118
	status)
1118
	status)
1119
		status chilli
1119
		status chilli
1120
		RETVAL=0
1120
		RETVAL=0
1121
		;;
1121
		;;
1122
 
1122
 
1123
	stop)
1123
	stop)
1124
		if [ -f \$pidfile ] ; then
1124
		if [ -f \$pidfile ] ; then
1125
			gprintf "Shutting down \$prog: "
1125
			gprintf "Shutting down \$prog: "
1126
			killproc /usr/sbin/chilli
1126
			killproc /usr/sbin/chilli
1127
			RETVAL=\$?
1127
			RETVAL=\$?
1128
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1128
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1129
			[ -e \$current_users_file ] && rm -f \$current_users_file
1129
			[ -e \$current_users_file ] && rm -f \$current_users_file
1130
		else
1130
		else
1131
			gprintf "chilli is not running"
1131
			gprintf "chilli is not running"
1132
		fi
1132
		fi
1133
		;;
1133
		;;
1134
 
1134
 
1135
	*)
1135
	*)
1136
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1136
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1137
		exit 1
1137
		exit 1
1138
esac
1138
esac
1139
echo
1139
echo
1140
EOF
1140
EOF
1141
	chmod a+x /etc/init.d/chilli
1141
	chmod a+x /etc/init.d/chilli
1142
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1142
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1143
# conf file creation
1143
# conf file creation
1144
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1144
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1145
	#NTP Option configuration for DHCP
1145
	#NTP Option configuration for DHCP
1146
	#DHCP Options : rfc2132
1146
	#DHCP Options : rfc2132
1147
		#dhcp option value will be convert in hexa.
1147
		#dhcp option value will be convert in hexa.
1148
		#NTP option (or 'option 42') is like :
1148
		#NTP option (or 'option 42') is like :
1149
		#
1149
		#
1150
		#    Code   Len         Address 1               Address 2
1150
		#    Code   Len         Address 1               Address 2
1151
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1151
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1152
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1152
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1153
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1153
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1154
		#
1154
		#
1155
		#Code : 42 => 2a
1155
		#Code : 42 => 2a
1156
		#Len : 4 => 04
1156
		#Len : 4 => 04
1157
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1157
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1158
	cat <<EOF > /etc/chilli.conf
1158
	cat <<EOF > /etc/chilli.conf
1159
# coova config for ALCASAR
1159
# coova config for ALCASAR
1160
cmdsocket	/var/run/chilli.sock
1160
cmdsocket	/var/run/chilli.sock
1161
unixipc		chilli.$INTIF.ipc
1161
unixipc		chilli.$INTIF.ipc
1162
pidfile		/var/run/chilli.pid
1162
pidfile		/var/run/chilli.pid
1163
net		$PRIVATE_NETWORK_MASK
1163
net		$PRIVATE_NETWORK_MASK
1164
dhcpif		$INTIF
1164
dhcpif		$INTIF
1165
ethers		$DIR_DEST_ETC/alcasar-ethers
1165
ethers		$DIR_DEST_ETC/alcasar-ethers
1166
#nodynip
1166
#nodynip
1167
#statip
1167
#statip
1168
dynip		$PRIVATE_NETWORK_MASK
1168
dynip		$PRIVATE_NETWORK_MASK
1169
domain		$DOMAIN
1169
domain		$DOMAIN
1170
dns1		$PRIVATE_IP
1170
dns1		$PRIVATE_IP
1171
dns2		$PRIVATE_IP
1171
dns2		$PRIVATE_IP
1172
uamlisten	$PRIVATE_IP
1172
uamlisten	$PRIVATE_IP
1173
uamport		3990
1173
uamport		3990
1174
uamuiport	3991
1174
uamuiport	3991
1175
macauth
1175
macauth
1176
macpasswd	password
1176
macpasswd	password
1177
strictmacauth
1177
strictmacauth
1178
locationname	$HOSTNAME.$DOMAIN
1178
locationname	$HOSTNAME.$DOMAIN
1179
radiusserver1	127.0.0.1
1179
radiusserver1	127.0.0.1
1180
radiusserver2	127.0.0.1
1180
radiusserver2	127.0.0.1
1181
radiussecret	$secretradius
1181
radiussecret	$secretradius
1182
radiusauthport	1812
1182
radiusauthport	1812
1183
radiusacctport	1813
1183
radiusacctport	1813
1184
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1184
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1185
redirurl
1185
redirurl
1186
radiusnasid	$HOSTNAME.$DOMAIN
1186
radiusnasid	$HOSTNAME.$DOMAIN
1187
uamsecret	$secretuam
1187
uamsecret	$secretuam
1188
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1188
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1189
coaport		3799
1189
coaport		3799
1190
conup		$DIR_DEST_BIN/alcasar-conup.sh
1190
conup		$DIR_DEST_BIN/alcasar-conup.sh
1191
condown		$DIR_DEST_BIN/alcasar-condown.sh
1191
condown		$DIR_DEST_BIN/alcasar-condown.sh
1192
include		$DIR_DEST_ETC/alcasar-uamallowed
1192
include		$DIR_DEST_ETC/alcasar-uamallowed
1193
include		$DIR_DEST_ETC/alcasar-uamdomain
1193
include		$DIR_DEST_ETC/alcasar-uamdomain
1194
dhcpopt		2a04$PRIVATE_IP_HEXA
1194
dhcpopt		2a04$PRIVATE_IP_HEXA
1195
#dhcpgateway		none
1195
#dhcpgateway		none
1196
#dhcprelayagent		none
1196
#dhcprelayagent		none
1197
#dhcpgatewayport	none
1197
#dhcpgatewayport	none
1198
sslkeyfile	/etc/pki/tls/private/alcasar.key
1198
sslkeyfile	/etc/pki/tls/private/alcasar.key
1199
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1199
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1200
redirssl
1200
redirssl
1201
uamuissl
1201
uamuissl
1202
EOF
1202
EOF
1203
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1203
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1204
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1204
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1205
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1205
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1206
# create files for trusted domains and urls
1206
# create files for trusted domains and urls
1207
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1207
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1208
	chown root:apache $DIR_DEST_ETC/alcasar-*
1208
	chown root:apache $DIR_DEST_ETC/alcasar-*
1209
	chmod 660 $DIR_DEST_ETC/alcasar-*
1209
	chmod 660 $DIR_DEST_ETC/alcasar-*
1210
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1210
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1211
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1211
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1212
# user 'chilli' creation (in order to run conup/off and up/down scripts
1212
# user 'chilli' creation (in order to run conup/off and up/down scripts
1213
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1213
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1214
	if [ "$chilli_exist" == "1" ]
1214
	if [ "$chilli_exist" == "1" ]
1215
	then
1215
	then
1216
		userdel -r chilli 2>/dev/null
1216
		userdel -r chilli 2>/dev/null
1217
	fi
1217
	fi
1218
	groupadd -f chilli
1218
	groupadd -f chilli
1219
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1219
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1220
}  # End of chilli ()
1220
}  # End of chilli ()
1221
 
1221
 
1222
################################################################
1222
################################################################
1223
##                   Function "e2guardian"                    ##
1223
##                   Function "e2guardian"                    ##
1224
## - Set the parameters of this HTML proxy (as controler)     ##
1224
## - Set the parameters of this HTML proxy (as controler)     ##
1225
################################################################
1225
################################################################
1226
e2guardian ()
1226
e2guardian ()
1227
{
1227
{
1228
	mkdir -p /var/e2guardian /var/log/e2guardian
1228
	mkdir -p /var/e2guardian /var/log/e2guardian
1229
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1229
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1230
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1230
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1231
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1231
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1232
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1232
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1233
# By default the filter is off
1233
# By default the filter is off
1234
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1234
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1235
# French deny HTML page
1235
# French deny HTML page
1236
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1236
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1237
# Listen only on LAN side
1237
# Listen only on LAN side
1238
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1238
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1239
# DG send its flow to HAVP
1239
# DG send its flow to HAVP
1240
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1240
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1241
# replace the default deny HTML page
1241
# replace the default deny HTML page
1242
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1242
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1243
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1243
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1244
# Don't log
1244
# Don't log
1245
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1245
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1246
# # Change the default report page
1246
# # Change the default report page
1247
	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1247
	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1248
# Disable HTML content control
1248
# Disable HTML content control
1249
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1249
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1250
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1250
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1251
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1251
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1252
# Disable URL control with regex
1252
# Disable URL control with regex
1253
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1253
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1254
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1254
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1255
# Configure E2guardian for large site
1255
# Configure E2guardian for large site
1256
# Minimum number of processus to handle connections
1256
# Minimum number of processus to handle connections
1257
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1257
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1258
# Maximum number of processus to handle connections
1258
# Maximum number of processus to handle connections
1259
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1259
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1260
# Run at least 8 daemons
1260
# Run at least 8 daemons
1261
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1261
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1262
# minimum number of processes to spawn
1262
# minimum number of processes to spawn
1263
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1263
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1264
# maximum age of a child process before it croaks it
1264
# maximum age of a child process before it croaks it
1265
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1265
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1266
# Disable download files control
1266
# Disable download files control
1267
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1267
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1268
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1268
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1269
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1269
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1270
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1270
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1271
	touch $DIR_DG/lists/bannedextensionlist
1271
	touch $DIR_DG/lists/bannedextensionlist
1272
	touch $DIR_DG/lists/bannedmimetypelist
1272
	touch $DIR_DG/lists/bannedmimetypelist
1273
# 'Safesearch' regex actualisation
1273
# 'Safesearch' regex actualisation
1274
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1274
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1275
# empty LAN IP list that won't be WEB filtered
1275
# empty LAN IP list that won't be WEB filtered
1276
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1276
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1277
	touch $DIR_DG/lists/exceptioniplist
1277
	touch $DIR_DG/lists/exceptioniplist
1278
# Keep a copy of URL & domain filter configuration files
1278
# Keep a copy of URL & domain filter configuration files
1279
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1279
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1280
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1280
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1281
} # End of e2guardian ()
1281
} # End of e2guardian ()
1282
 
1282
 
1283
##################################################################
1283
##################################################################
1284
##                     Function "antivirus"                     ##
1284
##                     Function "antivirus"                     ##
1285
## - Set the parameters of havp, libclamav and freshclam        ##
1285
## - Set the parameters of havp, libclamav and freshclam        ##
1286
##################################################################
1286
##################################################################
1287
antivirus ()
1287
antivirus ()
1288
{
1288
{
1289
# create 'havp' user
1289
# create 'havp' user
1290
	havp_exist=`grep -c ^havp: /etc/passwd`
1290
	havp_exist=`grep -c ^havp: /etc/passwd`
1291
	if [ "$havp_exist" == "1" ]
1291
	if [ "$havp_exist" == "1" ]
1292
	then
1292
	then
1293
		userdel -r havp 2>/dev/null
1293
		userdel -r havp 2>/dev/null
1294
		groupdel havp 2>/dev/null
1294
		groupdel havp 2>/dev/null
1295
	fi
1295
	fi
1296
	groupadd -f havp
1296
	groupadd -f havp
1297
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1297
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1298
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1298
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1299
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1299
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1300
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1300
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1301
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1301
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1302
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1302
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1303
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1303
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1304
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1304
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1305
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1305
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1306
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1306
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1307
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1307
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1308
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1308
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1309
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1309
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1310
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1310
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1311
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1311
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1312
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1312
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1313
# skip checking of youtube flow (too heavy load / risk too low)
1313
# skip checking of youtube flow (too heavy load / risk too low)
1314
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1314
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1315
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1315
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1316
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1316
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1317
# adapt init script and systemd unit
1317
# adapt init script and systemd unit
1318
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1318
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1319
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1319
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1320
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1320
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1321
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1321
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1322
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1322
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1323
# replace of the intercept page (template)
1323
# replace of the intercept page (template)
1324
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1324
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1325
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1325
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1326
# update virus database every 4 hours (24h/6)
1326
# update virus database every 4 hours (24h/6)
1327
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1327
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1328
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1328
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1329
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1329
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1330
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1330
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1331
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1331
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1332
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1332
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1333
# update now
1333
# update now
1334
	/usr/bin/freshclam --no-warnings
1334
	/usr/bin/freshclam --no-warnings
1335
} # End of antivirus ()
1335
} # End of antivirus ()
1336
 
1336
 
1337
################################################################################
1337
################################################################################
1338
##                           Function "tinyproxy"                             ##
1338
##                           Function "tinyproxy"                             ##
1339
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1339
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1340
################################################################################
1340
################################################################################
1341
tinyproxy ()
1341
tinyproxy ()
1342
{
1342
{
1343
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1343
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1344
	if [ "$tinyproxy_exist" == "1" ]
1344
	if [ "$tinyproxy_exist" == "1" ]
1345
	then
1345
	then
1346
		userdel -r tinyproxy 2>/dev/null
1346
		userdel -r tinyproxy 2>/dev/null
1347
		groupdel tinyproxy 2>/dev/null
1347
		groupdel tinyproxy 2>/dev/null
1348
	fi
1348
	fi
1349
	groupadd -f tinyproxy
1349
	groupadd -f tinyproxy
1350
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1350
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1351
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1351
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1352
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1352
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1353
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1353
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1354
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1354
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1355
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1355
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1356
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1356
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1357
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1357
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1358
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1358
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1359
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1359
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1360
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1360
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1361
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1361
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1362
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1362
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1363
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1363
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1364
# Create the systemd unit
1364
# Create the systemd unit
1365
cat << EOF > /lib/systemd/system/tinyproxy.service
1365
cat << EOF > /lib/systemd/system/tinyproxy.service
1366
#  This file is part of systemd.
1366
#  This file is part of systemd.
1367
#
1367
#
1368
#  systemd is free software; you can redistribute it and/or modify it
1368
#  systemd is free software; you can redistribute it and/or modify it
1369
#  under the terms of the GNU General Public License as published by
1369
#  under the terms of the GNU General Public License as published by
1370
#  the Free Software Foundation; either version 2 of the License, or
1370
#  the Free Software Foundation; either version 2 of the License, or
1371
#  (at your option) any later version.
1371
#  (at your option) any later version.
1372
 
1372
 
1373
# This unit launches tinyproxy (a very light proxy).
1373
# This unit launches tinyproxy (a very light proxy).
1374
# The "sleep 2" is needed because the pid file isn't ready for systemd
1374
# The "sleep 2" is needed because the pid file isn't ready for systemd
1375
[Unit]
1375
[Unit]
1376
Description=Tinyproxy Web Proxy Server
1376
Description=Tinyproxy Web Proxy Server
1377
After=network.target iptables.service
1377
After=network.target iptables.service
1378
 
1378
 
1379
[Service]
1379
[Service]
1380
Type=forking
1380
Type=forking
1381
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1381
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1382
ExecStartPre=/bin/sleep 2
1382
ExecStartPre=/bin/sleep 2
1383
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1383
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1384
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1384
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1385
 
1385
 
1386
[Install]
1386
[Install]
1387
WantedBy=multi-user.target
1387
WantedBy=multi-user.target
1388
EOF
1388
EOF
1389
 
1389
 
1390
} # end of tinyproxy
1390
} # end of tinyproxy
1391
##############################################################################
1391
##############################################################################
1392
##                            function "ulogd"                              ##
1392
##                            function "ulogd"                              ##
1393
## - Ulog config for multi-log files                                        ##
1393
## - Ulog config for multi-log files                                        ##
1394
##############################################################################
1394
##############################################################################
1395
ulogd ()
1395
ulogd ()
1396
{
1396
{
1397
# Three instances of ulogd (three different logfiles)
1397
# Three instances of ulogd (three different logfiles)
1398
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1398
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1399
	nl=1
1399
	nl=1
1400
	for log_type in traceability ssh ext-access
1400
	for log_type in traceability ssh ext-access
1401
	do
1401
	do
1402
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1402
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1403
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1403
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1404
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1404
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1405
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1405
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1406
		cat << EOF >> /etc/ulogd-$log_type.conf
1406
		cat << EOF >> /etc/ulogd-$log_type.conf
1407
[emu1]
1407
[emu1]
1408
file="/var/log/firewall/$log_type.log"
1408
file="/var/log/firewall/$log_type.log"
1409
sync=1
1409
sync=1
1410
EOF
1410
EOF
1411
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1411
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1412
		nl=`expr $nl + 1`
1412
		nl=`expr $nl + 1`
1413
	done
1413
	done
1414
	chown -R root:apache /var/log/firewall
1414
	chown -R root:apache /var/log/firewall
1415
	chmod 750 /var/log/firewall
1415
	chmod 750 /var/log/firewall
1416
	chmod 640 /var/log/firewall/*
1416
	chmod 640 /var/log/firewall/*
1417
}  # End of ulogd ()
1417
}  # End of ulogd ()
1418
 
1418
 
1419
 
1419
 
1420
##########################################################
1420
##########################################################
1421
##                    Function "nfsen"                  ##
1421
##                    Function "nfsen"                  ##
1422
## - install the nfsen grapher                          ##
1422
## - install the nfsen grapher                          ##
1423
## - install the two plugins porttracker & surfmap      ##
1423
## - install the two plugins porttracker & surfmap      ##
1424
##########################################################
1424
##########################################################
1425
nfsen()
1425
nfsen()
1426
{
1426
{
1427
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1427
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1428
# Add PortTracker plugin
1428
# Add PortTracker plugin
1429
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1429
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1430
	do
1430
	do
1431
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1431
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1432
	done
1432
	done
1433
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1433
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1434
# use of our conf file and init unit
1434
# use of our conf file and init unit
1435
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1435
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1436
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1436
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1437
	DirTmp=$(pwd)
1437
	DirTmp=$(pwd)
1438
	cd /tmp/nfsen-*/
1438
	cd /tmp/nfsen-*/
1439
	/usr/bin/perl install.pl etc/nfsen.conf
1439
	/usr/bin/perl install.pl etc/nfsen.conf
1440
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1440
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1441
# Create RRD DB for porttracker (only in it still doesn't exist)
1441
# Create RRD DB for porttracker (only in it still doesn't exist)
1442
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1442
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1443
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1443
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1444
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1444
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1445
	chmod -R 770 /var/log/netflow/porttracker
1445
	chmod -R 770 /var/log/netflow/porttracker
1446
# nfsen unit for systemd
1446
# nfsen unit for systemd
1447
	cat << EOF > /lib/systemd/system/nfsen.service
1447
	cat << EOF > /lib/systemd/system/nfsen.service
1448
#  This file is part of systemd.
1448
#  This file is part of systemd.
1449
#
1449
#
1450
#  systemd is free software; you can redistribute it and/or modify it
1450
#  systemd is free software; you can redistribute it and/or modify it
1451
#  under the terms of the GNU General Public License as published by
1451
#  under the terms of the GNU General Public License as published by
1452
#  the Free Software Foundation; either version 2 of the License, or
1452
#  the Free Software Foundation; either version 2 of the License, or
1453
#  (at your option) any later version.
1453
#  (at your option) any later version.
1454
 
1454
 
1455
# This unit launches nfsen (a Netflow grapher).
1455
# This unit launches nfsen (a Netflow grapher).
1456
[Unit]
1456
[Unit]
1457
Description= NfSen init script
1457
Description= NfSen init script
1458
After=network.target iptables.service
1458
After=network.target iptables.service
1459
 
1459
 
1460
[Service]
1460
[Service]
1461
Type=oneshot
1461
Type=oneshot
1462
RemainAfterExit=yes
1462
RemainAfterExit=yes
1463
PIDFile=/var/run/nfsen/nfsen.pid
1463
PIDFile=/var/run/nfsen/nfsen.pid
1464
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1464
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1465
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1465
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1466
ExecStart=/usr/bin/nfsen start
1466
ExecStart=/usr/bin/nfsen start
1467
ExecStop=/usr/bin/nfsen stop
1467
ExecStop=/usr/bin/nfsen stop
1468
ExecReload=/usr/bin/nfsen restart
1468
ExecReload=/usr/bin/nfsen restart
1469
TimeoutSec=0
1469
TimeoutSec=0
1470
 
1470
 
1471
[Install]
1471
[Install]
1472
WantedBy=multi-user.target
1472
WantedBy=multi-user.target
1473
EOF
1473
EOF
1474
# Add the listen port to collect netflow packet (nfcapd)
1474
# Add the listen port to collect netflow packet (nfcapd)
1475
	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1475
	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1476
# expire delay for the profile "live"
1476
# expire delay for the profile "live"
1477
	/usr/bin/systemctl start nfsen
1477
	/usr/bin/systemctl start nfsen
1478
	/bin/nfsen -m live -e 62d 2>/dev/null
1478
	/bin/nfsen -m live -e 62d 2>/dev/null
1479
# add SURFmap plugin
1479
# add SURFmap plugin
1480
	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1480
	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1481
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1481
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1482
	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1482
	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1483
	cd /tmp/
1483
	cd /tmp/
1484
	/usr/bin/sh SURFmap/install.sh
1484
	/usr/bin/sh SURFmap/install.sh
1485
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1485
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1486
# clear the installation
1486
# clear the installation
1487
	cd $DirTmp
1487
	cd $DirTmp
1488
	rm -rf /tmp/nfsen-*
1488
	rm -rf /tmp/nfsen-*
1489
	rm -rf /tmp/SURFmap*
1489
	rm -rf /tmp/SURFmap*
1490
} # End of nfsen ()
1490
} # End of nfsen ()
1491
 
1491
 
1492
###########################################################
1492
###########################################################
1493
##                     Function "vnstat"                 ##
1493
##                     Function "vnstat"                 ##
1494
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1494
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1495
###########################################################
1495
###########################################################
1496
vnstat ()
1496
vnstat ()
1497
{
1497
{
1498
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1498
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1499
	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1499
	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1500
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1500
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1501
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1501
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1502
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1502
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1503
	/usr/bin/vnstat -u -i $EXTIF
1503
	/usr/bin/vnstat -u -i $EXTIF
1504
} # End of vnstat
1504
} # End of vnstat
1505
 
1505
 
1506
##################################################################
1506
##################################################################
1507
##                     Function "dnsmasq"                       ##
1507
##                     Function "dnsmasq"                       ##
1508
## - creation of the conf files of the 4 intances of dnsmasq    ##
1508
## - creation of the conf files of the 4 intances of dnsmasq    ##
1509
## - creation of the file managing domain name (local & remote) ##
1509
## - creation of the file managing domain name (local & remote) ##
1510
##################################################################
1510
##################################################################
1511
dnsmasq ()
1511
dnsmasq ()
1512
{
1512
{
1513
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1513
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1514
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1514
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1515
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1515
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1516
	cat << EOF > /etc/dnsmasq.conf
1516
	cat << EOF > /etc/dnsmasq.conf
1517
# Configuration file for "dnsmasq in forward mode"
1517
# Configuration file for "dnsmasq in forward mode"
1518
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
1518
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
1519
listen-address=$PRIVATE_IP
1519
listen-address=$PRIVATE_IP
1520
pid-file=/var/run/dnsmasq.pid
1520
pid-file=/var/run/dnsmasq.pid
1521
listen-address=127.0.0.1
1521
listen-address=127.0.0.1
1522
no-dhcp-interface=$INTIF
1522
no-dhcp-interface=$INTIF
1523
no-dhcp-interface=tun0
1523
no-dhcp-interface=tun0
1524
no-dhcp-interface=lo
1524
no-dhcp-interface=lo
1525
bind-interfaces
1525
bind-interfaces
1526
cache-size=2048
1526
cache-size=2048
1527
domain-needed
1527
domain-needed
1528
expand-hosts
1528
expand-hosts
1529
bogus-priv
1529
bogus-priv
1530
filterwin2k
1530
filterwin2k
1531
server=$DNS1
1531
server=$DNS1
1532
server=$DNS2
1532
server=$DNS2
1533
# DHCP service is configured. It will be enabled in "bypass" mode
1533
# DHCP service is configured. It will be enabled in "bypass" mode
1534
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1534
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1535
#dhcp-option=option:router,$PRIVATE_IP
1535
#dhcp-option=option:router,$PRIVATE_IP
1536
#dhcp-option=option:ntp-server,$PRIVATE_IP
1536
#dhcp-option=option:ntp-server,$PRIVATE_IP
1537
 
1537
 
1538
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1538
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1539
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1539
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1540
EOF
1540
EOF
1541
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1541
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1542
	cat << EOF > /etc/dnsmasq-blacklist.conf
1542
	cat << EOF > /etc/dnsmasq-blacklist.conf
1543
# Configuration file for "dnsmasq with blacklist"
1543
# Configuration file for "dnsmasq with blacklist"
1544
# Add Toulouse University blacklist domains
1544
# Add Toulouse University blacklist domains
1545
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
1545
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
1546
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1546
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1547
pid-file=/var/run/dnsmasq-blacklist.pid
1547
pid-file=/var/run/dnsmasq-blacklist.pid
1548
listen-address=$PRIVATE_IP
1548
listen-address=$PRIVATE_IP
1549
port=54
1549
port=54
1550
no-dhcp-interface=$INTIF
1550
no-dhcp-interface=$INTIF
1551
no-dhcp-interface=tun0
1551
no-dhcp-interface=tun0
1552
no-dhcp-interface=lo
1552
no-dhcp-interface=lo
1553
bind-interfaces
1553
bind-interfaces
1554
cache-size=2048
1554
cache-size=2048
1555
domain-needed
1555
domain-needed
1556
expand-hosts
1556
expand-hosts
1557
bogus-priv
1557
bogus-priv
1558
filterwin2k
1558
filterwin2k
1559
log-queries
1559
log-queries
1560
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1560
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1561
server=$DNS1
1561
server=$DNS1
1562
server=$DNS2
1562
server=$DNS2
1563
EOF
1563
EOF
1564
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1564
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1565
	cat << EOF > /etc/dnsmasq-whitelist.conf
1565
	cat << EOF > /etc/dnsmasq-whitelist.conf
1566
# Configuration file for "dnsmasq with whitelist"
1566
# Configuration file for "dnsmasq with whitelist"
1567
# ADD Toulouse university whitelist domains
1567
# ADD Toulouse university whitelist domains
1568
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
1568
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
1569
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1569
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1570
pid-file=/var/run/dnsmasq-whitelist.pid
1570
pid-file=/var/run/dnsmasq-whitelist.pid
1571
listen-address=$PRIVATE_IP
1571
listen-address=$PRIVATE_IP
1572
port=55
1572
port=55
1573
no-dhcp-interface=$INTIF
1573
no-dhcp-interface=$INTIF
1574
no-dhcp-interface=tun0
1574
no-dhcp-interface=tun0
1575
no-dhcp-interface=lo
1575
no-dhcp-interface=lo
1576
bind-interfaces
1576
bind-interfaces
1577
cache-size=1024
1577
cache-size=1024
1578
domain-needed
1578
domain-needed
1579
expand-hosts
1579
expand-hosts
1580
bogus-priv
1580
bogus-priv
1581
filterwin2k
1581
filterwin2k
1582
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1582
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1583
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
1583
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
1584
EOF
1584
EOF
1585
# 4th dnsmasq listen on udp 56 ("blackhole")
1585
# 4th dnsmasq listen on udp 56 ("blackhole")
1586
	cat << EOF > /etc/dnsmasq-blackhole.conf
1586
	cat << EOF > /etc/dnsmasq-blackhole.conf
1587
# Configuration file for "dnsmasq as a blackhole"
1587
# Configuration file for "dnsmasq as a blackhole"
1588
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
1588
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
1589
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1589
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1590
pid-file=/var/run/dnsmasq-blackhole.pid
1590
pid-file=/var/run/dnsmasq-blackhole.pid
1591
listen-address=$PRIVATE_IP
1591
listen-address=$PRIVATE_IP
1592
port=56
1592
port=56
1593
no-dhcp-interface=$INTIF
1593
no-dhcp-interface=$INTIF
1594
no-dhcp-interface=tun0
1594
no-dhcp-interface=tun0
1595
no-dhcp-interface=lo
1595
no-dhcp-interface=lo
1596
bind-interfaces
1596
bind-interfaces
1597
cache-size=256
1597
cache-size=256
1598
domain-needed
1598
domain-needed
1599
expand-hosts
1599
expand-hosts
1600
bogus-priv
1600
bogus-priv
1601
filterwin2k
1601
filterwin2k
1602
EOF
1602
EOF
1603
# file managing domain name resolution (local & remote)
1603
# file managing domain name resolution (local & remote)
1604
cat << EOF > $DIR_DEST_ETC/alcasar-dns-name
1604
cat << EOF > $DIR_DEST_ETC/alcasar-dns-name
1605
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut)
1605
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut)
1606
# Here you can define your local domain name ('localdomain' by default)
1606
# Here you can define your local domain name ('localdomain' by default)
1607
local=/$DOMAIN/
1607
local=/$DOMAIN/
1608
domain=$DOMAIN
1608
domain=$DOMAIN
1609
 
1609
 
1610
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS
1610
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS
1611
## Add one line for each domain name managed by an other DNS server
1611
## Add one line for each domain name managed by an other DNS server
1612
## server=/<your_domain>/<@IP_domain_server>
1612
## server=/<your_domain>/<@IP_domain_server>
1613
## Exemple for an A.D. domain :  server=/Your.Domain.AD/110.120.100.100
1613
## Exemple for an A.D. domain :  server=/Your.Domain.AD/110.120.100.100
1614
## Exemple for an other domain : server=/an_other_domain/10.20.30.40
1614
## Exemple for an other domain : server=/an_other_domain/10.20.30.40
1615
 
1615
 
1616
## INFO : local hostnames are resolved in /etc/hosts file
1616
## INFO : local hostnames are resolved in /etc/hosts file
1617
EOF
1617
EOF
1618
 
1618
 
1619
# the main instance should start after network and chilli (which create tun0)
1619
# the main instance should start after network and chilli (which create tun0)
1620
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1620
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1621
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1621
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1622
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1622
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1623
	for list in blacklist whitelist blackhole
1623
	for list in blacklist whitelist blackhole
1624
	do
1624
	do
1625
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1625
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1626
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1626
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1627
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1627
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1628
	done
1628
	done
1629
} # End dnsmasq
1629
} # End dnsmasq
1630
 
1630
 
1631
##########################################################
1631
##########################################################
1632
##                      Function "BL"                   ##
1632
##                      Function "BL"                   ##
1633
## - copy Toulouse BL                                   ##
1633
## - copy Toulouse BL                                   ##
1634
## - adapt this BL to ALCASAR architecture              ##
1634
## - adapt this BL to ALCASAR architecture              ##
1635
##     - domain names for dnsmasq-bl & dnasmasq-wl      ##
1635
##     - domain names for dnsmasq-bl & dnasmasq-wl      ##
1636
##     - URLs for E²guardian                            ##
1636
##     - URLs for E²guardian                            ##
1637
##     - IPs for NetFilter                              ##
1637
##     - IPs for NetFilter                              ##
1638
##########################################################
1638
##########################################################
1639
BL ()
1639
BL ()
1640
{
1640
{
1641
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1641
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1642
	rm -rf $DIR_DG/lists/blacklists
1642
	rm -rf $DIR_DG/lists/blacklists
1643
	mkdir -p /tmp/blacklists
1643
	mkdir -p /tmp/blacklists
1644
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1644
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1645
# creation of file for the rehabilited domains and urls
1645
# creation of file for the rehabilited domains and urls
1646
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1646
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1647
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1647
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1648
	touch $DIR_DG/lists/exceptionsitelist
1648
	touch $DIR_DG/lists/exceptionsitelist
1649
	touch $DIR_DG/lists/exceptionurllist
1649
	touch $DIR_DG/lists/exceptionurllist
1650
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
1650
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
1651
	cat <<EOF > $DIR_DG/lists/bannedurllist
1651
	cat <<EOF > $DIR_DG/lists/bannedurllist
1652
# E2guardian filter config for ALCASAR
1652
# E2guardian filter config for ALCASAR
1653
EOF
1653
EOF
1654
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1654
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1655
# E2guardian domain filter config for ALCASAR
1655
# E2guardian domain filter config for ALCASAR
1656
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1656
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1657
#**
1657
#**
1658
# block all SSL and CONNECT tunnels
1658
# block all SSL and CONNECT tunnels
1659
**s
1659
**s
1660
# block all SSL and CONNECT tunnels specified only as an IP
1660
# block all SSL and CONNECT tunnels specified only as an IP
1661
*ips
1661
*ips
1662
# block all sites specified only by an IP
1662
# block all sites specified only by an IP
1663
*ip
1663
*ip
1664
EOF
1664
EOF
1665
# Add Bing to the safesearch url regext list (parental control)
1665
# Add Bing to the safesearch url regext list (parental control)
1666
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1666
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1667
# Bing - add 'adlt=strict'
1667
# Bing - add 'adlt=strict'
1668
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1668
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1669
EOF
1669
EOF
1670
# change the google safesearch ("safe=strict" instead of "safe=vss")
1670
# change the google safesearch ("safe=strict" instead of "safe=vss")
1671
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1671
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1672
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1672
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1673
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1673
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1674
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1674
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1675
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1675
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1676
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1676
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1677
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1677
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1678
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1678
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1679
# add custom ALCASAR BL files
1679
# add custom ALCASAR BL files
1680
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1680
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1681
	do
1681
	do
1682
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1682
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1683
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1683
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1684
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1684
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1685
	done
1685
	done
1686
	chown -R e2guardian:apache $DIR_DG
1686
	chown -R e2guardian:apache $DIR_DG
1687
	chown -R root:apache $DIR_DEST_SHARE
1687
	chown -R root:apache $DIR_DEST_SHARE
1688
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1688
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1689
# adapt the Toulouse BL to ALCASAR architecture
1689
# adapt the Toulouse BL to ALCASAR architecture
1690
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1690
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1691
# enable the default categories
1691
# enable the default categories
1692
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1692
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
-
 
1693
	rm -rf /tmp/blacklists
1693
} # End BL()
1694
} # End BL()
1694
 
1695
 
1695
#######################################################
1696
#######################################################
1696
##                  Function "cron"                  ##
1697
##                  Function "cron"                  ##
1697
## - write all cron & anacron files                  ##
1698
## - write all cron & anacron files                  ##
1698
#######################################################
1699
#######################################################
1699
cron ()
1700
cron ()
1700
{
1701
{
1701
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1702
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1702
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1703
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1703
	cat <<EOF > /etc/crontab
1704
	cat <<EOF > /etc/crontab
1704
SHELL=/usr/bin/bash
1705
SHELL=/usr/bin/bash
1705
PATH=/usr/sbin:/usr/bin
1706
PATH=/usr/sbin:/usr/bin
1706
MAILTO=root
1707
MAILTO=root
1707
HOME=/
1708
HOME=/
1708
 
1709
 
1709
# run-parts
1710
# run-parts
1710
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1711
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1711
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1712
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1712
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1713
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1713
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1714
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1714
EOF
1715
EOF
1715
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1716
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1716
	cat <<EOF >> /etc/anacrontab
1717
	cat <<EOF >> /etc/anacrontab
1717
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1718
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1718
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1719
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1719
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1720
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1720
EOF
1721
EOF
1721
 
1722
 
1722
	cat <<EOF > /etc/cron.d/alcasar-mysql
1723
	cat <<EOF > /etc/cron.d/alcasar-mysql
1723
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1724
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1724
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1725
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1725
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1726
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1726
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1727
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1727
EOF
1728
EOF
1728
	cat <<EOF > /etc/cron.d/alcasar-archive
1729
	cat <<EOF > /etc/cron.d/alcasar-archive
1729
# Archive des logs et de la base de données (tous les lundi à 5h35)
1730
# Archive des logs et de la base de données (tous les lundi à 5h35)
1730
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1731
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1731
EOF
1732
EOF
1732
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1733
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1733
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1734
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1734
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1735
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1735
EOF
1736
EOF
1736
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1737
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1737
# mise à jour automatique de la distribution tous les jours 3h30
1738
# mise à jour automatique de la distribution tous les jours 3h30
1738
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1739
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1739
EOF
1740
EOF
1740
 
1741
 
1741
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1742
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1742
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1743
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1743
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1744
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1744
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1745
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1745
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1746
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1746
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1747
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1747
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1748
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1748
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1749
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1749
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1750
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1750
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1751
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1751
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1752
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1752
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1753
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1753
EOF
1754
EOF
1754
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1755
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1755
# run the "watchdog" every 3'
1756
# run the "watchdog" every 3'
1756
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1757
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1757
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1758
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1758
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1759
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1759
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1760
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1760
EOF
1761
EOF
1761
# Enabling the watchdog every 18'
1762
# Enabling the watchdog every 18'
1762
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1763
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1763
# activate  the daemon-watchdog after boot process
1764
# activate  the daemon-watchdog after boot process
1764
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1765
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1765
# activate the daemon-watchdog every 18'
1766
# activate the daemon-watchdog every 18'
1766
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1767
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1767
EOF
1768
EOF
1768
 
1769
 
1769
# Enabling category update from rsync
1770
# Enabling category update from rsync
1770
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1771
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1771
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
1772
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
1772
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1773
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1773
EOF
1774
EOF
1774
 
1775
 
1775
# Renew the Let's Encrypt certificate
1776
# Renew the Let's Encrypt certificate
1776
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1777
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1777
# Automatic renew of the Let's Encrypt certificate
1778
# Automatic renew of the Let's Encrypt certificate
1778
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1779
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1779
EOF
1780
EOF
1780
 
1781
 
1781
# removing the users crons
1782
# removing the users crons
1782
	rm -f /var/spool/cron/*
1783
	rm -f /var/spool/cron/*
1783
} # End cron()
1784
} # End cron()
1784
 
1785
 
1785
######################################################################
1786
######################################################################
1786
##                      Fonction "Fail2Ban"                         ##
1787
##                      Fonction "Fail2Ban"                         ##
1787
##- Adapt conf file to ALCASAR                                      ##
1788
##- Adapt conf file to ALCASAR                                      ##
1788
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1789
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1789
######################################################################
1790
######################################################################
1790
fail2ban()
1791
fail2ban()
1791
{
1792
{
1792
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1793
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1793
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1794
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1794
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1795
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1795
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1796
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1796
	chmod 644 /var/log/fail2ban.log
1797
	chmod 644 /var/log/fail2ban.log
1797
	chmod 644 /var/Save/security/watchdog.log
1798
	chmod 644 /var/Save/security/watchdog.log
1798
	/usr/bin/touch /var/log/auth.log
1799
	/usr/bin/touch /var/log/auth.log
1799
# fail2ban unit
1800
# fail2ban unit
1800
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1801
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1801
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1802
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1802
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1803
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1803
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1804
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1804
} # End fail2ban()
1805
} # End fail2ban()
1805
 
1806
 
1806
#########################################################
1807
#########################################################
1807
##                   Fonction "gammu_smsd"             ##
1808
##                   Fonction "gammu_smsd"             ##
1808
## - Creating of SMS management database               ##
1809
## - Creating of SMS management database               ##
1809
## - Write the gammu a gammu_smsd conf files           ##
1810
## - Write the gammu a gammu_smsd conf files           ##
1810
#########################################################
1811
#########################################################
1811
gammu_smsd()
1812
gammu_smsd()
1812
{
1813
{
1813
# Create 'gammu' databse
1814
# Create 'gammu' databse
1814
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1815
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1815
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1816
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1816
# Add a gammu database structure
1817
# Add a gammu database structure
1817
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1818
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1818
 
1819
 
1819
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1820
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1820
cat << EOF > /etc/gammurc
1821
cat << EOF > /etc/gammurc
1821
[gammu]
1822
[gammu]
1822
device = /dev/ttyUSB0
1823
device = /dev/ttyUSB0
1823
connection = at115200
1824
connection = at115200
1824
EOF
1825
EOF
1825
 
1826
 
1826
cat << EOF > /etc/gammu_smsd_conf
1827
cat << EOF > /etc/gammu_smsd_conf
1827
[gammu]
1828
[gammu]
1828
port = /dev/ttyUSB0
1829
port = /dev/ttyUSB0
1829
connection = at115200
1830
connection = at115200
1830
 
1831
 
1831
[smsd]
1832
[smsd]
1832
PIN = 1234
1833
PIN = 1234
1833
logfile = /var/log/gammu-smsd/gammu-smsd.log
1834
logfile = /var/log/gammu-smsd/gammu-smsd.log
1834
logformat = textall
1835
logformat = textall
1835
debuglevel = 0
1836
debuglevel = 0
1836
 
1837
 
1837
service = sql
1838
service = sql
1838
driver = native_mysql
1839
driver = native_mysql
1839
user = $DB_USER
1840
user = $DB_USER
1840
password = $radiuspwd
1841
password = $radiuspwd
1841
pc = localhost
1842
pc = localhost
1842
database = $DB_GAMMU
1843
database = $DB_GAMMU
1843
 
1844
 
1844
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1845
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1845
 
1846
 
1846
StatusFrequency = 30
1847
StatusFrequency = 30
1847
;LoopSleep = 2
1848
;LoopSleep = 2
1848
 
1849
 
1849
;ResetFrequency = 300
1850
;ResetFrequency = 300
1850
;HardResetFrequency = 120
1851
;HardResetFrequency = 120
1851
 
1852
 
1852
CheckSecurity = 1
1853
CheckSecurity = 1
1853
CheckSignal = 1
1854
CheckSignal = 1
1854
CheckBattery = 0
1855
CheckBattery = 0
1855
EOF
1856
EOF
1856
 
1857
 
1857
chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1858
chmod 755 /etc/gammu_smsd_conf /etc/gammurc
1858
 
1859
 
1859
# Log folder for gammu-smsd
1860
# Log folder for gammu-smsd
1860
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1861
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1861
chmod 755 /var/log/gammu-smsd
1862
chmod 755 /var/log/gammu-smsd
1862
 
1863
 
1863
# Write radius credentials in the gammu script
1864
# Write radius credentials in the gammu script
1864
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1865
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1865
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1866
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1866
 
1867
 
1867
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
1868
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
1868
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
1869
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
1869
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
1870
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
1870
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1871
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1871
#EOF
1872
#EOF
1872
 
1873
 
1873
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
1874
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
1874
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
1875
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
1875
 
1876
 
1876
} # End gammu_smsd()
1877
} # End gammu_smsd()
1877
 
1878
 
1878
############################################################
1879
############################################################
1879
##                 Fonction "msec"                        ##
1880
##                 Fonction "msec"                        ##
1880
## - Apply the "fileserver" security level                ##
1881
## - Apply the "fileserver" security level                ##
1881
## - remove the "system request" for rebboting            ##
1882
## - remove the "system request" for rebboting            ##
1882
## - Fix several file permissions                         ##
1883
## - Fix several file permissions                         ##
1883
############################################################
1884
############################################################
1884
msec()
1885
msec()
1885
{
1886
{
1886
 
1887
 
1887
# Apply fileserver security level
1888
# Apply fileserver security level
1888
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1889
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1889
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
1890
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
1890
 
1891
 
1891
# Set permissions monitoring and enforcement
1892
# Set permissions monitoring and enforcement
1892
cat <<EOF > /etc/security/msec/perm.local
1893
cat <<EOF > /etc/security/msec/perm.local
1893
/var/log/firefwall/                     root.apache     750
1894
/var/log/firefwall/                     root.apache     750
1894
/var/log/firewall/*                     root.apache     640
1895
/var/log/firewall/*                     root.apache     640
1895
/etc/security/msec/perm.local           root.root       640
1896
/etc/security/msec/perm.local           root.root       640
1896
/etc/security/msec/level.local          root.root       640
1897
/etc/security/msec/level.local          root.root       640
1897
/etc/freeradius-web                     root.apache     750
1898
/etc/freeradius-web                     root.apache     750
1898
/etc/freeradius-web/admin.conf          root.apache     640
1899
/etc/freeradius-web/admin.conf          root.apache     640
1899
/etc/raddb/client.conf                  radius.radius   640
1900
/etc/raddb/client.conf                  radius.radius   640
1900
/etc/raddb/radius.conf                  radius.radius   640
1901
/etc/raddb/radius.conf                  radius.radius   640
1901
/etc/raddb/mods-available/ldap          radius.apache   660
1902
/etc/raddb/mods-available/ldap          radius.apache   660
1902
/etc/raddb/sites-available/alcasar      radius.apache   660
1903
/etc/raddb/sites-available/alcasar      radius.apache   660
1903
/etc/pki/*                              root.apache     750
1904
/etc/pki/*                              root.apache     750
1904
/var/log/netflow/porttracker            root.apache     770
1905
/var/log/netflow/porttracker            root.apache     770
1905
/var/log/netflow/porttracker/*          root.apache     660
1906
/var/log/netflow/porttracker/*          root.apache     660
1906
EOF
1907
EOF
1907
# apply now hourly & daily checks
1908
# apply now hourly & daily checks
1908
/usr/sbin/msec
1909
/usr/sbin/msec
1909
/etc/cron.weekly/msec
1910
/etc/cron.weekly/msec
1910
 
1911
 
1911
} # End msec()
1912
} # End msec()
1912
 
1913
 
1913
 
1914
 
1914
##################################################################
1915
##################################################################
1915
##                   Fonction "letsencrypt"                     ##
1916
##                   Fonction "letsencrypt"                     ##
1916
## - Install Let's Encrypt client                               ##
1917
## - Install Let's Encrypt client                               ##
1917
## - Prepare Let's Encrypt ALCASAR configuration file           ##
1918
## - Prepare Let's Encrypt ALCASAR configuration file           ##
1918
##################################################################
1919
##################################################################
1919
letsencrypt()
1920
letsencrypt()
1920
{
1921
{
1921
	echo "Installing Let's Encrypt client..."
1922
	echo "Installing Let's Encrypt client..."
1922
 
1923
 
1923
	# Extract acme.sh
1924
	# Extract acme.sh
1924
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
1925
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
1925
 
1926
 
1926
	pwdInstall=$(pwd)
1927
	pwdInstall=$(pwd)
1927
	cd /tmp/acme.sh-*
1928
	cd /tmp/acme.sh-*
1928
 
1929
 
1929
	acmesh_installDir="/opt/acme.sh"
1930
	acmesh_installDir="/opt/acme.sh"
1930
	acmesh_confDir="/usr/local/etc/letsencrypt"
1931
	acmesh_confDir="/usr/local/etc/letsencrypt"
1931
	acmesh_userAgent="ALCASAR"
1932
	acmesh_userAgent="ALCASAR"
1932
 
1933
 
1933
	# Install acme.sh
1934
	# Install acme.sh
1934
	./acme.sh --install \
1935
	./acme.sh --install \
1935
		--home $acmesh_installDir \
1936
		--home $acmesh_installDir \
1936
		--config-home $acmesh_confDir/data \
1937
		--config-home $acmesh_confDir/data \
1937
		--certhome $acmesh_confDir/certs \
1938
		--certhome $acmesh_confDir/certs \
1938
		--accountkey $acmesh_confDir/ca/account.key \
1939
		--accountkey $acmesh_confDir/ca/account.key \
1939
		--accountconf $acmesh_confDir/data/account.conf \
1940
		--accountconf $acmesh_confDir/data/account.conf \
1940
		--useragent $acmesh_userAgent \
1941
		--useragent $acmesh_userAgent \
1941
		--nocron \
1942
		--nocron \
1942
		> /dev/null
1943
		> /dev/null
1943
 
1944
 
1944
	if [ $? -ne 0 ]; then
1945
	if [ $? -ne 0 ]; then
1945
		echo "Error during installation of Let's Encrypt client (acme.sh)."
1946
		echo "Error during installation of Let's Encrypt client (acme.sh)."
1946
	fi
1947
	fi
1947
 
1948
 
1948
	# Create configuration file
1949
	# Create configuration file
1949
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
1950
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
1950
email=
1951
email=
1951
dateIssueRequest=
1952
dateIssueRequest=
1952
domainRequest=
1953
domainRequest=
1953
challenge=
1954
challenge=
1954
dateIssued=
1955
dateIssued=
1955
dnsapi=
1956
dnsapi=
1956
dateNextRenewal=
1957
dateNextRenewal=
1957
EOF
1958
EOF
1958
 
1959
 
1959
	cd $pwdInstall
1960
	cd $pwdInstall
1960
	rm -rf /tmp/acme.sh-*
1961
	rm -rf /tmp/acme.sh-*
1961
 
1962
 
1962
} # END letsencrypt()
1963
} # END letsencrypt()
1963
 
1964
 
1964
##################################################################
1965
##################################################################
1965
##                    Fonction "post_install"                   ##
1966
##                    Fonction "post_install"                   ##
1966
## - Modifying banners (locals et ssh) & prompts                ##
1967
## - Modifying banners (locals et ssh) & prompts                ##
1967
## - SSH config                                                 ##
1968
## - SSH config                                                 ##
1968
## - sudoers config & files security                            ##
1969
## - sudoers config & files security                            ##
1969
## - log rotate & ANSSI security parameters                     ##
1970
## - log rotate & ANSSI security parameters                     ##
1970
## - Apply former conf in case of an update                     ##
1971
## - Apply former conf in case of an update                     ##
1971
##################################################################
1972
##################################################################
1972
post_install()
1973
post_install()
1973
{
1974
{
1974
# change the SSH banner
1975
# change the SSH banner
1975
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1976
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1976
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1977
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1977
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1978
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1978
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1979
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1979
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1980
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1980
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1981
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1981
# postfix banner anonymisation
1982
# postfix banner anonymisation
1982
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1983
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1983
	chown -R postfix:postfix /var/lib/postfix
1984
	chown -R postfix:postfix /var/lib/postfix
1984
# sshd liste on EXTIF & INTIF
1985
# sshd liste on EXTIF & INTIF
1985
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1986
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1986
# sshd authorized certificate for root login
1987
# sshd authorized certificate for root login
1987
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1988
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1988
# ALCASAR conf file
1989
# ALCASAR conf file
1989
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
1990
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
1990
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
1991
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
1991
	echo "SSH=on" >> $CONF_FILE
1992
	echo "SSH=on" >> $CONF_FILE
1992
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1993
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1993
	echo "LDAP=off" >> $CONF_FILE
1994
	echo "LDAP=off" >> $CONF_FILE
1994
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
1995
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
1995
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
1996
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
1996
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
1997
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
1997
	echo "LDAP_FILTER=" >> $CONF_FILE
1998
	echo "LDAP_FILTER=" >> $CONF_FILE
1998
	echo "LDAP_USER=alcasar" >> $CONF_FILE
1999
	echo "LDAP_USER=alcasar" >> $CONF_FILE
1999
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2000
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2000
	echo "MULTIWAN=off" >> $CONF_FILE
2001
	echo "MULTIWAN=off" >> $CONF_FILE
2001
	echo "FAILOVER=30" >> $CONF_FILE
2002
	echo "FAILOVER=30" >> $CONF_FILE
2002
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2003
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2003
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2004
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2004
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2005
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2005
# Prompt customisation (colors)
2006
# Prompt customisation (colors)
2006
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2007
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2007
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2008
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2008
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2009
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2009
# sudoers configuration for "apache" & "sysadmin"
2010
# sudoers configuration for "apache" & "sysadmin"
2010
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2011
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2011
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2012
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2012
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2013
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2013
# Modify some logrotate files (gammu, ulogd)
2014
# Modify some logrotate files (gammu, ulogd)
2014
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2015
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2015
	chmod 644 /etc/logrotate.d/*
2016
	chmod 644 /etc/logrotate.d/*
2016
# Log compression
2017
# Log compression
2017
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2018
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2018
# actualisation des fichiers logs compressés
2019
# actualisation des fichiers logs compressés
2019
	for dir in firewall e2guardian lighttpd
2020
	for dir in firewall e2guardian lighttpd
2020
	do
2021
	do
2021
		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2022
		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2022
	done
2023
	done
2023
# create the alcasar-load_balancing unit
2024
# create the alcasar-load_balancing unit
2024
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2025
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2025
#  This file is part of systemd.
2026
#  This file is part of systemd.
2026
#
2027
#
2027
#  systemd is free software; you can redistribute it and/or modify it
2028
#  systemd is free software; you can redistribute it and/or modify it
2028
#  under the terms of the GNU General Public License as published by
2029
#  under the terms of the GNU General Public License as published by
2029
#  the Free Software Foundation; either version 2 of the License, or
2030
#  the Free Software Foundation; either version 2 of the License, or
2030
#  (at your option) any later version.
2031
#  (at your option) any later version.
2031
 
2032
 
2032
# This unit lauches alcasar-load-balancing.sh script.
2033
# This unit lauches alcasar-load-balancing.sh script.
2033
[Unit]
2034
[Unit]
2034
Description=alcasar-load_balancing.sh execution
2035
Description=alcasar-load_balancing.sh execution
2035
After=network.target iptables.service
2036
After=network.target iptables.service
2036
 
2037
 
2037
[Service]
2038
[Service]
2038
Type=oneshot
2039
Type=oneshot
2039
RemainAfterExit=yes
2040
RemainAfterExit=yes
2040
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2041
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2041
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2042
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2042
TimeoutSec=0
2043
TimeoutSec=0
2043
SysVStartPriority=99
2044
SysVStartPriority=99
2044
 
2045
 
2045
[Install]
2046
[Install]
2046
WantedBy=multi-user.target
2047
WantedBy=multi-user.target
2047
EOF
2048
EOF
2048
# processes launched at boot time (Systemctl)
2049
# processes launched at boot time (Systemctl)
2049
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2050
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2050
	do
2051
	do
2051
		/usr/bin/systemctl -q enable $i.service
2052
		/usr/bin/systemctl -q enable $i.service
2052
	done
2053
	done
2053
 
2054
 
2054
# disable processes at boot time (Systemctl)
2055
# disable processes at boot time (Systemctl)
2055
	for i in ulogd gpm
2056
	for i in ulogd gpm
2056
	do
2057
	do
2057
		/usr/bin/systemctl -q disable $i.service
2058
		/usr/bin/systemctl -q disable $i.service
2058
	done
2059
	done
2059
 
2060
 
2060
# Apply French Security Agency (ANSSI) rules
2061
# Apply French Security Agency (ANSSI) rules
2061
# ignore ICMP broadcast (smurf attack)
2062
# ignore ICMP broadcast (smurf attack)
2062
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2063
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2063
# ignore ICMP errors bogus
2064
# ignore ICMP errors bogus
2064
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2065
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2065
# remove ICMP redirects responces
2066
# remove ICMP redirects responces
2066
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2067
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2067
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2068
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2068
# enable SYN Cookies (Syn flood attacks)
2069
# enable SYN Cookies (Syn flood attacks)
2069
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2070
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2070
# enable kernel antispoofing
2071
# enable kernel antispoofing
2071
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2072
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2072
# ignore source routing
2073
# ignore source routing
2073
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2074
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2074
# set conntrack timer to 1h (3600s) instead of 5 weeks
2075
# set conntrack timer to 1h (3600s) instead of 5 weeks
2075
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2076
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2076
# disable log_martians (ALCASAR is often installed between two private network addresses)
2077
# disable log_martians (ALCASAR is often installed between two private network addresses)
2077
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2078
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2078
# disable iptables_helpers
2079
# disable iptables_helpers
2079
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2080
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2080
# Switch to the router mode
2081
# Switch to the router mode
2081
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2082
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2082
# Remove unused service ipv6
2083
# Remove unused service ipv6
2083
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2084
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2084
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2085
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2085
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2086
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2086
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2087
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2087
# switch to multi-users runlevel (instead of x11)
2088
# switch to multi-users runlevel (instead of x11)
2088
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2089
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2089
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2090
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2090
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2091
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2091
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2092
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2092
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2093
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2093
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2094
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2094
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2095
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2095
	if [ $vm_vga == 0 ] # is not a VM
2096
	if [ $vm_vga == 0 ] # is not a VM
2096
	then
2097
	then
2097
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2098
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2098
		echo >> /etc/mageia-release
2099
		echo >> /etc/mageia-release
2099
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2100
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2100
	fi
2101
	fi
2101
	if [ $Lang == "fr" ]
2102
	if [ $Lang == "fr" ]
2102
	then
2103
	then
2103
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2104
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2104
		echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2105
		echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2105
	else
2106
	else
2106
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2107
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2107
		echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2108
		echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2108
	fi
2109
	fi
2109
	/usr/bin/update-grub2
2110
	/usr/bin/update-grub2
2110
# Load and apply the previous conf file
2111
# Load and apply the previous conf file
2111
	if [ "$mode" = "update" ]
2112
	if [ "$mode" = "update" ]
2112
	then
2113
	then
2113
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2114
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2114
		$DIR_DEST_BIN/alcasar-conf.sh --load
2115
		$DIR_DEST_BIN/alcasar-conf.sh --load
2115
		PARENT_SCRIPT=`basename $0`
2116
		PARENT_SCRIPT=`basename $0`
2116
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2117
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2117
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2118
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2118
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2119
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2119
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2120
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2120
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2121
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2121
	fi
2122
	fi
2122
	rm -f /tmp/alcasar-conf*
2123
	rm -f /var/tmp/alcasar-conf*
2123
	chown -R root:apache $DIR_DEST_ETC/*
2124
	chown -R root:apache $DIR_DEST_ETC/*
2124
	chmod -R 660 $DIR_DEST_ETC/*
2125
	chmod -R 660 $DIR_DEST_ETC/*
2125
	chmod ug+x $DIR_DEST_ETC/digest
2126
	chmod ug+x $DIR_DEST_ETC/digest
2126
	cd $DIR_INSTALL
2127
	cd $DIR_INSTALL
2127
	echo ""
2128
	echo ""
2128
	echo "#############################################################################"
2129
	echo "#############################################################################"
2129
	if [ $Lang == "fr" ]
2130
	if [ $Lang == "fr" ]
2130
		then
2131
		then
2131
		echo "#                        Fin d'installation d'ALCASAR                       #"
2132
		echo "#                        Fin d'installation d'ALCASAR                       #"
2132
		echo "#                                                                           #"
2133
		echo "#                                                                           #"
2133
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2134
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2134
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2135
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2135
		echo "#                                                                           #"
2136
		echo "#                                                                           #"
2136
		echo "#############################################################################"
2137
		echo "#############################################################################"
2137
		echo
2138
		echo
2138
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2139
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2139
		echo
2140
		echo
2140
		echo "- Lisez attentivement la documentation d'exploitation"
2141
		echo "- Lisez attentivement la documentation d'exploitation"
2141
		echo
2142
		echo
2142
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2143
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2143
		echo
2144
		echo
2144
		echo "                   Appuyez sur 'Entrée' pour continuer"
2145
		echo "                   Appuyez sur 'Entrée' pour continuer"
2145
	else
2146
	else
2146
		echo "#                        End of ALCASAR install process                     #"
2147
		echo "#                        End of ALCASAR install process                     #"
2147
		echo "#                                                                           #"
2148
		echo "#                                                                           #"
2148
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2149
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2149
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2150
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2150
		echo "#                                                                           #"
2151
		echo "#                                                                           #"
2151
		echo "#############################################################################"
2152
		echo "#############################################################################"
2152
		echo
2153
		echo
2153
		echo "- The system will be rebooted in order to operate ALCASAR"
2154
		echo "- The system will be rebooted in order to operate ALCASAR"
2154
		echo
2155
		echo
2155
		echo "- Read the exploitation documentation"
2156
		echo "- Read the exploitation documentation"
2156
		echo
2157
		echo
2157
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2158
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2158
		echo
2159
		echo
2159
		echo "                   Hit 'Enter' to continue"
2160
		echo "                   Hit 'Enter' to continue"
2160
	fi
2161
	fi
2161
	sleep 2
2162
	sleep 2
2162
	if [ "$mode" != "update" ] && [ "$DEBUG_ALCASAR" != "on" ]
2163
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2163
	then
2164
	then
2164
		read a
2165
		read a
2165
	fi
2166
	fi
2166
	clear
2167
	clear
2167
	reboot
2168
	reboot
2168
} # End post_install ()
2169
} # End post_install ()
2169
 
2170
 
2170
#####################################################################################
2171
#####################################################################################
2171
#                                   Main Install loop                               #
2172
#                                   Main Install loop                               #
2172
#####################################################################################
2173
#####################################################################################
2173
dir_exec=`dirname "$0"`
2174
dir_exec=`dirname "$0"`
2174
if [ $dir_exec != "." ]
2175
if [ $dir_exec != "." ]
2175
then
2176
then
2176
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2177
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2177
	echo "Launch this program from the ALCASAR archive directory"
2178
	echo "Launch this program from the ALCASAR archive directory"
2178
	exit 0
2179
	exit 0
2179
fi
2180
fi
2180
if [[ $EUID > 0 ]]
2181
if [[ $EUID > 0 ]]
2181
then
2182
then
2182
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2183
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2183
	echo "You must be "root" to install ALCASAR ('su' command)"
2184
	echo "You must be "root" to install ALCASAR ('su' command)"
2184
	exit 0
2185
	exit 0
2185
fi
2186
fi
2186
VERSION=`cat $DIR_INSTALL/VERSION`
2187
VERSION=`cat $DIR_INSTALL/VERSION`
2187
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2188
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2188
nb_args=$#
2189
nb_args=$#
2189
args=$1
2190
args=$1
2190
if [ $nb_args -eq 0 ]
2191
if [ $nb_args -eq 0 ]
2191
then
2192
then
2192
	nb_args=1
2193
	nb_args=1
2193
	args="-h"
2194
	args="-h"
2194
fi
2195
fi
2195
chmod -R u+x $DIR_SCRIPTS/*
2196
chmod -R u+x $DIR_SCRIPTS/*
2196
case $args in
2197
case $args in
2197
	-\? | -h* | --h*)
2198
	-\? | -h* | --h*)
2198
		echo "$usage"
2199
		echo "$usage"
2199
		exit 0
2200
		exit 0
2200
		;;
2201
		;;
2201
	-i | --install)
2202
	-i | --install)
2202
		header_install
2203
		header_install
2203
		license
2204
		license
2204
		header_install
2205
		header_install
2205
		testing
2206
		testing
2206
# RPMs install
2207
# RPMs install
2207
		$DIR_SCRIPTS/alcasar-urpmi.sh
2208
		$DIR_SCRIPTS/alcasar-urpmi.sh
2208
		if [ "$?" != "0" ]
2209
		if [ "$?" != "0" ]
2209
		then
2210
		then
2210
			exit 0
2211
			exit 0
2211
		fi
2212
		fi
2212
		if [ -e $CONF_FILE ]
2213
		if [ -e $CONF_FILE ]
2213
		then
2214
		then
2214
# Uninstall or update the running version
2215
# Uninstall or update the running version
2215
			if [ "$mode" == "update" ]
2216
			if [ "$mode" == "update" ]
2216
			then
2217
			then
2217
				$DIR_SCRIPTS/alcasar-uninstall.sh -update
2218
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2218
			else
2219
			else
2219
				$DIR_SCRIPTS/alcasar-uninstall.sh -full
2220
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2220
			fi
2221
			fi
2221
		fi
2222
		fi
2222
	if [ $DEBUG_ALCASAR == "on" ]
2223
	if [ $DEBUG_ALCASAR == "on" ]
2223
	then
2224
	then
2224
		echo "*** 'debug' : end of cleaning ***"
2225
		echo "*** 'debug' : end of cleaning ***"
2225
		read a
2226
		read a
2226
	fi
2227
	fi
2227
# Test if manual update
2228
# Test if manual update
2228
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2229
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2229
		then
2230
		then
2230
			header_install
2231
			header_install
2231
			if [ $Lang == "fr" ]
2232
			if [ $Lang == "fr" ]
2232
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2233
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2233
				else echo "The configuration file of an old version has been found";
2234
				else echo "The configuration file of an old version has been found";
2234
			fi
2235
			fi
2235
			response=0
2236
			response=0
2236
			PTN='^[oOnNyY]$'
2237
			PTN='^[oOnNyY]$'
2237
			until [[ $(expr $response : $PTN) -gt 0 ]]
2238
			until [[ $(expr $response : $PTN) -gt 0 ]]
2238
			do
2239
			do
2239
				if [ $Lang == "fr" ]
2240
				if [ $Lang == "fr" ]
2240
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2241
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2241
					else echo -n "Do you want to use it (Y/n)?";
2242
					else echo -n "Do you want to use it (Y/n)?";
2242
				 fi
2243
				 fi
2243
				read response
2244
				read response
2244
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2245
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2245
				then rm -f /tmp/alcasar-conf*
2246
				then rm -f /var/tmp/alcasar-conf*
2246
				fi
2247
				fi
2247
			done
2248
			done
2248
		fi
2249
		fi
2249
# Test if update
2250
# Test if update
2250
		if [ -e /tmp/alcasar-conf* ]
2251
		if [ -e /var/tmp/alcasar-conf* ]
2251
		then
2252
		then
2252
			if [ $Lang == "fr" ]
2253
			if [ $Lang == "fr" ]
2253
				then echo "#### Installation avec mise à jour ####";
2254
				then echo "#### Installation avec mise à jour ####";
2254
				else echo "#### Installation with update     ####";
2255
				else echo "#### Installation with update     ####";
2255
			fi
2256
			fi
2256
# Extract the central configuration file
2257
# Extract some info from the previous configuration file
2257
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
2258
			tar -xf /var/tmp/alcasar-conf* conf/etc/alcasar.conf
2258
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2259
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2259
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2260
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2260
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2261
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2261
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2262
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2262
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2263
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2263
			mode="update"
2264
			mode="update"
2264
		fi
2265
		fi
2265
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
2266
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
2266
		do
2267
		do
2267
			$func
2268
			$func
2268
			if [ $DEBUG_ALCASAR == "on" ]
2269
			if [ $DEBUG_ALCASAR == "on" ]
2269
				then
2270
				then
2270
				echo "*** 'debug' : end of install '$func' ***"
2271
				echo "*** 'debug' : end of install '$func' ***"
2271
				read a
2272
				read a
2272
			fi
2273
			fi
2273
		done
2274
		done
2274
		;;
2275
		;;
2275
	-u | --uninstall)
2276
	-u | --uninstall)
2276
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2277
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2277
		then
2278
		then
2278
			if [ $Lang == "fr" ]
2279
			if [ $Lang == "fr" ]
2279
				then echo "ALCASAR n'est pas installé!";
2280
				then echo "ALCASAR n'est pas installé!";
2280
				else echo "ALCASAR isn't installed!";
2281
				else echo "ALCASAR isn't installed!";
2281
			fi
2282
			fi
2282
			exit 0
2283
			exit 0
2283
		fi
2284
		fi
2284
		response=0
2285
		response=0
2285
		PTN='^[oOnN]$'
2286
		PTN='^[oOnN]$'
2286
		until [[ $(expr $response : $PTN) -gt 0 ]]
2287
		until [[ $(expr $response : $PTN) -gt 0 ]]
2287
		do
2288
		do
2288
			if [ $Lang == "fr" ]
2289
			if [ $Lang == "fr" ]
2289
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2290
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2290
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2291
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2291
			fi
2292
			fi
2292
			read response
2293
			read response
2293
		done
2294
		done
2294
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2295
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2295
		then
2296
		then
2296
			$DIR_SCRIPTS/alcasar-conf.sh --create
2297
			$DIR_SCRIPTS/alcasar-conf.sh --create
2297
		else
2298
		else
2298
			rm -f /tmp/alcasar-conf*
2299
			rm -f /var/tmp/alcasar-conf*
2299
		fi
2300
		fi
2300
# Uninstall the running version
2301
# Uninstall the running version
2301
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2302
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2302
		;;
2303
		;;
2303
	*)
2304
	*)
2304
		echo "Argument inconnu :$1";
2305
		echo "Argument inconnu :$1";
2305
		echo "Unknown argument :$1";
2306
		echo "Unknown argument :$1";
2306
		echo "$usage"
2307
		echo "$usage"
2307
		exit 1
2308
		exit 1
2308
		;;
2309
		;;
2309
esac
2310
esac
2310
# end of script
2311
# end of script
2311
 
2312
 
2312
 
2313