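--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2681 2019-01-02 14:58:43Z tom.houdayer $
+#  $Id: alcasar.sh 2688 2019-01-18 23:15:49Z lucas.echard $
 
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
@@ -16,11 +16,11 @@
 # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
 # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
 # Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
-# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
+# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 
 # Options :
 #       -i or --install
 #       -u or --uninstall
 
@@ -37,13 +37,14 @@
 #	e2guardian		: E2Guardian filtering HTTP proxy configuration
 #	antivirus		: HAVP + libclamav configuration
 #	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
 #	ulogd			: log system in userland (match NFLOG target of iptables)
 #	nfsen			: Configuration of Nfsen Netflow grapher
-#	dnsmasq			: Name server configuration
+#	unbound			: Name server configuration
+#	dnsmasq			: Name server configuration (for whitelist ipset support)
 #	vnstat			: little network stat daemon
-#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
+#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
 #	cron			: Logs export + watchdog + connexion statistics
 #	fail2ban		: Fail2ban IDS installation and configuration
 #	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
 #	msec			: Mandriva security package configuration
 #	letsencrypt		: Let's Encrypt client
@@ -63,11 +64,11 @@
 DIR_WEB="/var/www/html"					# directory of Lighttpd
 DIR_DG="/etc/e2guardian"				# directory of E2Guardian
 DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
 DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
 DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
-DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
+DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
 CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
 PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
 # ******* DBMS parameters - paramètres SGBD ********
 DB_RADIUS="radius"						# database name used by FreeRadius server
 DB_USER="radius"						# user name allows to request the users database
@@ -130,11 +131,11 @@
 	fic=`cat /etc/product.id`
 	unknown_os=0
 	old="$IFS"
 	IFS=","
 	set $fic
-	for i in $*
+	for i in "$@"
 	do
 		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
 			then
 			DISTRIBUTION=`echo $i|cut -d"=" -f2`
 			unknown_os=`expr $unknown_os + 1`
@@ -158,11 +159,11 @@
 		fi
 		exit 1
 	fi
 	IFS="$old"
 	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
-		then
+	then
 		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
 			then
 			echo
 			if [ $Lang == "fr" ]
 				then
@@ -185,11 +186,11 @@
 		echo
 		if [ $Lang == "fr" ]
 			then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
 			else echo "The OS must be replaced (Mageia6-64bits)"
 		fi
-		exit 0
+		exit 1
 	fi
 
 # Test if ALCASAR is already installed
 	if [ -e $CONF_FILE ]
 	then
@@ -213,21 +214,21 @@
 			rm -f /var/tmp/alcasar-conf*
 		else
 # Retrieve former NICname
 			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
 			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
-			[ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
-			[ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
+			[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
+			[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
 # Create the current conf file
 			$DIR_SCRIPTS/alcasar-conf.sh --create
 			mode="update"
 		fi
 	fi
 # Test free space on /var
 	if [ ! -d /var/log/netflow/porttracker ]
 		then
-		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
+		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
 		if [ $free_space -lt 10 ]
 			then
 			if [ $Lang == "fr" ]
 				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
 				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
@@ -281,11 +282,11 @@
 				read response
 
 				[ -z "$response" ] && response="$interfacePreferred"
 
 				# Check if interface exist
-				if [ $(echo "$interfacesList" | grep -c "^$response\$") -eq 1 ]; then
+				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
 					INTIF="$response"
 					break
 				else
 					if [ "$Lang" == 'fr' ]
 						then echo "Interface \"$response\" introuvable"
@@ -303,24 +304,24 @@
 	if [ $Lang == "fr" ]
 		then echo -n "Tests des paramètres réseau : "
 		else echo -n "Network parameters tests: "
 	fi
 # Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
-	cd /etc/sysconfig/network-scripts/
+	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
 	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
 	for i in $IF_INTERFACES
 	do
-		if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
+		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
 			rm -f ifcfg-$i
 
 			if [ $Lang == "fr" ]
 				then echo "Suppression : ifcfg-$i"
 				else echo "Deleting: ifcfg-$i"
 			fi
 		fi
 	done
-	cd $DIR_INSTALL
+	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
 	echo -n "."
 # Test Ethernet NIC links state
 	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
 	if [ ! -z "$interfacesDown" ]; then
 		for i in $interfacesDown; do
@@ -340,11 +341,11 @@
 	echo -n "."
 # Test EXTIF config files
 	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
 	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
 	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
-	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
+	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
 	then
 		if [ $Lang == "fr" ]
 		then
 			echo -e "\nÉchec"
 			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
@@ -365,11 +366,11 @@
 		echo "ONBOOT=yes"
 		exit 1
 	fi
 	echo -n "."
 # Test if default GW is set on EXTIF (router or ISP provider equipment)
-	if [ `/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default '` -ne 1 ] ; then
+	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
 		if [ $Lang == "fr" ]
 		then
 			echo -e "\nÉchec"
 			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
 			echo "Réglez ce problème puis relancez ce script."
@@ -381,11 +382,11 @@
 		exit 1
 	fi
 	echo -n "."
 # Test if default GW is alive
 	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
-	if [ $(expr $arp_reply) -eq 0 ]
+	if [ "$(expr $arp_reply)" -eq 0 ]
 		then
 		if [ $Lang == "fr" ]
 		then
 			echo -e "\nÉchec"
 			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
@@ -436,20 +437,20 @@
 				then echo -n "Entrez le nom de votre organisme : "
 				else echo -n "Enter the name of your organism : "
 			fi
 			read ORGANISME
 			if [ "$ORGANISME" == "" ]
-				then
+			then
 				ORGANISME=!
 			fi
 		done
 	fi
 # On crée aléatoirement les mots de passe et les secrets partagés
 # We create random passwords and shared secrets
 	rm -f $PASSWD_FILE
 	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
-	grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
+	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
 	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
 		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
 		grep -v '[eE]nter password:' | \
 		sed -e "s/PBKDF2 hash of your password is //"`
 	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
@@ -457,21 +458,21 @@
 	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
 	chmod 0600 /boot/grub2/user.cfg
 	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
 	echo "GRUB2_user=root" >> $PASSWD_FILE
 	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
-	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
+	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
 	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
 	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
-	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
+	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
 	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
 	echo "db_user=$DB_USER" >> $PASSWD_FILE
 	echo "db_password=$radiuspwd" >> $PASSWD_FILE
-	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
+	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
 	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
 	echo "secret_uam=$secretuam" >> $PASSWD_FILE
-	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
+	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
 	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
 	echo "secret_radius=$secretradius" >> $PASSWD_FILE
 	chmod 640 $PASSWD_FILE
 #  copy scripts in in /usr/local/bin
 	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
@@ -533,11 +534,11 @@
 					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
 				fi
 				read PRIVATE_IP_MASK
 			done
 		else
-	   			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
+			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
 		fi
 	else
 		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
 		rm -rf conf/etc/alcasar.conf
 	fi
@@ -547,23 +548,19 @@
 	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
 	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
 	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
 	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
 	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
-		then
+	then
 		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
 		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
 	fi
 	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
 	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
 	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
 	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
 	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
-	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
-	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
-	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
-	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
 	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
 # Define Internet parameters
 	if [ "$mode" != "update" ]
 	then
 		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
@@ -609,11 +606,11 @@
 		then echo "LANIF=$LANIF" >> $CONF_FILE
 	fi
 	#########################################################################################################
 	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
 	if [ $IP_SETTING == "dhcp" ]
-		then
+	then
 		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
 		echo "GW=dhcp" >> $CONF_FILE
 	else
 		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
 		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
@@ -642,11 +639,11 @@
 $PRIVATE_IP	$HOSTNAME
 EOF
 # write EXTIF (Internet) config
 	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
 	if [ $IP_SETTING == "dhcp" ]
-		then
+	then
 		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
 DEVICE=$EXTIF
 BOOTPROTO=dhcp
 DNS1=127.0.0.1
 PEERDNS=no
@@ -659,11 +656,11 @@
 IPV6TO4INIT=no
 ACCOUNTING=no
 USERCTL=no
 MTU=$MTU
 EOF
-		else
+	else
 		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
 DEVICE=$EXTIF
 BOOTPROTO=static
 IPADDR=$PUBLIC_IP
 NETMASK=$PUBLIC_NETMASK
@@ -756,14 +753,14 @@
 	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
 	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
 # load ipt_NETFLOW module
 	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
 # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
-[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
-$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
-[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
-$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
+	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
+	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
+	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
+	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
 #
 # the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
 } # End of network ()
 
 ###################################################
@@ -821,12 +818,12 @@
 	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
 # Configuring & securing Lighttpd
 	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
 	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
 	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
-	$SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
-	$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
+	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
+	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
 	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
 	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
 
 	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
 	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
@@ -843,34 +840,35 @@
 
 	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
 
 	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
 	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
-	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
-	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
-	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
-	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
+	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
+	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
+	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
+	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
 	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
 
 	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
 	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
 	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
+
 
 	chown -R apache:apache /var/log/lighttpd
 	/usr/bin/systemctl start lighttpd
 	/usr/bin/systemctl start php-fpm
 
 # Creation of the first account (in 'admin' profile)
 	if [ "$mode" = "install" ]
-		then
-			header_install
+	then
+		header_install
 # Creation of keys file for the admin account ("admin")
-			[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
-			mkdir -p $DIR_DEST_ETC/digest
-			chmod 755 $DIR_DEST_ETC/digest
-			until [ -s $DIR_DEST_ETC/digest/key_admin ]
-			do
-				$DIR_DEST_BIN/alcasar-profil.sh --add admin
-			done
+		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
+		mkdir -p $DIR_DEST_ETC/digest
+		chmod 755 $DIR_DEST_ETC/digest
+		until [ -s $DIR_DEST_ETC/digest/key_admin ]
+		do
+			$DIR_DEST_BIN/alcasar-profil.sh --add admin
+		done
 	fi
 
 	# Run after coova (in order to wait tun0 to be up)
 	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service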
874
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
877
	# Log file for ACC access imputability
875
	# Log file for ACC access imputability
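Review bot: `var.server_name` is now set to `$PRIVATE_IP` in both vhost files, while the certificate the portal serves is presumably issued for `$HOSTNAME.$DOMAIN` (the letsencrypt function further down works with a domain name); if lighttpd uses `server_name` to build redirects or absolute URLs, clients get sent to an `https://<ip>/` URL that can never match the certificate and see a browser warning on every redirect, which trains users to click through. Binding the socket to `$PRIVATE_IP:443` is independent of this and fine, since the unbound views below resolve `$HOSTNAME.$DOMAIN` to `$PRIVATE_IP` on the LAN. I would keep `var.server_name = "$HOSTNAME.$DOMAIN"` unless the vhost templates (outside this page) are confirmed not to use it. The re-indented admin-account block in the same hunk is a whitespace-only change.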
Line 917... Line 915...
917
logfile /var/log/ntp.log
915
logfile /var/log/ntp.log
918
disable monitor
916
disable monitor
919
EOF
917
EOF
920
	chown -R ntp:ntp /var/lib/ntp
918
	chown -R ntp:ntp /var/lib/ntp
921
# Synchronize now
919
# Synchronize now
922
	ntpd -q -g &
920
	ntpd -4 -q -g &
923
} # End of time_server ()
921
} # End of time_server ()
924
 
922
 
925
#####################################################################
923
#####################################################################
926
##                     Function "init_db"                          ##
924
##                     Function "init_db"                          ##
927
## - Mysql initialization                                          ##
925
## - Mysql initialization                                          ##
Line 930... Line 928...
930
## - Radius database creation                                      ##
928
## - Radius database creation                                      ##
931
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
929
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
932
#####################################################################
930
#####################################################################
933
init_db ()
931
init_db ()
934
{
932
{
935
	if [ `systemctl is-active mysqld` == "active" ]
933
	if [ "`systemctl is-active mysqld`" == "active" ]
936
	then
934
	then
937
		systemctl stop mysqld
935
		systemctl stop mysqld
938
	fi
936
	fi
939
	rm -rf /var/lib/mysql # to be sure that there is no former installation
937
	rm -rf /var/lib/mysql # to be sure that there is no former installation
940
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
938
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
Line 955... Line 953...
955
	if [ ! -S /var/lib/mysql/mysql.sock ]
953
	if [ ! -S /var/lib/mysql/mysql.sock ]
956
	then
954
	then
957
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
955
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
958
		exit
956
		exit
959
	fi
957
	fi
960
	MYSQL="/usr/bin/mysql --execute"
-
 
961
# Secure the server
958
# Secure the server
962
	$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
959
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
-
 
960
 
963
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
961
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
964
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
962
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
965
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
963
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
966
# Create 'radius' database
964
# Create 'radius' database
967
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
965
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
968
# Add an empty radius database structure
966
# Add an empty radius database structure
969
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
967
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
970
# modify the start script in order to close accounting connexion when the system is comming down or up
968
# modify the start script in order to close accounting connexion when the system is comming down or up
971
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
969
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
972
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
970
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
973
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
971
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
974
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
972
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
Line 1049... Line 1047...
1049
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1047
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1050
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1048
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1051
	/usr/bin/systemctl daemon-reload
1049
	/usr/bin/systemctl daemon-reload
1052
# Allow apache to change some conf files (ie : ldap on/off)
1050
# Allow apache to change some conf files (ie : ldap on/off)
1053
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1051
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1054
 
-
 
1055
} # End freeradius ()
1052
} # End freeradius ()
1056
 
1053
 
1057
#############################################################################
1054
#############################################################################
1058
##                           Function "chilli"                             ##
1055
##                           Function "chilli"                             ##
1059
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1056
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
Line 1184... Line 1181...
1184
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1181
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1185
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1182
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1186
		#
1183
		#
1187
		#Code : 42 => 2a
1184
		#Code : 42 => 2a
1188
		#Len : 4 => 04
1185
		#Len : 4 => 04
1189
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1186
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1190
	cat <<EOF > /etc/chilli.conf
1187
	cat <<EOF > /etc/chilli.conf
1191
# coova config for ALCASAR
1188
# coova config for ALCASAR
1192
cmdsocket	/var/run/chilli.sock
1189
cmdsocket	/var/run/chilli.sock
1193
unixipc		chilli.$INTIF.ipc
1190
unixipc		chilli.$INTIF.ipc
1194
pidfile		/var/run/chilli.pid
1191
pidfile		/var/run/chilli.pid
Line 1466... Line 1463...
1466
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1463
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1467
# use of our conf file and init unit
1464
# use of our conf file and init unit
1468
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1465
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1469
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1466
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1470
	DirTmp=$(pwd)
1467
	DirTmp=$(pwd)
1471
	cd /tmp/nfsen-*/
1468
	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
1472
	/usr/bin/perl install.pl etc/nfsen.conf
1469
	/usr/bin/perl install.pl etc/nfsen.conf
1473
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1470
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1474
# Create RRD DB for porttracker (only in it still doesn't exist)
1471
# Create RRD DB for porttracker (only in it still doesn't exist)
1475
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1472
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1476
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1473
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
Line 1503... Line 1500...
1503
 
1500
 
1504
[Install]
1501
[Install]
1505
WantedBy=multi-user.target
1502
WantedBy=multi-user.target
1506
EOF
1503
EOF
1507
# Add the listen port to collect netflow packet (nfcapd)
1504
# Add the listen port to collect netflow packet (nfcapd)
1508
	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1505
	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1509
# expire delay for the profile "live"
1506
# expire delay for the profile "live"
1510
	/usr/bin/systemctl start nfsen
1507
	/usr/bin/systemctl start nfsen
1511
	/bin/nfsen -m live -e 62d 2>/dev/null
1508
	/bin/nfsen -m live -e 62d 2>/dev/null
1512
# add SURFmap plugin (waiting for new technical solution)
1509
# add SURFmap plugin (waiting for new technical solution)
1513
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1510
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1514
#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1511
#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1515
#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1512
#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1516
#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1513
#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1517
#	cd /tmp/
1514
#	cd /tmp/
1518
#	/usr/bin/sh SURFmap/install.sh 
1515
#	/usr/bin/sh SURFmap/install.sh
1519
# clear the installation
1516
# clear the installation
1520
#	rm -rf /tmp/SURFmap*
1517
#	rm -rf /tmp/SURFmap*
1521
	rm -rf /tmp/nfsen-*
1518
	rm -rf /tmp/nfsen-*
1522
	cd $DirTmp
1519
	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1523
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1520
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1524
} # End of nfsen ()
1521
} # End of nfsen ()
1525
 
1522
 
1526
###########################################################
1523
###########################################################
1527
##                     Function "vnstat"                 ##
1524
##                     Function "vnstat"                 ##
Line 1529... Line 1526...
1529
###########################################################
1526
###########################################################
1530
vnstat ()
1527
vnstat ()
1531
{
1528
{
1532
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1529
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1533
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1530
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1534
    $SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1531
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1535
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1532
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1536
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1533
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1537
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1534
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1538
	/usr/bin/vnstat -i $EXTIF -u --force
1535
	/usr/bin/vnstat -i $EXTIF -u --force
1539
} # End of vnstat
1536
} # End of vnstat
Line 1544... Line 1541...
1544
## - creation of the file managing domain name (local & remote) ##
1541
## - creation of the file managing domain name (local & remote) ##
1545
##################################################################
1542
##################################################################
1546
dnsmasq ()
1543
dnsmasq ()
1547
{
1544
{
1548
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1545
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1549
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
-
 
1550
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1546
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1551
	cat << EOF > /etc/dnsmasq.conf
-
 
1552
# Configuration file for "dnsmasq in forward mode"
-
 
1553
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
-
 
1554
listen-address=$PRIVATE_IP
-
 
1555
pid-file=/var/run/dnsmasq.pid
-
 
1556
listen-address=127.0.0.1
-
 
1557
no-dhcp-interface=$INTIF
-
 
1558
no-dhcp-interface=tun0
-
 
1559
no-dhcp-interface=lo
-
 
1560
bind-interfaces
-
 
1561
cache-size=2048
-
 
1562
domain-needed
-
 
1563
expand-hosts
-
 
1564
bogus-priv
-
 
1565
filterwin2k
-
 
1566
server=$DNS1
-
 
1567
server=$DNS2
-
 
1568
# DHCP service is configured. It will be enabled in "bypass" mode
-
 
1569
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
-
 
1570
#dhcp-option=option:router,$PRIVATE_IP
-
 
1571
#dhcp-option=option:ntp-server,$PRIVATE_IP
-
 
1572
 
-
 
1573
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
-
 
1574
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
-
 
1575
EOF
-
 
1576
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
-
 
1577
	cat << EOF > /etc/dnsmasq-blacklist.conf
-
 
1578
# Configuration file for "dnsmasq with blacklist"
-
 
1579
# Add Toulouse University blacklist domains
-
 
1580
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
-
 
1581
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
-
 
1582
pid-file=/var/run/dnsmasq-blacklist.pid
-
 
1583
listen-address=$PRIVATE_IP
-
 
1584
port=54
-
 
1585
no-dhcp-interface=$INTIF
-
 
1586
no-dhcp-interface=tun0
-
 
1587
no-dhcp-interface=lo
-
 
1588
bind-interfaces
-
 
1589
cache-size=2048
-
 
1590
domain-needed
-
 
1591
expand-hosts
-
 
1592
bogus-priv
-
 
1593
filterwin2k
-
 
1594
log-queries
-
 
1595
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
-
 
1596
server=$DNS1
-
 
1597
server=$DNS2
-
 
1598
EOF
-
 
1599
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1547
	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1600
	cat << EOF > /etc/dnsmasq-whitelist.conf
1548
	cat << EOF > /etc/dnsmasq-whitelist.conf
1601
# Configuration file for "dnsmasq with whitelist"
1549
# Configuration file for "dnsmasq with whitelist"
1602
# ADD Toulouse university whitelist domains
1550
# ADD Toulouse university whitelist domains
1603
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
-
 
1604
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
-
 
1605
pid-file=/var/run/dnsmasq-whitelist.pid
1551
pid-file=/var/run/dnsmasq-whitelist.pid
1606
listen-address=$PRIVATE_IP
1552
listen-address=127.0.0.1
1607
port=55
1553
port=55
1608
no-dhcp-interface=$INTIF
-
 
1609
no-dhcp-interface=tun0
-
 
1610
no-dhcp-interface=lo
1554
no-dhcp-interface=lo
1611
bind-interfaces
1555
bind-interfaces
1612
cache-size=1024
1556
cache-size=1024
1613
domain-needed
1557
domain-needed
1614
expand-hosts
1558
expand-hosts
1615
bogus-priv
1559
bogus-priv
1616
filterwin2k
1560
filterwin2k
1617
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1561
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1618
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
-
 
1619
EOF
-
 
1620
# 4th dnsmasq listen on udp 56 ("blackhole")
-
 
1621
	cat << EOF > /etc/dnsmasq-blackhole.conf
-
 
1622
# Configuration file for "dnsmasq as a blackhole"
-
 
1623
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local & remote DNS domain name resolutions
-
 
1624
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
-
 
1625
pid-file=/var/run/dnsmasq-blackhole.pid
-
 
1626
listen-address=$PRIVATE_IP
-
 
1627
port=56
-
 
1628
no-dhcp-interface=$INTIF
-
 
1629
no-dhcp-interface=tun0
-
 
1630
no-dhcp-interface=lo
-
 
1631
bind-interfaces
-
 
1632
cache-size=256
-
 
1633
domain-needed
-
 
1634
expand-hosts
1562
server=$DNS1
1635
bogus-priv
-
 
1636
filterwin2k
1563
server=$DNS2
1637
EOF
1564
EOF
1638
# file managing domain name resolution (local & remote)
-
 
1639
	cat << EOF > $DIR_DEST_ETC/alcasar-dns-name
-
 
1640
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut)
-
 
1641
# Here you can define your local domain name ('localdomain' by default)
-
 
1642
local=/localdomain/
-
 
1643
domain=localdomain
-
 
1644
 
-
 
1645
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS
-
 
1646
## Add one line for each domain name managed by an other DNS server
-
 
1647
## server=/<your_domain>/<@IP_domain_server>
-
 
1648
## Exemple for an A.D. domain :  server=/Your.Domain.AD/110.120.100.100
-
 
1649
## Exemple for an other domain : server=/an_other_domain/10.20.30.40
-
 
1650
 
1565
 
-
 
1566
	# Create dnsmasq-whitelist unit
-
 
1567
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
-
 
1568
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
-
 
1569
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
-
 
1570
	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
-
 
1571
} # End dnsmasq
-
 
1572
 
-
 
1573
##################################################
-
 
1574
##              Function "unbound"              ##
-
 
1575
##################################################
-
 
1576
unbound ()
-
 
1577
{
-
 
1578
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
-
 
1579
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
-
 
1580
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
-
 
1581
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
-
 
1582
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
-
 
1583
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
-
 
1584
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
-
 
1585
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
-
 
1586
	[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
-
 
1587
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
-
 
1588
 
-
 
1589
	# Local static DNS configuration
-
 
1590
	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
-
 
1591
 
-
 
1592
	# Forward zone configuration file for all unbound dns servers
-
 
1593
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
-
 
1594
forward-zone:
-
 
1595
	name: "."
-
 
1596
	forward-addr: $DNS1
-
 
1597
	forward-addr: $DNS2
-
 
1598
EOF
-
 
1599
 
-
 
1600
	# Custom configuration file for manual DNS configuration
-
 
1601
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
-
 
1602
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
-
 
1603
## Add one block for each domain name managed by an other DNS server
-
 
1604
##
-
 
1605
## Example:
-
 
1606
##
-
 
1607
## server:
-
 
1608
##     local-zone: "<your_domain>." transparent
-
 
1609
## forward-zone:
-
 
1610
##     name: "<your_domain>."
-
 
1611
##     forward-addr: <@IP_domain_server>
-
 
1612
##
1651
## INFO : local hostnames are resolved in /etc/hosts file
1613
## INFO : local hostnames are resolved in /etc/hosts file
1652
EOF
1614
EOF
1653
 
1615
 
-
 
1616
	# Configuration file of ALCASAR main domains for $INTIF
-
 
1617
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
-
 
1618
server:
-
 
1619
	local-zone: "$HOSTNAME.$DOMAIN" static
-
 
1620
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
-
 
1621
	local-zone: "$HOSTNAME" static
-
 
1622
	local-data: "$HOSTNAME A $PRIVATE_IP"
-
 
1623
	local-zone: "$DOMAIN." static
-
 
1624
	local-data: "$DOMAIN. A"
-
 
1625
EOF
-
 
1626
 
-
 
1627
	# Configuration file for lo of forward unbound
-
 
1628
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
-
 
1629
server:
-
 
1630
	interface: 127.0.0.1@53
-
 
1631
	access-control-view: 127.0.0.1/8 lo
-
 
1632
 
-
 
1633
view:
-
 
1634
	name: "lo"
-
 
1635
	local-zone: "$HOSTNAME.$DOMAIN" static
-
 
1636
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
-
 
1637
	local-zone: "$HOSTNAME" static
-
 
1638
	local-data: "$HOSTNAME A 127.0.0.1"
-
 
1639
	local-zone: "$DOMAIN." static
-
 
1640
	local-data: "$DOMAIN. A"
-
 
1641
	view-first: yes
-
 
1642
EOF
-
 
1643
 
-
 
1644
	# Configuration file for $INTIF of forward unbound
-
 
1645
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
-
 
1646
server:
-
 
1647
	interface: ${PRIVATE_IP}@53
-
 
1648
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
-
 
1649
 
-
 
1650
view:
-
 
1651
	name: "$INTIF"
-
 
1652
	local-zone: "$HOSTNAME.$DOMAIN" static
-
 
1653
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
-
 
1654
	local-zone: "$HOSTNAME" static
-
 
1655
	local-data: "$HOSTNAME A $PRIVATE_IP"
-
 
1656
	view-first: yes
-
 
1657
EOF
-
 
1658
 
-
 
1659
	# Configuration file for forward unbound
-
 
1660
	cat << EOF > /etc/unbound/unbound.conf
-
 
1661
server:
-
 
1662
	verbosity: 1
-
 
1663
	hide-version: yes
-
 
1664
	hide-identity: yes
-
 
1665
	do-ip6: no
-
 
1666
 
-
 
1667
	include: /etc/unbound/conf.d/common/forward-zone.conf
-
 
1668
	include: /etc/unbound/conf.d/common/local-forward/*
-
 
1669
	include: /etc/unbound/conf.d/common/local-dns/*
-
 
1670
	include: /etc/unbound/conf.d/forward/*
-
 
1671
EOF
-
 
1672
 
-
 
1673
	# Configuration file for $INTIF of blacklist unbound
-
 
1674
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
-
 
1675
server:
-
 
1676
	interface: ${PRIVATE_IP}@54
-
 
1677
	access-control: $PRIVATE_IP_MASK allow
-
 
1678
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
-
 
1679
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
-
 
1680
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
-
 
1681
EOF
-
 
1682
 
-
 
1683
	# Configuration file for blacklist unbound
-
 
1684
	cat << EOF > /etc/unbound/unbound-blacklist.conf
-
 
1685
server:
-
 
1686
	verbosity: 1
-
 
1687
	hide-version: yes
-
 
1688
	hide-identity: yes
-
 
1689
	do-ip6: no
-
 
1690
	logfile: "/var/log/unbound/unbound-blacklist.log"
-
 
1691
	chroot: ""
-
 
1692
	define-tag: "blacklist"
-
 
1693
	log-local-actions: yes
-
 
1694
 
-
 
1695
	include: /etc/unbound/conf.d/common/forward-zone.conf
-
 
1696
	include: /etc/unbound/conf.d/common/local-forward/*
-
 
1697
	include: /etc/unbound/conf.d/common/local-dns/*
-
 
1698
	include: /etc/unbound/conf.d/blacklist/*
-
 
1699
 
-
 
1700
	include: /usr/local/share/unbound-bl-enabled/*
-
 
1701
EOF
-
 
1702
 
-
 
1703
	# Configuration file for $INTIF of whitelist unbound
-
 
1704
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
-
 
1705
server:
-
 
1706
	interface: ${PRIVATE_IP}@55
-
 
1707
	access-control: $PRIVATE_IP_MASK allow
-
 
1708
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
-
 
1709
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1654
# the main instance should start after network and chilli (which create tun0)
1710
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
-
 
1711
EOF
-
 
1712
 
-
 
1713
	# Configuration file for whitelist unbound
-
 
1714
	cat << EOF > /etc/unbound/unbound-whitelist.conf
-
 
1715
server:
-
 
1716
	verbosity: 1
-
 
1717
	hide-version: yes
-
 
1718
	hide-identity: yes
-
 
1719
	do-ip6: no
-
 
1720
	do-not-query-localhost: no
-
 
1721
	define-tag: "whitelist"
-
 
1722
 
-
 
1723
	local-zone: "." transparent
-
 
1724
	local-zone-tag: "." "whitelist"
-
 
1725
 
-
 
1726
	include: /usr/local/share/unbound-wl-enabled/*
-
 
1727
	include: /etc/unbound/conf.d/whitelist/*
-
 
1728
	include: /etc/unbound/conf.d/common/local-dns/*
-
 
1729
	include: /etc/unbound/conf.d/common/local-forward/*
-
 
1730
 
-
 
1731
forward-zone:
-
 
1732
	name: "."
-
 
1733
	forward-addr: 127.0.0.1@55
-
 
1734
EOF
-
 
1735
 
-
 
1736
	# Configuration file for $INTIF of blackhole unbound
-
 
1737
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
-
 
1738
server:
-
 
1739
	interface: ${PRIVATE_IP}@56
-
 
1740
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
-
 
1741
 
-
 
1742
view:
-
 
1743
	name: "$INTIF"
-
 
1744
	local-zone: "." redirect
-
 
1745
	local-data: ". A $PRIVATE_IP"
-
 
1746
EOF
-
 
1747
 
-
 
1748
	# Configuration file for blackhole unbound
-
 
1749
	cat << EOF > /etc/unbound/unbound-blackhole.conf
-
 
1750
server:
-
 
1751
	verbosity: 1
-
 
1752
	hide-version: yes
-
 
1753
	hide-identity: yes
-
 
1754
	do-ip6: no
-
 
1755
 
-
 
1756
	include: /etc/unbound/conf.d/blackhole/*
-
 
1757
	include: /etc/unbound/conf.d/common/local-dns/*
-
 
1758
	include: /etc/unbound/conf.d/common/local-forward/*
-
 
1759
EOF
-
 
1760
 
-
 
1761
	if [ ! -e /lib/systemd/system/unbound.service.default ]
-
 
1762
	then
1655
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1763
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
-
 
1764
	fi
1656
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1765
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1657
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1766
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
-
 
1767
 
1658
	for list in blacklist whitelist blackhole
1768
	for list in blacklist blackhole whitelist
1659
	do
1769
	do
1660
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1770
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1661
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1771
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1662
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1772
		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1663
	done
1773
	done
-
 
1774
 
-
 
1775
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1664
} # End dnsmasq
1776
} # End unbound
1665
 
1777
 
1666
##########################################################
1778
##########################################################
1667
##                      Function "BL"                   ##
1779
##                      Function "BL"                   ##
1668
## - copy Toulouse BL                                   ##
1780
## - copy Toulouse BL                                   ##
1669
## - adapt this BL to ALCASAR architecture              ##
1781
## - adapt this BL to ALCASAR architecture              ##
1670
##     - domain names for dnsmasq-bl & dnasmasq-wl      ##
1782
##     - domain names for unbound-bl & unbound-wl       ##
1671
##     - URLs for E²guardian                            ##
1783
##     - URLs for E²guardian                            ##
1672
##     - IPs for NetFilter                              ##
1784
##     - IPs for NetFilter                              ##
1673
##########################################################
1785
##########################################################
1674
BL ()
1786
BL ()
1675
{
1787
{
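Review bot: None of the four generated unbound configurations sets `pidfile:`, so every instance writes the compiled-in default pidfile and the `PIDFile=/var/run/unbound-$list.pid` written into the unbound-blacklist/blackhole/whitelist units points at files nothing creates; each instance's `server:` block needs its own, e.g. `pidfile: "/var/run/unbound-blacklist.pid"` (if the stock unit has no `PIDFile=` line the sed is a no-op and the instances still collide on one pidfile). The function also never validates what it writes: `local-data: "$DOMAIN. A"` carries no rdata, and the forward and blackhole instances rely on `access-control-view` alone while blacklist/whitelist add an explicit `access-control: … allow`, so whether the main resolver on `${PRIVATE_IP}@53` accepts LAN clients depends on whether a view assignment implies allow on this unbound version — I have not confirmed either. Running `unbound-checkconf` on each file before the units are created turns both into an install-time failure instead of a dead resolver after reboot. Plain forwarding to `$DNS1`/`$DNS2` with no trust anchor means no DNSSEC validation, the same posture as the dnsmasq setup it replaces; worth a one-line comment in `forward-zone.conf` so nobody assumes otherwise.
```shell
	# … unchanged: generated unbound.conf and unbound-{blacklist,whitelist,blackhole}.conf …
	# Validate the generated files now rather than discovering a broken resolver at boot
	for cfg in /etc/unbound/unbound.conf /etc/unbound/unbound-blacklist.conf /etc/unbound/unbound-whitelist.conf /etc/unbound/unbound-blackhole.conf
	do
		unbound-checkconf "$cfg" || { echo "Invalid unbound configuration: $cfg"; exit 1; }
	done
	# … unchanged: systemd unit creation for unbound and unbound-$list …
```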
Line 1843... Line 1955...
1843
	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1955
	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1844
	usermod -a -G dialout gammu_smsd
1956
	usermod -a -G dialout gammu_smsd
1845
 
1957
 
1846
# Create 'gammu' database
1958
# Create 'gammu' database
1847
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1959
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1848
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1960
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1849
# Add a gammu database structure
1961
# Add a gammu database structure
1850
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1962
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1851
 
1963
 
1852
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1964
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1853
	cat << EOF > /etc/gammurc
1965
	cat << EOF > /etc/gammurc
1854
[gammu]
1966
[gammu]
1855
device = /dev/ttyUSB0
1967
device = /dev/ttyUSB0
Line 1970... Line 2082...
1970
 
2082
 
1971
	# Extract acme.sh
2083
	# Extract acme.sh
1972
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2084
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
1973
 
2085
 
1974
	pwdInstall=$(pwd)
2086
	pwdInstall=$(pwd)
1975
	cd /tmp/acme.sh-*
2087
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
1976
 
2088
 
1977
	acmesh_installDir="/opt/acme.sh"
2089
	acmesh_installDir="/opt/acme.sh"
1978
	acmesh_confDir="/usr/local/etc/letsencrypt"
2090
	acmesh_confDir="/usr/local/etc/letsencrypt"
1979
	acmesh_userAgent="ALCASAR"
2091
	acmesh_userAgent="ALCASAR"
1980
 
2092
 
Line 2002... Line 2114...
2002
dateIssued=
2114
dateIssued=
2003
dnsapi=
2115
dnsapi=
2004
dateNextRenewal=
2116
dateNextRenewal=
2005
EOF
2117
EOF
2006
 
2118
 
2007
	cd $pwdInstall
2119
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2008
	rm -rf /tmp/acme.sh-*
2120
	rm -rf /tmp/acme.sh-*
2009
 
2121
 
2010
} # END letsencrypt()
2122
} # END letsencrypt()
2011
 
2123
 
2012
##################################################################
2124
##################################################################
Line 2025... Line 2137...
2025
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2137
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2026
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2138
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2027
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2139
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2028
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2140
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2029
# postfix banner anonymisation
2141
# postfix banner anonymisation
2030
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
2142
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2031
	chown -R postfix:postfix /var/lib/postfix
2143
	chown -R postfix:postfix /var/lib/postfix
2032
# sshd liste on EXTIF & INTIF
2144
# sshd liste on EXTIF & INTIF
2033
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2145
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2034
# sshd authorized certificate for root login
2146
# sshd authorized certificate for root login
2035
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2147
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
Line 2050... Line 2162...
2050
	echo "MULTIWAN=off" >> $CONF_FILE
2162
	echo "MULTIWAN=off" >> $CONF_FILE
2051
	echo "FAILOVER=30" >> $CONF_FILE
2163
	echo "FAILOVER=30" >> $CONF_FILE
2052
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2164
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2053
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2165
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2054
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2166
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
-
 
2167
	echo "BL_PUREIP=on" >> $CONF_FILE
-
 
2168
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
-
 
2169
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2055
# Prompt customisation (colors)
2170
# Prompt customisation (colors)
2056
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2171
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2057
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2172
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2058
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2173
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2059
# sudoers configuration for "apache" & "sysadmin"
2174
# sudoers configuration for "apache" & "sysadmin"
Line 2066... Line 2181...
2066
# Log compression
2181
# Log compression
2067
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2182
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2068
# actualisation des fichiers logs compressés
2183
# actualisation des fichiers logs compressés
2069
	for dir in firewall e2guardian lighttpd
2184
	for dir in firewall e2guardian lighttpd
2070
	do
2185
	do
2071
		find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2186
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2072
	done
2187
	done
2073
# create the alcasar-load_balancing unit
2188
# create the alcasar-load_balancing unit
2074
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2189
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2075
#  This file is part of systemd.
2190
#  This file is part of systemd.
2076
#
2191
#
Line 2095... Line 2210...
2095
[Install]
2210
[Install]
2096
WantedBy=multi-user.target
2211
WantedBy=multi-user.target
2097
EOF
2212
EOF
2098
	/usr/bin/systemctl daemon-reload
2213
	/usr/bin/systemctl daemon-reload
2099
# processes launched at boot time (Systemctl)
2214
# processes launched at boot time (Systemctl)
2100
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2215
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2101
	do
2216
	do
2102
		/usr/bin/systemctl -q enable $i.service
2217
		/usr/bin/systemctl -q enable $i.service
2103
	done
2218
	done
2104
 
2219
 
2105
# disable processes at boot time (Systemctl)
2220
# disable processes at boot time (Systemctl)
2106
	for i in ulogd gpm
2221
	for i in ulogd gpm dhcpd
2107
	do
2222
	do
2108
		/usr/bin/systemctl -q disable $i.service
2223
		/usr/bin/systemctl -q disable $i.service
2109
	done
2224
	done
2110
 
2225
 
2111
# Apply French Security Agency (ANSSI) rules
2226
# Apply French Security Agency (ANSSI) rules
Line 2150... Line 2265...
2150
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2265
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2151
	fi
2266
	fi
2152
	if [ $Lang == "fr" ]
2267
	if [ $Lang == "fr" ]
2153
	then
2268
	then
2154
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2269
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2155
		echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2270
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2156
	else
2271
	else
2157
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2272
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2158
		echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2273
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2159
	fi
2274
	fi
2160
	/usr/bin/update-grub2
2275
	/usr/bin/update-grub2
2161
# Load and apply the previous conf file
2276
# Load and apply the previous conf file
2162
	if [ "$mode" = "update" ]
2277
	if [ "$mode" = "update" ]
2163
	then
2278
	then
Line 2172... Line 2287...
2172
	fi
2287
	fi
2173
	rm -f /var/tmp/alcasar-conf*
2288
	rm -f /var/tmp/alcasar-conf*
2174
	chown -R root:apache $DIR_DEST_ETC/*
2289
	chown -R root:apache $DIR_DEST_ETC/*
2175
	chmod -R 660 $DIR_DEST_ETC/*
2290
	chmod -R 660 $DIR_DEST_ETC/*
2176
	chmod ug+x $DIR_DEST_ETC/digest
2291
	chmod ug+x $DIR_DEST_ETC/digest
2177
	cd $DIR_INSTALL
2292
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2178
	echo ""
2293
	echo ""
2179
	echo "#############################################################################"
2294
	echo "#############################################################################"
2180
	if [ $Lang == "fr" ]
2295
	if [ $Lang == "fr" ]
2181
		then
2296
		then
2182
		echo "#                        Fin d'installation d'ALCASAR                       #"
2297
		echo "#                        Fin d'installation d'ALCASAR                       #"
Line 2188... Line 2303...
2188
		echo
2303
		echo
2189
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2304
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2190
		echo
2305
		echo
2191
		echo "- Lisez attentivement la documentation d'exploitation"
2306
		echo "- Lisez attentivement la documentation d'exploitation"
2192
		echo
2307
		echo
2193
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2308
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2194
		echo
2309
		echo
2195
		echo "                   Appuyez sur 'Entrée' pour continuer"
2310
		echo "                   Appuyez sur 'Entrée' pour continuer"
2196
	else
2311
	else
2197
		echo "#                        End of ALCASAR install process                     #"
2312
		echo "#                        End of ALCASAR install process                     #"
2198
		echo "#                                                                           #"
2313
		echo "#                                                                           #"
Line 2203... Line 2318...
2203
		echo
2318
		echo
2204
		echo "- The system will be rebooted in order to operate ALCASAR"
2319
		echo "- The system will be rebooted in order to operate ALCASAR"
2205
		echo
2320
		echo
2206
		echo "- Read the exploitation documentation"
2321
		echo "- Read the exploitation documentation"
2207
		echo
2322
		echo
2208
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2323
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2209
		echo
2324
		echo
2210
		echo "                   Hit 'Enter' to continue"
2325
		echo "                   Hit 'Enter' to continue"
2211
	fi
2326
	fi
2212
	sleep 2
2327
	sleep 2
2213
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2328
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2214
	then
2329
	then
2215
		read a
2330
		read
2216
	fi
2331
	fi
2217
	clear
2332
	clear
2218
	reboot
2333
	reboot
2219
} # End post_install ()
2334
} # End post_install ()
2220
 
2335
 
Line 2226... Line 2341...
2226
then
2341
then
2227
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2342
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2228
	echo "Launch this program from the ALCASAR archive directory"
2343
	echo "Launch this program from the ALCASAR archive directory"
2229
	exit 0
2344
	exit 0
2230
fi
2345
fi
2231
if [[ $EUID > 0 ]]
2346
if [ $EUID -gt 0 ]
2232
then
2347
then
2233
	echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2348
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2234
	echo "You must be "root" to install ALCASAR ('su' command)"
2349
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2235
	exit 0
2350
	exit 0
2236
fi
2351
fi
2237
VERSION=`cat $DIR_INSTALL/VERSION`
2352
VERSION=`cat $DIR_INSTALL/VERSION`
2238
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2353
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2239
nb_args=$#
2354
nb_args=$#
Line 2271... Line 2386...
2271
			fi
2386
			fi
2272
		fi
2387
		fi
2273
	if [ $DEBUG_ALCASAR == "on" ]
2388
	if [ $DEBUG_ALCASAR == "on" ]
2274
	then
2389
	then
2275
		echo "*** 'debug' : end of cleaning ***"
2390
		echo "*** 'debug' : end of cleaning ***"
2276
		read a
2391
		read
2277
	fi
2392
	fi
2278
# Test if manual update
2393
# Test if manual update
2279
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2394
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2280
		then
2395
		then
2281
			header_install
2396
			header_install
Line 2311... Line 2426...
2311
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2426
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2312
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2427
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2313
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2428
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2314
			mode="update"
2429
			mode="update"
2315
		fi
2430
		fi
2316
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
2431
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound BL cron fail2ban gammu_smsd msec letsencrypt post_install
2317
		do
2432
		do
2318
			$func
2433
			$func
2319
			if [ $DEBUG_ALCASAR == "on" ]
2434
			if [ $DEBUG_ALCASAR == "on" ]
2320
				then
2435
			then
2321
				echo "*** 'debug' : end of install '$func' ***"
2436
				echo "*** 'debug' : end of install '$func' ***"
2322
				read a
2437
				read
2323
			fi
2438
			fi
2324
		done
2439
		done
2325
		;;
2440
		;;
2326
	-u | --uninstall)
2441
	-u | --uninstall)
2327
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2442
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
Line 2357... Line 2472...
2357
		echo "$usage"
2472
		echo "$usage"
2358
		exit 1
2473
		exit 1
2359
		;;
2474
		;;
2360
esac
2475
esac
2361
# end of script
2476
# end of script
2362
 
-