Subversion Repositories ALCASAR

Rev

Rev 2730 | Rev 2737 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2730 Rev 2736
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2730 2019-05-21 22:03:25Z rexy $
2
#  $Id: alcasar.sh 2736 2019-05-28 22:06:08Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
 
26
 
27
# Functions :
27
# Functions :
28
#	testing			: connectivity tests, free space test and mageia version test
28
#	testing			: connectivity tests, free space test and mageia version test
29
#	init			: Installation of RPM and scripts
29
#	init			: Installation of RPM and scripts
30
#	network			: Network parameters
30
#	network			: Network parameters
31
#	ACC				: ALCASAR Control Center installation
31
#	ACC				: ALCASAR Control Center installation
32
#	CA				: Certification Authority initialization
32
#	CA				: Certification Authority initialization
33
#	time_server		: NTPd configuration
33
#	time_server		: NTPd configuration
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	freeradius		: FreeRadius initialisation
35
#	freeradius		: FreeRadius initialisation
36
#	chilli			: coovachilli initialisation (+authentication page)
36
#	chilli			: coovachilli initialisation (+authentication page)
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
38
#	antivirus		: HAVP + libclamav configuration
38
#	antivirus		: HAVP + libclamav configuration
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	nfsen			: Configuration of Nfsen Netflow grapher
41
#	nfsen			: Configuration of Nfsen Netflow grapher
42
#	unbound			: Name server configuration
42
#	unbound			: Name server configuration
43
#	dnsmasq			: Name server configuration (for whitelist ipset support)
43
#	dnsmasq			: Name server configuration (for whitelist ipset support)
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
45
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	msec			: Mandriva security package configuration
49
#	msec			: Mandriva security package configuration
50
#	letsencrypt		: Let's Encrypt client
50
#	letsencrypt		: Let's Encrypt client
51
#	post_install	: Security, log rotation, etc.
51
#	post_install	: Security, log rotation, etc.
52
 
52
 
53
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
53
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
54
DATE=`date '+%d %B %Y - %Hh%M'`
54
DATE=`date '+%d %B %Y - %Hh%M'`
55
DATE_SHORT=`date '+%d/%m/%Y'`
55
DATE_SHORT=`date '+%d/%m/%Y'`
56
Lang=`echo $LANG|cut -c 1-2`
56
Lang=`echo $LANG|cut -c 1-2`
57
mode="install"
57
mode="install"
58
# ******* Files parameters - paramètres fichiers *********
58
# ******* Files parameters - paramètres fichiers *********
59
DIR_INSTALL=`pwd`						# current directory
59
DIR_INSTALL=`pwd`						# current directory
60
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
60
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
61
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
61
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
62
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
62
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
63
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
63
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
64
DIR_WEB="/var/www/html"					# directory of Lighttpd
64
DIR_WEB="/var/www/html"					# directory of Lighttpd
65
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
65
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
66
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
66
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
67
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
67
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
68
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
68
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
69
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
69
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
70
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
70
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
71
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
71
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
72
# ******* DBMS parameters - paramètres SGBD ********
72
# ******* DBMS parameters - paramètres SGBD ********
73
DB_RADIUS="radius"						# database name used by FreeRadius server
73
DB_RADIUS="radius"						# database name used by FreeRadius server
74
DB_USER="radius"						# user name allows to request the users database
74
DB_USER="radius"						# user name allows to request the users database
75
DB_GAMMU="gammu"						# database name used by Gammu-smsd
75
DB_GAMMU="gammu"						# database name used by Gammu-smsd
76
# ******* Network parameters - paramètres réseau *******
76
# ******* Network parameters - paramètres réseau *******
77
HOSTNAME="alcasar"						# default hostname
77
HOSTNAME="alcasar"						# default hostname
78
DOMAIN="localdomain"					# default local domain
78
DOMAIN="localdomain"					# default local domain
79
EXTIF=''					# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
79
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
80
INTIF=''					# INTIF is connected to the consultation network
80
INTIF=''								# INTIF is connected to the consultation network
81
MTU="1500"
81
MTU="1500"
82
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
82
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
83
# ****** Paths - chemin des commandes *******
83
# ****** Paths - chemin des commandes *******
84
SED="/bin/sed -i"
84
SED="/bin/sed -i"
85
# ****************** End of global parameters *********************
85
# ****************** End of global parameters *********************
86
 
86
 
87
license()
87
license()
88
{
88
{
89
	if [ $Lang == "fr" ]
89
	if [ $Lang == "fr" ]
90
	then
90
	then
91
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
91
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
92
	else
92
	else
93
		cat $DIR_INSTALL/gpl-warning.txt | more
93
		cat $DIR_INSTALL/gpl-warning.txt | more
94
	fi
94
	fi
95
	response=0
95
	response=0
96
	PTN='^[oOyYnN]$'
96
	PTN='^[oOyYnN]$'
97
	until [[ $(expr $response : $PTN) -gt 0 ]]
97
	until [[ $(expr $response : $PTN) -gt 0 ]]
98
	do
98
	do
99
		if [ $Lang == "fr" ]
99
		if [ $Lang == "fr" ]
100
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
100
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
101
			else echo -n "Do you accept the terms of this license (Y/n)? : "
101
			else echo -n "Do you accept the terms of this license (Y/n)? : "
102
		fi
102
		fi
103
		read response
103
		read response
104
	done
104
	done
105
	if [ "$response" = "n" ] || [ "$response" = "N" ]
105
	if [ "$response" = "n" ] || [ "$response" = "N" ]
106
	then
106
	then
107
		exit 1
107
		exit 1
108
	fi
108
	fi
109
} # End of license()
109
} # End of license()
110
 
110
 
111
header_install()
111
header_install()
112
{
112
{
113
	clear
113
	clear
114
	echo "-----------------------------------------------------------------------------"
114
	echo "-----------------------------------------------------------------------------"
115
	echo "                     ALCASAR V$VERSION Installation"
115
	echo "                     ALCASAR V$VERSION Installation"
116
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
117
	echo "-----------------------------------------------------------------------------"
117
	echo "-----------------------------------------------------------------------------"
118
} # End of header_install()
118
} # End of header_install()
119
 
119
 
120
########################################################
120
########################################################
121
##                  Function "testing"                ##
121
##                  Function "testing"                ##
122
## - Test Mageia version                              ##
122
## - Test Mageia version                              ##
123
## - Test ALCASAR version (if already installed)      ##
123
## - Test ALCASAR version (if already installed)      ##
124
## - Test free space on /var  (>10G)                  ##
124
## - Test free space on /var  (>10G)                  ##
125
## - Test Internet access                             ##
125
## - Test Internet access                             ##
126
########################################################
126
########################################################
127
testing()
127
testing()
128
{
128
{
129
# Test of Mageia version
129
# Test of Mageia version
130
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
# extract the current Mageia version and hardware architecture (i586 ou X64)
131
	fic=`cat /etc/product.id`
131
	fic=`cat /etc/product.id`
132
	unknown_os=0
132
	unknown_os=0
133
	old="$IFS"
133
	old="$IFS"
134
	IFS=","
134
	IFS=","
135
	set $fic
135
	set $fic
136
	for i in "$@"
136
	for i in "$@"
137
	do
137
	do
138
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
139
			then
139
			then
140
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
141
			unknown_os=`expr $unknown_os + 1`
141
			unknown_os=`expr $unknown_os + 1`
142
		fi
142
		fi
143
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
143
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
144
			then
144
			then
145
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
145
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
146
			unknown_os=`expr $unknown_os + 1`
146
			unknown_os=`expr $unknown_os + 1`
147
		fi
147
		fi
148
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
148
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
149
			then
149
			then
150
			ARCH=`echo $i|cut -d"=" -f2`
150
			ARCH=`echo $i|cut -d"=" -f2`
151
			unknown_os=`expr $unknown_os + 1`
151
			unknown_os=`expr $unknown_os + 1`
152
		fi
152
		fi
153
	done
153
	done
154
	if [ "$ARCH" != "x86_64" ]
154
	if [ "$ARCH" != "x86_64" ]
155
		then
155
		then
156
		if [ $Lang == "fr" ]
156
		if [ $Lang == "fr" ]
157
			then echo "Votre architecture matérielle doit être en 64bits"
157
			then echo "Votre architecture matérielle doit être en 64bits"
158
			else echo "You hardware architecture must be 64bits"
158
			else echo "You hardware architecture must be 64bits"
159
		fi
159
		fi
160
		exit 1
160
		exit 1
161
	fi
161
	fi
162
	IFS="$old"
162
	IFS="$old"
163
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
163
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
164
	then
164
	then
165
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
165
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
166
			then
166
			then
167
			echo
167
			echo
168
			if [ $Lang == "fr" ]
168
			if [ $Lang == "fr" ]
169
				then
169
				then
170
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
170
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
171
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
171
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
172
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
172
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
173
				echo "3 - Importez votre base des usagers"
173
				echo "3 - Importez votre base des usagers"
174
			else
174
			else
175
				echo "The automatic update of ALCASAR can't be performed."
175
				echo "The automatic update of ALCASAR can't be performed."
176
				echo "1 - Save your traceability files and the user database"
176
				echo "1 - Save your traceability files and the user database"
177
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
177
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
178
				echo "3 - Import your users database"
178
				echo "3 - Import your users database"
179
			fi
179
			fi
180
		else
180
		else
181
			if [ $Lang == "fr" ]
181
			if [ $Lang == "fr" ]
182
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
182
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
183
				else echo "The installation of ALCASAR can't be performed."
183
				else echo "The installation of ALCASAR can't be performed."
184
			fi
184
			fi
185
		fi
185
		fi
186
		echo
186
		echo
187
		if [ $Lang == "fr" ]
187
		if [ $Lang == "fr" ]
188
			then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
188
			then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
189
			else echo "The OS must be replaced (Mageia6-64bits)"
189
			else echo "The OS must be replaced (Mageia6-64bits)"
190
		fi
190
		fi
191
		exit 1
191
		exit 1
192
	fi
192
	fi
193
 
193
 
194
# Test if ALCASAR is already installed
194
# Test if ALCASAR is already installed
195
	if [ -e $CONF_FILE ]
195
	if [ -e $CONF_FILE ]
196
	then
196
	then
197
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
197
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
198
		if [ $Lang == "fr" ]
198
		if [ $Lang == "fr" ]
199
			then echo "La version $current_version d'ALCASAR est déjà installée"
199
			then echo "La version $current_version d'ALCASAR est déjà installée"
200
			else echo "ALCASAR version $current_version is already installed"
200
			else echo "ALCASAR version $current_version is already installed"
201
		fi
201
		fi
202
		response=0
202
		response=0
203
		PTN='^[12]$'
203
		PTN='^[12]$'
204
		until [[ $(expr $response : $PTN) -gt 0 ]]
204
		until [[ $(expr $response : $PTN) -gt 0 ]]
205
		do
205
		do
206
			if [ $Lang == "fr" ]
206
			if [ $Lang == "fr" ]
207
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
207
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
208
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
208
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
209
			fi
209
			fi
210
			read response
210
			read response
211
		done
211
		done
212
		if [ "$response" = "2" ]
212
		if [ "$response" = "2" ]
213
		then
213
		then
214
			rm -f /var/tmp/alcasar-conf*
214
			rm -f /var/tmp/alcasar-conf*
215
		else
215
		else
216
# Retrieve former NICname
216
# Retrieve former NICname
217
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
217
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
218
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
218
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
219
			[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
219
			[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
220
			[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
220
			[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
221
# Create the current conf file
221
# Create the current conf file
222
			$DIR_SCRIPTS/alcasar-conf.sh --create
222
			$DIR_SCRIPTS/alcasar-conf.sh --create
223
			mode="update"
223
			mode="update"
224
		fi
224
		fi
225
	fi
225
	fi
226
# Test free space on /var
226
# Test free space on /var
227
	if [ ! -d /var/log/netflow/porttracker ]
227
	if [ ! -d /var/log/netflow/porttracker ]
228
		then
228
		then
229
		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
229
		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
230
		if [ $free_space -lt 10 ]
230
		if [ $free_space -lt 10 ]
231
			then
231
			then
232
			if [ $Lang == "fr" ]
232
			if [ $Lang == "fr" ]
233
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
233
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
234
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
234
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
235
			fi
235
			fi
236
		exit 0
236
		exit 0
237
		fi
237
		fi
238
	fi
238
	fi
239
 
239
 
240
# Detect external/internal interfaces
240
# Detect external/internal interfaces
241
	if [ -z "$EXTIF" ]; then
241
	if [ -z "$EXTIF" ]; then
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
243
		if [ -z "$EXTIF" ]; then
243
		if [ -z "$EXTIF" ]; then
244
			if [ "$Lang" == 'fr' ]
244
			if [ "$Lang" == 'fr' ]
245
				then echo -n "Aucune passerelle par défaut configurée"
245
				then echo -n "Aucune passerelle par défaut configurée"
246
				else echo -n "No default gateway configured"
246
				else echo -n "No default gateway configured"
247
			fi
247
			fi
248
			exit 1
248
			exit 1
249
		fi
249
		fi
250
	fi
250
	fi
251
	if [ "$Lang" == 'fr' ]
251
	if [ "$Lang" == 'fr' ]
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
254
	fi
254
	fi
255
 
255
 
256
	if [ -z "$INTIF" ]; then
256
	if [ -z "$INTIF" ]; then
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
259
		if [ $interfacesCount -eq 0 ]; then
259
		if [ $interfacesCount -eq 0 ]; then
260
			if [ "$Lang" == 'fr' ]
260
			if [ "$Lang" == 'fr' ]
261
				then echo "Aucune interface de disponible pour le réseau interne"
261
				then echo "Aucune interface de disponible pour le réseau interne"
262
				else echo "No interface available for the internal network"
262
				else echo "No interface available for the internal network"
263
			fi
263
			fi
264
			exit 1
264
			exit 1
265
		elif [ $interfacesCount -eq 1 ]; then
265
		elif [ $interfacesCount -eq 1 ]; then
266
			INTIF="$interfacesList"
266
			INTIF="$interfacesList"
267
		else
267
		else
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
			if [ "$Lang" == 'fr' ]
270
			if [ "$Lang" == 'fr' ]
271
				then echo 'Liste des interfaces disponible :'
271
				then echo 'Liste des interfaces disponible :'
272
				else echo 'List of available interfaces:'
272
				else echo 'List of available interfaces:'
273
			fi
273
			fi
274
			echo "$interfacesSorted"
274
			echo "$interfacesSorted"
275
			response=''
275
			response=''
276
			while true; do
276
			while true; do
277
				if [ "$Lang" == 'fr' ]
277
				if [ "$Lang" == 'fr' ]
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
280
				fi
280
				fi
281
				read response
281
				read response
282
 
282
 
283
				[ -z "$response" ] && response="$interfacePreferred"
283
				[ -z "$response" ] && response="$interfacePreferred"
284
 
284
 
285
				# Check if interface exist
285
				# Check if interface exist
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
287
					INTIF="$response"
287
					INTIF="$response"
288
					break
288
					break
289
				else
289
				else
290
					if [ "$Lang" == 'fr' ]
290
					if [ "$Lang" == 'fr' ]
291
						then echo "Interface \"$response\" introuvable"
291
						then echo "Interface \"$response\" introuvable"
292
						else echo "Interface \"$response\" not found"
292
						else echo "Interface \"$response\" not found"
293
					fi
293
					fi
294
				fi
294
				fi
295
			done
295
			done
296
		fi
296
		fi
297
	fi
297
	fi
298
	if [ "$Lang" == 'fr' ]
298
	if [ "$Lang" == 'fr' ]
299
		then echo "Interface interne utilisée : $INTIF"
299
		then echo "Interface interne utilisée : $INTIF"
300
		else echo "Internal interface used: $INTIF"
300
		else echo "Internal interface used: $INTIF"
301
	fi
301
	fi
302
 
302
 
303
	if [ $Lang == "fr" ]
303
	if [ $Lang == "fr" ]
304
		then echo -n "Tests des paramètres réseau : "
304
		then echo -n "Tests des paramètres réseau : "
305
		else echo -n "Network parameters tests: "
305
		else echo -n "Network parameters tests: "
306
	fi
306
	fi
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
	for i in $IF_INTERFACES
310
	for i in $IF_INTERFACES
311
	do
311
	do
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
313
			rm -f ifcfg-$i
313
			rm -f ifcfg-$i
314
 
314
 
315
			if [ $Lang == "fr" ]
315
			if [ $Lang == "fr" ]
316
				then echo "Suppression : ifcfg-$i"
316
				then echo "Suppression : ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
318
			fi
318
			fi
319
		fi
319
		fi
320
	done
320
	done
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
322
	echo -n "."
322
	echo -n "."
323
# Test Ethernet NIC links state
323
# Test Ethernet NIC links state
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
	if [ ! -z "$interfacesDown" ]; then
325
	if [ ! -z "$interfacesDown" ]; then
326
		for i in $interfacesDown; do
326
		for i in $interfacesDown; do
327
			if [ $Lang == "fr" ]
327
			if [ $Lang == "fr" ]
328
			then
328
			then
329
				echo -e "\nÉchec"
329
				echo -e "\nÉchec"
330
				echo "Le lien réseau de la carte $i n'est pas actif."
330
				echo "Le lien réseau de la carte $i n'est pas actif."
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
332
			else
332
			else
333
				echo -e "\nFailed"
333
				echo -e "\nFailed"
334
				echo "The link state of $i interface is down."
334
				echo "The link state of $i interface is down."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
336
			fi
336
			fi
337
		done
337
		done
338
		exit 1
338
		exit 1
339
	fi
339
	fi
340
	echo -n "."
340
	echo -n "."
341
# Test EXTIF config files
341
# Test EXTIF config files
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
346
	then
346
	then
347
		if [ $Lang == "fr" ]
347
		if [ $Lang == "fr" ]
348
		then
348
		then
349
			echo -e "\nÉchec"
349
			echo -e "\nÉchec"
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
352
			echo "Appliquez les changements : 'systemctl restart network'"
352
			echo "Appliquez les changements : 'systemctl restart network'"
353
		else
353
		else
354
			echo -e "\nFailed"
354
			echo -e "\nFailed"
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
357
			echo "Apply the new configuration: 'systemctl restart network'"
357
			echo "Apply the new configuration: 'systemctl restart network'"
358
		fi
358
		fi
359
		echo "DEVICE=$EXTIF"
359
		echo "DEVICE=$EXTIF"
360
		echo "IPADDR="
360
		echo "IPADDR="
361
		echo "NETMASK="
361
		echo "NETMASK="
362
		echo "GATEWAY="
362
		echo "GATEWAY="
363
		echo "DNS1="
363
		echo "DNS1="
364
		echo "DNS2="
364
		echo "DNS2="
365
		echo "ONBOOT=yes"
365
		echo "ONBOOT=yes"
366
		exit 1
366
		exit 1
367
	fi
367
	fi
368
	echo -n "."
368
	echo -n "."
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
371
		if [ $Lang == "fr" ]
371
		if [ $Lang == "fr" ]
372
		then
372
		then
373
			echo -e "\nÉchec"
373
			echo -e "\nÉchec"
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
			echo "Réglez ce problème puis relancez ce script."
375
			echo "Réglez ce problème puis relancez ce script."
376
		else
376
		else
377
			echo -e "\nFailed"
377
			echo -e "\nFailed"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
379
			echo "Resolv this problem, then restart this script."
379
			echo "Resolv this problem, then restart this script."
380
		fi
380
		fi
381
		exit 1
381
		exit 1
382
	fi
382
	fi
383
	echo -n "."
383
	echo -n "."
384
# Test if default GW is alive
384
# Test if default GW is alive
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
	if [ "$(expr $arp_reply)" -eq 0 ]
386
	if [ "$(expr $arp_reply)" -eq 0 ]
387
		then
387
		then
388
		if [ $Lang == "fr" ]
388
		if [ $Lang == "fr" ]
389
		then
389
		then
390
			echo -e "\nÉchec"
390
			echo -e "\nÉchec"
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
392
			echo "Réglez ce problème puis relancez ce script."
392
			echo "Réglez ce problème puis relancez ce script."
393
		else
393
		else
394
			echo -e "\nFailed"
394
			echo -e "\nFailed"
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
396
			echo "Resolv this problem, then restart this script."
396
			echo "Resolv this problem, then restart this script."
397
		fi
397
		fi
398
		exit 1
398
		exit 1
399
	fi
399
	fi
400
	echo -n "."
400
	echo -n "."
401
# Test Internet connectivity
401
# Test Internet connectivity
402
	domainTested='www.google.com'
402
	domainTested='www.google.com'
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
404
	if [ $? -ne 0 ]; then
404
	if [ $? -ne 0 ]; then
405
		if [ $Lang == "fr" ]
405
		if [ $Lang == "fr" ]
406
		then
406
		then
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
409
			echo "Vérifiez la validité des adresses IP des DNS."
409
			echo "Vérifiez la validité des adresses IP des DNS."
410
		else
410
		else
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
413
			echo "Verify the DNS IP addresses"
413
			echo "Verify the DNS IP addresses"
414
		fi
414
		fi
415
		exit 1
415
		exit 1
416
	fi
416
	fi
417
	echo ". : ok"
417
	echo ". : ok"
418
} # End of testing()
418
} # End of testing()
419
 
419
 
420
#######################################################################
420
#######################################################################
421
##                    Function "init"                                ##
421
##                    Function "init"                                ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
424
#######################################################################
424
#######################################################################
425
init()
425
init()
426
{
426
{
427
	if [ "$mode" != "update" ]
427
	if [ "$mode" != "update" ]
428
	then
428
	then
429
# On affecte le nom d'organisme
429
# On affecte le nom d'organisme
430
		header_install
430
		header_install
431
		ORGANISME=!
431
		ORGANISME=!
432
		PTN='^[a-zA-Z0-9-]*$'
432
		PTN='^[a-zA-Z0-9-]*$'
433
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
433
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
434
		do
434
		do
435
			if [ $Lang == "fr" ]
435
			if [ $Lang == "fr" ]
436
				then echo -n "Entrez le nom de votre organisme : "
436
				then echo -n "Entrez le nom de votre organisme : "
437
				else echo -n "Enter the name of your organism : "
437
				else echo -n "Enter the name of your organism : "
438
			fi
438
			fi
439
			read ORGANISME
439
			read ORGANISME
440
			if [ "$ORGANISME" == "" ]
440
			if [ "$ORGANISME" == "" ]
441
			then
441
			then
442
				ORGANISME=!
442
				ORGANISME=!
443
			fi
443
			fi
444
		done
444
		done
445
	fi
445
	fi
446
# On crée aléatoirement les mots de passe et les secrets partagés
446
# On crée aléatoirement les mots de passe et les secrets partagés
447
# We create random passwords and shared secrets
447
# We create random passwords and shared secrets
448
	rm -f $PASSWD_FILE
448
	rm -f $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
		grep -v '[eE]nter password:' | \
453
		grep -v '[eE]nter password:' | \
454
		sed -e "s/PBKDF2 hash of your password is //"`
454
		sed -e "s/PBKDF2 hash of your password is //"`
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
	chmod 0600 /boot/grub2/user.cfg
458
	chmod 0600 /boot/grub2/user.cfg
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
476
#  copy scripts in in /usr/local/bin
476
#  copy scripts in in /usr/local/bin
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
478
#  copy conf files in /usr/local/etc
478
#  copy conf files in /usr/local/etc
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
481
# generate central conf file
481
# generate central conf file
482
	cat <<EOF > $CONF_FILE
482
	cat <<EOF > $CONF_FILE
483
##########################################
483
##########################################
484
##                                      ##
484
##                                      ##
485
##          ALCASAR Parameters          ##
485
##          ALCASAR Parameters          ##
486
##                                      ##
486
##                                      ##
487
##########################################
487
##########################################
488
 
488
 
489
INSTALL_DATE=$DATE
489
INSTALL_DATE=$DATE
490
VERSION=$VERSION
490
VERSION=$VERSION
491
ORGANISM=$ORGANISME
491
ORGANISM=$ORGANISME
492
HOSTNAME=$HOSTNAME
492
HOSTNAME=$HOSTNAME
493
DOMAIN=$DOMAIN
493
DOMAIN=$DOMAIN
494
EOF
494
EOF
495
	chmod o-rwx $CONF_FILE
495
	chmod o-rwx $CONF_FILE
496
} # End of init()
496
} # End of init()
497
 
497
 
498
#########################################################
498
#########################################################
499
##                    Function "network"               ##
499
##                    Function "network"               ##
500
## - Define the several network address                ##
500
## - Define the several network address                ##
501
## - Define the DNS naming                             ##
501
## - Define the DNS naming                             ##
502
## - INTIF parameters (consultation network)           ##
502
## - INTIF parameters (consultation network)           ##
503
## - Write "/etc/hosts" file                           ##
503
## - Write "/etc/hosts" file                           ##
504
## - write "hosts.allow" & "hosts.deny" files          ##
504
## - write "hosts.allow" & "hosts.deny" files          ##
505
#########################################################
505
#########################################################
506
network()
506
network()
507
{
507
{
508
	header_install
508
	header_install
509
	if [ "$mode" != "update" ]
509
	if [ "$mode" != "update" ]
510
		then
510
		then
511
		if [ $Lang == "fr" ]
511
		if [ $Lang == "fr" ]
512
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
512
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
513
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
513
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
514
		fi
514
		fi
515
		response=0
515
		response=0
516
		PTN='^[oOyYnN]$'
516
		PTN='^[oOyYnN]$'
517
		until [[ $(expr $response : $PTN) -gt 0 ]]
517
		until [[ $(expr $response : $PTN) -gt 0 ]]
518
		do
518
		do
519
			if [ $Lang == "fr" ]
519
			if [ $Lang == "fr" ]
520
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
520
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
521
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
521
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
522
			fi
522
			fi
523
			read response
523
			read response
524
		done
524
		done
525
		if [ "$response" = "n" ] || [ "$response" = "N" ]
525
		if [ "$response" = "n" ] || [ "$response" = "N" ]
526
		then
526
		then
527
			PRIVATE_IP_MASK="0"
527
			PRIVATE_IP_MASK="0"
528
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
528
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
529
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
529
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
530
			do
530
			do
531
				if [ $Lang == "fr" ]
531
				if [ $Lang == "fr" ]
532
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
532
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
533
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
533
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
534
				fi
534
				fi
535
				read PRIVATE_IP_MASK
535
				read PRIVATE_IP_MASK
536
			done
536
			done
537
		else
537
		else
538
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
538
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
539
		fi
539
		fi
540
	else
540
	else
541
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
541
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
542
		rm -rf conf/etc/alcasar.conf
542
		rm -f conf/etc/alcasar.conf
-
 
543
	fi
-
 
544
	header_install
-
 
545
	if [ "$mode" != "update" ]
-
 
546
		then
-
 
547
		if [ $Lang == "fr" ]
-
 
548
			then echo "Par défaut, le nom d'hôte d'ALCASAR est : $HOSTNAME.$DOMAIN"
-
 
549
			else echo "The default ALCASAR hostname is : $HOSTNAME.$DOMAIN"
-
 
550
		fi
-
 
551
		response=0
-
 
552
		PTN='^[oOyYnN]$'
-
 
553
		until [[ $(expr $response : $PTN) -gt 0 ]]
-
 
554
		do
-
 
555
			if [ $Lang == "fr" ]
-
 
556
				then echo -n "Voulez-vous utiliser ce nom d'hôte (recommandé) (O/n)? : "
-
 
557
				else echo -n "Do you want to use this hostname (recommanded) (Y/n)? : "
-
 
558
			fi
-
 
559
			read response
-
 
560
		done
-
 
561
		if [ "$response" = "n" ] || [ "$response" = "N" ]
-
 
562
		then
-
 
563
			if [ $Lang == "fr" ]
-
 
564
				then echo -n "Entrez le nouveau nom d'hôte pleinement qualifié (hôte.domain) : "
-
 
565
				else echo -n "Enter the new full qualified hostname (host.domain) : "
-
 
566
			fi
-
 
567
			read FQDN
-
 
568
			HOSTNAME=`echo $FQDN|cut -d"." -f1`
-
 
569
			DOMAIN=`echo $FQDN|cut -d"." -f2`
-
 
570
		fi
543
	fi
571
	fi
544
# Define LAN side global parameters
572
# Define LAN side global parameters
545
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
573
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
546
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
574
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
547
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
575
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
548
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
576
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
549
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
577
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
550
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
578
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
551
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
579
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
552
	then
580
	then
553
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
581
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
554
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
582
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
555
	fi
583
	fi
556
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
584
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
557
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
585
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
558
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
586
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
559
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
587
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
560
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
588
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
561
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
589
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
562
# Define Internet parameters
590
# Define Internet parameters
563
	if [ "$mode" != "update" ]
591
	if [ "$mode" != "update" ]
564
	then
592
	then
565
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
593
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
566
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
594
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
567
	else
595
	else
568
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
596
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
569
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
597
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
570
	fi
598
	fi
571
    DNS1=${DNS1:=208.67.220.220}
599
    DNS1=${DNS1:=208.67.220.220}
572
	DNS2=${DNS2:=208.67.222.222}
600
	DNS2=${DNS2:=208.67.222.222}
573
#	if [ "$DNS1" == "" ]
601
#	if [ "$DNS1" == "" ]
574
#	then
602
#	then
575
#		if [ $Lang == "fr" ]
603
#		if [ $Lang == "fr" ]
576
#		then
604
#		then
577
#			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
605
#			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
578
#			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
606
#			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
579
#		else
607
#		else
580
#			echo "The IP address of DNS servers are not set correctly"
608
#			echo "The IP address of DNS servers are not set correctly"
581
#			echo "Check the extern network card configuration ($EXTIF)"
609
#			echo "Check the extern network card configuration ($EXTIF)"
582
#		fi
610
#		fi
583
#		exit 0
611
#		exit 0
584
#	fi
612
#	fi
585
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
613
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
586
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
614
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
587
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
615
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
588
# Write network parameters in the conf file
616
# Write network parameters in the conf file
589
	echo "EXTIF=$EXTIF" >> $CONF_FILE
617
	echo "EXTIF=$EXTIF" >> $CONF_FILE
590
	echo "INTIF=$INTIF" >> $CONF_FILE
618
	echo "INTIF=$INTIF" >> $CONF_FILE
591
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
619
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
592
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
620
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
593
	for i in $INTERFACES
621
	for i in $INTERFACES
594
	do
622
	do
595
		SUB=`echo ${i:0:2}`
623
		SUB=`echo ${i:0:2}`
596
		if [ $SUB = "wl" ]
624
		if [ $SUB = "wl" ]
597
			then WIFIF=$i
625
			then WIFIF=$i
598
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
626
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
599
			then LANIF=$i
627
			then LANIF=$i
600
		fi
628
		fi
601
	done
629
	done
602
	if [ -n "$WIFIF" ]
630
	if [ -n "$WIFIF" ]
603
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
631
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
604
	elif [ -n "$LANIF" ]
632
	elif [ -n "$LANIF" ]
605
		then echo "LANIF=$LANIF" >> $CONF_FILE
633
		then echo "LANIF=$LANIF" >> $CONF_FILE
606
	fi
634
	fi
607
	#########################################################################################################
635
	#########################################################################################################
608
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
636
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
609
	if [ $IP_SETTING == "dhcp" ]
637
	if [ $IP_SETTING == "dhcp" ]
610
	then
638
	then
611
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
639
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
612
		echo "GW=dhcp" >> $CONF_FILE
640
		echo "GW=dhcp" >> $CONF_FILE
613
	else
641
	else
614
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
642
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
615
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
643
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
616
	fi
644
	fi
617
	echo "DNS1=$DNS1" >> $CONF_FILE
645
	echo "DNS1=$DNS1" >> $CONF_FILE
618
	echo "DNS2=$DNS2" >> $CONF_FILE
646
	echo "DNS2=$DNS2" >> $CONF_FILE
619
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
647
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
620
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
648
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
621
	echo "DHCP=on" >> $CONF_FILE
649
	echo "DHCP=on" >> $CONF_FILE
622
	echo "EXT_DHCP_IP=" >> $CONF_FILE
650
	echo "EXT_DHCP_IP=" >> $CONF_FILE
623
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
651
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
624
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
652
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
625
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
653
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
626
	echo "INT_DNS_IP=" >> $CONF_FILE
654
	echo "INT_DNS_IP=" >> $CONF_FILE
627
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
655
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
628
# network default
656
# network default
629
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
657
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
630
	cat <<EOF > /etc/sysconfig/network
658
	cat <<EOF > /etc/sysconfig/network
631
NETWORKING=yes
659
NETWORKING=yes
632
FORWARD_IPV4=true
660
FORWARD_IPV4=true
633
EOF
661
EOF
634
# write "/etc/hosts"
662
# write "/etc/hosts"
635
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
663
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
636
	cat <<EOF > /etc/hosts
664
	cat <<EOF > /etc/hosts
637
127.0.0.1	localhost
665
127.0.0.1	localhost
638
$PRIVATE_IP	$HOSTNAME
666
$PRIVATE_IP	$HOSTNAME
639
EOF
667
EOF
640
# write EXTIF (Internet) config
668
# write EXTIF (Internet) config
641
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
669
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
642
	if [ $IP_SETTING == "dhcp" ]
670
	if [ $IP_SETTING == "dhcp" ]
643
	then
671
	then
644
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
672
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
645
DEVICE=$EXTIF
673
DEVICE=$EXTIF
646
BOOTPROTO=dhcp
674
BOOTPROTO=dhcp
647
DNS1=127.0.0.1
675
DNS1=127.0.0.1
648
PEERDNS=no
676
PEERDNS=no
649
RESOLV_MODS=yes
677
RESOLV_MODS=yes
650
ONBOOT=yes
678
ONBOOT=yes
651
NOZEROCONF=yes
679
NOZEROCONF=yes
652
METRIC=10
680
METRIC=10
653
MII_NOT_SUPPORTED=yes
681
MII_NOT_SUPPORTED=yes
654
IPV6INIT=no
682
IPV6INIT=no
655
IPV6TO4INIT=no
683
IPV6TO4INIT=no
656
ACCOUNTING=no
684
ACCOUNTING=no
657
USERCTL=no
685
USERCTL=no
658
MTU=$MTU
686
MTU=$MTU
659
EOF
687
EOF
660
	else
688
	else
661
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
689
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
662
DEVICE=$EXTIF
690
DEVICE=$EXTIF
663
BOOTPROTO=static
691
BOOTPROTO=static
664
IPADDR=$PUBLIC_IP
692
IPADDR=$PUBLIC_IP
665
NETMASK=$PUBLIC_NETMASK
693
NETMASK=$PUBLIC_NETMASK
666
GATEWAY=$PUBLIC_GATEWAY
694
GATEWAY=$PUBLIC_GATEWAY
667
DNS1=127.0.0.1
695
DNS1=127.0.0.1
668
RESOLV_MODS=yes
696
RESOLV_MODS=yes
669
ONBOOT=yes
697
ONBOOT=yes
670
METRIC=10
698
METRIC=10
671
NOZEROCONF=yes
699
NOZEROCONF=yes
672
MII_NOT_SUPPORTED=yes
700
MII_NOT_SUPPORTED=yes
673
IPV6INIT=no
701
IPV6INIT=no
674
IPV6TO4INIT=no
702
IPV6TO4INIT=no
675
ACCOUNTING=no
703
ACCOUNTING=no
676
USERCTL=no
704
USERCTL=no
677
MTU=$MTU
705
MTU=$MTU
678
EOF
706
EOF
679
	fi
707
	fi
680
# write INTIF (consultation LAN) in normal mode
708
# write INTIF (consultation LAN) in normal mode
681
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
709
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
682
DEVICE=$INTIF
710
DEVICE=$INTIF
683
BOOTPROTO=static
711
BOOTPROTO=static
684
ONBOOT=yes
712
ONBOOT=yes
685
NOZEROCONF=yes
713
NOZEROCONF=yes
686
MII_NOT_SUPPORTED=yes
714
MII_NOT_SUPPORTED=yes
687
IPV6INIT=no
715
IPV6INIT=no
688
IPV6TO4INIT=no
716
IPV6TO4INIT=no
689
ACCOUNTING=no
717
ACCOUNTING=no
690
USERCTL=no
718
USERCTL=no
691
EOF
719
EOF
692
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
720
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
693
# write INTIF in bypass mode (see "alcasar-bypass.sh")
721
# write INTIF in bypass mode (see "alcasar-bypass.sh")
694
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
722
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
695
DEVICE=$INTIF
723
DEVICE=$INTIF
696
BOOTPROTO=static
724
BOOTPROTO=static
697
IPADDR=$PRIVATE_IP
725
IPADDR=$PRIVATE_IP
698
NETMASK=$PRIVATE_NETMASK
726
NETMASK=$PRIVATE_NETMASK
699
ONBOOT=yes
727
ONBOOT=yes
700
METRIC=10
728
METRIC=10
701
NOZEROCONF=yes
729
NOZEROCONF=yes
702
MII_NOT_SUPPORTED=yes
730
MII_NOT_SUPPORTED=yes
703
IPV6INIT=no
731
IPV6INIT=no
704
IPV6TO4INIT=no
732
IPV6TO4INIT=no
705
ACCOUNTING=no
733
ACCOUNTING=no
706
USERCTL=no
734
USERCTL=no
707
EOF
735
EOF
708
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
736
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
709
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
737
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
710
	then
738
	then
711
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
739
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
712
DEVICE=$WIFIF
740
DEVICE=$WIFIF
713
BOOTPROTO=static
741
BOOTPROTO=static
714
ONBOOT=yes
742
ONBOOT=yes
715
NOZEROCONF=yes
743
NOZEROCONF=yes
716
MII_NOT_SUPPORTED=yes
744
MII_NOT_SUPPORTED=yes
717
IPV6INIT=no
745
IPV6INIT=no
718
IPV6TO4INIT=no
746
IPV6TO4INIT=no
719
ACCOUNTING=no
747
ACCOUNTING=no
720
USERCTL=no
748
USERCTL=no
721
EOF
749
EOF
722
	elif [ -n "$LANIF" ]
750
	elif [ -n "$LANIF" ]
723
	then
751
	then
724
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
752
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
725
DEVICE=$LANIF
753
DEVICE=$LANIF
726
BOOTPROTO=static
754
BOOTPROTO=static
727
ONBOOT=yes
755
ONBOOT=yes
728
NOZEROCONF=yes
756
NOZEROCONF=yes
729
MII_NOT_SUPPORTED=yes
757
MII_NOT_SUPPORTED=yes
730
IPV6INIT=no
758
IPV6INIT=no
731
IPV6TO4INIT=no
759
IPV6TO4INIT=no
732
ACCOUNTING=no
760
ACCOUNTING=no
733
USERCTL=no
761
USERCTL=no
734
EOF
762
EOF
735
	fi
763
	fi
736
	#########################################################################################################
764
	#########################################################################################################
737
# write hosts.allow & hosts.deny
765
# write hosts.allow & hosts.deny
738
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
766
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
739
	cat <<EOF > /etc/hosts.allow
767
	cat <<EOF > /etc/hosts.allow
740
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
768
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
741
sshd: ALL
769
sshd: ALL
742
ntpd: $PRIVATE_NETWORK_SHORT
770
ntpd: $PRIVATE_NETWORK_SHORT
743
EOF
771
EOF
744
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
772
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
745
	cat <<EOF > /etc/hosts.deny
773
	cat <<EOF > /etc/hosts.deny
746
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
774
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
747
EOF
775
EOF
748
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
776
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
749
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
777
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
750
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
778
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
751
# load conntrack ftp module
779
# load conntrack ftp module
752
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
780
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
753
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
781
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
754
# load ipt_NETFLOW module
782
# load ipt_NETFLOW module
755
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
783
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
756
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
784
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
757
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
785
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
758
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
786
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
759
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
787
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
760
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
788
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
761
#
789
#
762
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
790
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
763
} # End of network()
791
} # End of network()
764
 
792
 
765
###################################################
793
###################################################
766
##                  Function "ACC"               ##
794
##                  Function "ACC"               ##
767
## - copy ALCASAR Control Center (ACC) files     ##
795
## - copy ALCASAR Control Center (ACC) files     ##
768
## - configuration of the web server (Lighttpd)  ##
796
## - configuration of the web server (Lighttpd)  ##
769
## - creation of the first ACC admin account     ##
797
## - creation of the first ACC admin account     ##
770
## - secure the ACC access                       ##
798
## - secure the ACC access                       ##
771
###################################################
799
###################################################
772
ACC()
800
ACC()
773
{
801
{
774
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
802
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
775
	mkdir $DIR_WEB
803
	mkdir $DIR_WEB
776
# Copy & adapt ACC files
804
# Copy & adapt ACC files
777
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
805
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
778
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
806
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
779
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
807
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
780
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
808
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
781
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
809
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
782
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
810
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
783
	chown -R apache:apache $DIR_WEB/*
811
	chown -R apache:apache $DIR_WEB/*
784
# copy & adapt "freeradius-web" files
812
# copy & adapt "freeradius-web" files
785
	cp -rf $DIR_CONF/freeradius-web/ /etc/
813
	cp -rf $DIR_CONF/freeradius-web/ /etc/
786
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
814
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
787
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
815
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
788
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
816
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
789
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
817
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
790
	cat <<EOF > /etc/freeradius-web/naslist.conf
818
	cat <<EOF > /etc/freeradius-web/naslist.conf
791
nas1_name: alcasar-$ORGANISME
819
nas1_name: alcasar-$ORGANISME
792
nas1_model: Network Access Controler
820
nas1_model: Network Access Controler
793
nas1_ip: $PRIVATE_IP
821
nas1_ip: $PRIVATE_IP
794
nas1_port_num: 0
822
nas1_port_num: 0
795
nas1_community: public
823
nas1_community: public
796
EOF
824
EOF
797
	chown -R apache:apache /etc/freeradius-web/
825
	chown -R apache:apache /etc/freeradius-web/
798
# create the log & backup structure :
826
# create the log & backup structure :
799
# - base = users database
827
# - base = users database
800
# - archive = tarball of "base + http firewall + netflow"
828
# - archive = tarball of "base + http firewall + netflow"
801
# - security = watchdog log
829
# - security = watchdog log
802
	for i in base archive security activity_report;
830
	for i in base archive security activity_report;
803
	do
831
	do
804
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
832
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
805
	done
833
	done
806
	chown -R root:apache $DIR_SAVE
834
	chown -R root:apache $DIR_SAVE
807
# Configuring & securing php
835
# Configuring & securing php
808
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
836
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
809
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
837
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
810
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
838
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
811
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
839
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
812
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
840
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
813
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
841
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
814
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
842
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
815
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
843
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
816
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
844
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
817
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
845
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
818
# Configuring & securing Lighttpd
846
# Configuring & securing Lighttpd
819
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
847
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
820
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
848
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
821
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
849
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
822
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
850
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
823
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
851
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
824
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
852
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
825
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
853
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
826
 
854
 
827
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
855
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
828
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
856
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
829
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
857
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
830
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
858
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
831
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
859
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
832
 
860
 
833
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
861
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
834
 
862
 
835
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
863
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
836
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
864
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
837
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
865
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
838
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
866
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
839
 
867
 
840
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
868
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
841
 
869
 
842
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
870
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
843
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
871
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
844
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
872
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
845
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
873
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
846
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
874
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
847
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
875
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
848
	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
876
	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
849
 
877
 
850
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
878
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
851
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
879
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
852
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
880
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
853
 
881
 
854
	chown -R apache:apache /var/log/lighttpd
882
	chown -R apache:apache /var/log/lighttpd
855
	/usr/bin/systemctl start lighttpd
883
	/usr/bin/systemctl start lighttpd
856
	/usr/bin/systemctl start php-fpm
884
	/usr/bin/systemctl start php-fpm
857
 
885
 
858
# Creation of the first account (in 'admin' profile)
886
# Creation of the first account (in 'admin' profile)
859
	if [ "$mode" = "install" ]
887
	if [ "$mode" = "install" ]
860
	then
888
	then
861
		header_install
889
		header_install
862
# Creation of keys file for the admin account ("admin")
890
# Creation of keys file for the admin account ("admin")
863
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
891
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
864
		mkdir -p $DIR_DEST_ETC/digest
892
		mkdir -p $DIR_DEST_ETC/digest
865
		chmod 755 $DIR_DEST_ETC/digest
893
		chmod 755 $DIR_DEST_ETC/digest
866
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
894
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
867
		do
895
		do
868
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
896
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
869
		done
897
		done
870
	fi
898
	fi
871
 
899
 
872
	# Run after coova (in order to wait tun0 to be up)
900
	# Run after coova (in order to wait tun0 to be up)
873
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
901
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
874
	# Log file for ACC access imputability
902
	# Log file for ACC access imputability
875
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
903
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
876
	chown root:apache /var/Save/security/acc_access.log
904
	chown root:apache /var/Save/security/acc_access.log
877
	chmod 664 /var/Save/security/acc_access.log
905
	chmod 664 /var/Save/security/acc_access.log
878
} # End of ACC()
906
} # End of ACC()
879
 
907
 
880
##################################################################
908
##################################################################
881
##                               Fonction "CA"                  ##
909
##                               Fonction "CA"                  ##
882
## - Creating the CA and the server certificate (lighttpd)      ##
910
## - Creating the CA and the server certificate (lighttpd)      ##
883
##################################################################
911
##################################################################
884
CA()
912
CA()
885
{
913
{
886
	$DIR_DEST_BIN/alcasar-CA.sh
914
	$DIR_DEST_BIN/alcasar-CA.sh
887
	chown -R root:apache /etc/pki
915
	chown -R root:apache /etc/pki
888
	chmod -R 750 /etc/pki
916
	chmod -R 750 /etc/pki
889
} # End of CA()
917
} # End of CA()
890
 
918
 
891
#############################################################
919
#############################################################
892
##               Function "time_server"                    ##
920
##               Function "time_server"                    ##
893
## - Configuring NTP server                                ##
921
## - Configuring NTP server                                ##
894
#############################################################
922
#############################################################
895
time_server()
923
time_server()
896
{
924
{
897
# Set the Internet time server
925
# Set the Internet time server
898
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
926
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
899
	cat <<EOF > /etc/ntp/step-tickers
927
	cat <<EOF > /etc/ntp/step-tickers
900
0.fr.pool.ntp.org	# adapt to your country
928
0.fr.pool.ntp.org	# adapt to your country
901
1.fr.pool.ntp.org
929
1.fr.pool.ntp.org
902
2.fr.pool.ntp.org
930
2.fr.pool.ntp.org
903
EOF
931
EOF
904
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
932
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
905
	cat <<EOF > /etc/ntp.conf
933
	cat <<EOF > /etc/ntp.conf
906
server 0.fr.pool.ntp.org	# adapt to your country
934
server 0.fr.pool.ntp.org	# adapt to your country
907
server 1.fr.pool.ntp.org
935
server 1.fr.pool.ntp.org
908
server 2.fr.pool.ntp.org
936
server 2.fr.pool.ntp.org
909
server 127.127.1.0   		# local clock si NTP internet indisponible ...
937
server 127.127.1.0   		# local clock si NTP internet indisponible ...
910
fudge 127.127.1.0 stratum 10
938
fudge 127.127.1.0 stratum 10
911
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
939
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
912
restrict 127.0.0.1
940
restrict 127.0.0.1
913
driftfile /var/lib/ntp/drift
941
driftfile /var/lib/ntp/drift
914
logfile /var/log/ntp.log
942
logfile /var/log/ntp.log
915
disable monitor
943
disable monitor
916
EOF
944
EOF
917
	chown -R ntp:ntp /var/lib/ntp
945
	chown -R ntp:ntp /var/lib/ntp
918
# Synchronize now
946
# Synchronize now
919
	ntpd -4 -q -g &
947
	ntpd -4 -q -g &
920
} # End of time_server()
948
} # End of time_server()
921
 
949
 
922
#####################################################################
950
#####################################################################
923
##                     Function "init_db"                          ##
951
##                     Function "init_db"                          ##
924
## - Mysql initialization                                          ##
952
## - Mysql initialization                                          ##
925
## - Set admin (root) password                                     ##
953
## - Set admin (root) password                                     ##
926
## - Remove unused users & databases                               ##
954
## - Remove unused users & databases                               ##
927
## - Radius database creation                                      ##
955
## - Radius database creation                                      ##
928
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
956
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
929
#####################################################################
957
#####################################################################
930
init_db()
958
init_db()
931
{
959
{
932
	if [ "`systemctl is-active mysqld`" == "active" ]
960
	if [ "`systemctl is-active mysqld`" == "active" ]
933
	then
961
	then
934
		systemctl stop mysqld
962
		systemctl stop mysqld
935
	fi
963
	fi
936
	rm -rf /var/lib/mysql # to be sure that there is no former installation
964
	rm -rf /var/lib/mysql # to be sure that there is no former installation
937
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
965
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
938
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
966
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
939
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
967
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
940
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
968
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
941
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
969
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
942
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
970
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
943
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
971
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
944
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
972
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
945
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
973
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
946
	/usr/bin/systemctl start mysqld
974
	/usr/bin/systemctl start mysqld
947
	nb_round=1
975
	nb_round=1
948
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
976
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
949
	do
977
	do
950
		nb_round=`expr $nb_round + 1`
978
		nb_round=`expr $nb_round + 1`
951
		sleep 2
979
		sleep 2
952
	done
980
	done
953
	if [ ! -S /var/lib/mysql/mysql.sock ]
981
	if [ ! -S /var/lib/mysql/mysql.sock ]
954
	then
982
	then
955
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
983
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
956
		exit
984
		exit
957
	fi
985
	fi
958
# Secure the server
986
# Secure the server
959
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
987
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
960
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
988
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
961
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
989
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
962
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
990
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
963
# Create 'radius' database
991
# Create 'radius' database
964
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
992
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
965
# Add an empty radius database structure
993
# Add an empty radius database structure
966
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
994
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
967
# modify the start script in order to close accounting connexion when the system is comming down or up
995
# modify the start script in order to close accounting connexion when the system is comming down or up
968
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
996
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
969
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
997
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
970
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
998
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
971
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
999
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
972
	/usr/bin/systemctl daemon-reload
1000
	/usr/bin/systemctl daemon-reload
973
} # End of init_db()
1001
} # End of init_db()
974
 
1002
 
975
###################################################################
1003
###################################################################
976
##                       Function "freeradius"                   ##
1004
##                       Function "freeradius"                   ##
977
## - Set the configuration files                                 ##
1005
## - Set the configuration files                                 ##
978
## - Set the shared secret between coova-chilli and freeradius   ##
1006
## - Set the shared secret between coova-chilli and freeradius   ##
979
## - Adapt the Mysql conf file and counters                      ##
1007
## - Adapt the Mysql conf file and counters                      ##
980
###################################################################
1008
###################################################################
981
freeradius()
1009
freeradius()
982
{
1010
{
983
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
1011
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
984
	chown -R radius:radius /etc/raddb
1012
	chown -R radius:radius /etc/raddb
985
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1013
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
986
# Set radius global parameters (radius.conf)
1014
# Set radius global parameters (radius.conf)
987
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
1015
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
988
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
1016
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
989
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
1017
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
990
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
1018
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
991
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
1019
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
992
# Add ALCASAR & Coovachilli dictionaries
1020
# Add ALCASAR & Coovachilli dictionaries
993
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
1021
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
994
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
1022
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
995
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
1023
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
996
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
1024
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
997
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
1025
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
998
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1026
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
999
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1027
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1000
	cat << EOF > /etc/raddb/clients.conf
1028
	cat << EOF > /etc/raddb/clients.conf
1001
client localhost {
1029
client localhost {
1002
	ipaddr = 127.0.0.1
1030
	ipaddr = 127.0.0.1
1003
	secret = $secretradius
1031
	secret = $secretradius
1004
	shortname = chilli
1032
	shortname = chilli
1005
	nas_type = other
1033
	nas_type = other
1006
}
1034
}
1007
EOF
1035
EOF
1008
# Set Virtual server (remvove all except "alcasar virtual site")
1036
# Set Virtual server (remvove all except "alcasar virtual site")
1009
	rm -f /etc/raddb/sites-enabled/*
1037
	rm -f /etc/raddb/sites-enabled/*
1010
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1038
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1011
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1039
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1012
	chown radius:apache /etc/raddb/sites-available/alcasar*
1040
	chown radius:apache /etc/raddb/sites-available/alcasar*
1013
	chmod 660 /etc/raddb/sites-available/alcasar*
1041
	chmod 660 /etc/raddb/sites-available/alcasar*
1014
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1042
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1015
	# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
1043
	# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
1016
# Set modules
1044
# Set modules
1017
	# Add custom LDAP "available module"
1045
	# Add custom LDAP "available module"
1018
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1046
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1019
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1047
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1020
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1048
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1021
	rm -rf  /etc/raddb/mods-enabled/*
1049
	rm -rf  /etc/raddb/mods-enabled/*
1022
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1050
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1023
	do
1051
	do
1024
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1052
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1025
	done
1053
	done
1026
	# INFO : To connect from outside (EAP), add the EAP module (and right accesses to the keys (/etc/pki/tls/private/radius.pem)
1054
	# INFO : To connect from outside (EAP), add the EAP module (and right accesses to the keys (/etc/pki/tls/private/radius.pem)
1027
# Configure SQL mod
1055
# Configure SQL mod
1028
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1056
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1029
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1057
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1030
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1058
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1031
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1059
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1032
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1060
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1061
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1062
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1035
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1063
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1036
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1064
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1037
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1065
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1038
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1066
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1039
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1067
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1040
# sqlcounter modifications
1068
# sqlcounter modifications
1041
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1069
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1042
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1070
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1043
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1071
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1044
# make certain that mysql is up before freeradius start
1072
# make certain that mysql is up before freeradius start
1045
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1073
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1046
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1074
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1047
	/usr/bin/systemctl daemon-reload
1075
	/usr/bin/systemctl daemon-reload
1048
# Allow apache to change some conf files (ie : ldap on/off)
1076
# Allow apache to change some conf files (ie : ldap on/off)
1049
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1077
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1050
} # End of freeradius()
1078
} # End of freeradius()
1051
 
1079
 
1052
#############################################################################
1080
#############################################################################
1053
##                           Function "chilli"                             ##
1081
##                           Function "chilli"                             ##
1054
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1082
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1055
## - Adapt the authentication web page (intercept.php)                     ##
1083
## - Adapt the authentication web page (intercept.php)                     ##
1056
#############################################################################
1084
#############################################################################
1057
chilli()
1085
chilli()
1058
{
1086
{
1059
# chilli unit for systemd
1087
# chilli unit for systemd
1060
	cat << EOF > /lib/systemd/system/chilli.service
1088
	cat << EOF > /lib/systemd/system/chilli.service
1061
#  This file is part of systemd.
1089
#  This file is part of systemd.
1062
#
1090
#
1063
#  systemd is free software; you can redistribute it and/or modify it
1091
#  systemd is free software; you can redistribute it and/or modify it
1064
#  under the terms of the GNU General Public License as published by
1092
#  under the terms of the GNU General Public License as published by
1065
#  the Free Software Foundation; either version 2 of the License, or
1093
#  the Free Software Foundation; either version 2 of the License, or
1066
#  (at your option) any later version.
1094
#  (at your option) any later version.
1067
[Unit]
1095
[Unit]
1068
Description=chilli is a captive portal daemon
1096
Description=chilli is a captive portal daemon
1069
After=network.target
1097
After=network.target
1070
 
1098
 
1071
[Service]
1099
[Service]
1072
Type=forking
1100
Type=forking
1073
ExecStart=/usr/libexec/chilli start
1101
ExecStart=/usr/libexec/chilli start
1074
ExecStop=/usr/libexec/chilli stop
1102
ExecStop=/usr/libexec/chilli stop
1075
ExecReload=/usr/libexec/chilli reload
1103
ExecReload=/usr/libexec/chilli reload
1076
PIDFile=/var/run/chilli.pid
1104
PIDFile=/var/run/chilli.pid
1077
 
1105
 
1078
[Install]
1106
[Install]
1079
WantedBy=multi-user.target
1107
WantedBy=multi-user.target
1080
EOF
1108
EOF
1081
# init file creation
1109
# init file creation
1082
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1110
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1083
	cat <<EOF > /etc/init.d/chilli
1111
	cat <<EOF > /etc/init.d/chilli
1084
#!/bin/sh
1112
#!/bin/sh
1085
#
1113
#
1086
# chilli CoovaChilli init
1114
# chilli CoovaChilli init
1087
#
1115
#
1088
# chkconfig: 2345 65 35
1116
# chkconfig: 2345 65 35
1089
# description: CoovaChilli
1117
# description: CoovaChilli
1090
### BEGIN INIT INFO
1118
### BEGIN INIT INFO
1091
# Provides:       chilli
1119
# Provides:       chilli
1092
# Required-Start: network
1120
# Required-Start: network
1093
# Should-Start:
1121
# Should-Start:
1094
# Required-Stop:  network
1122
# Required-Stop:  network
1095
# Should-Stop:
1123
# Should-Stop:
1096
# Default-Start:  2 3 5
1124
# Default-Start:  2 3 5
1097
# Default-Stop:
1125
# Default-Stop:
1098
# Description:    CoovaChilli access controller
1126
# Description:    CoovaChilli access controller
1099
### END INIT INFO
1127
### END INIT INFO
1100
 
1128
 
1101
[ -f /usr/sbin/chilli ] || exit 0
1129
[ -f /usr/sbin/chilli ] || exit 0
1102
. /etc/init.d/functions
1130
. /etc/init.d/functions
1103
CONFIG=/etc/chilli.conf
1131
CONFIG=/etc/chilli.conf
1104
pidfile=/var/run/chilli.pid
1132
pidfile=/var/run/chilli.pid
1105
[ -f \$CONFIG ] || {
1133
[ -f \$CONFIG ] || {
1106
	echo "\$CONFIG Not found"
1134
	echo "\$CONFIG Not found"
1107
	exit 0
1135
	exit 0
1108
}
1136
}
1109
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1137
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1110
RETVAL=0
1138
RETVAL=0
1111
prog="chilli"
1139
prog="chilli"
1112
case \$1 in
1140
case \$1 in
1113
	start)
1141
	start)
1114
		if [ -f \$pidfile ] ; then
1142
		if [ -f \$pidfile ] ; then
1115
			gprintf "chilli is already running"
1143
			gprintf "chilli is already running"
1116
		else
1144
		else
1117
			gprintf "Starting \$prog: "
1145
			gprintf "Starting \$prog: "
1118
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1146
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1119
			rm -f /var/run/chilli* # cleaning
1147
			rm -f /var/run/chilli* # cleaning
1120
			/usr/sbin/modprobe tun >/dev/null 2>&1
1148
			/usr/sbin/modprobe tun >/dev/null 2>&1
1121
			echo 1 > /proc/sys/net/ipv4/ip_forward
1149
			echo 1 > /proc/sys/net/ipv4/ip_forward
1122
			[ -e /dev/net/tun ] || {
1150
			[ -e /dev/net/tun ] || {
1123
				(cd /dev;
1151
				(cd /dev;
1124
				mkdir net;
1152
				mkdir net;
1125
				cd net;
1153
				cd net;
1126
				mknod tun c 10 200)
1154
				mknod tun c 10 200)
1127
			}
1155
			}
1128
			ifconfig $INTIF 0.0.0.0
1156
			ifconfig $INTIF 0.0.0.0
1129
			/usr/sbin/ethtool -K $INTIF gro off
1157
			/usr/sbin/ethtool -K $INTIF gro off
1130
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1158
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1131
			RETVAL=\$?
1159
			RETVAL=\$?
1132
		fi
1160
		fi
1133
		;;
1161
		;;
1134
 
1162
 
1135
	reload)
1163
	reload)
1136
		killall -HUP chilli
1164
		killall -HUP chilli
1137
		;;
1165
		;;
1138
 
1166
 
1139
	restart)
1167
	restart)
1140
		\$0 stop
1168
		\$0 stop
1141
		sleep 2
1169
		sleep 2
1142
		\$0 start
1170
		\$0 start
1143
		;;
1171
		;;
1144
 
1172
 
1145
	status)
1173
	status)
1146
		status chilli
1174
		status chilli
1147
		RETVAL=0
1175
		RETVAL=0
1148
		;;
1176
		;;
1149
 
1177
 
1150
	stop)
1178
	stop)
1151
		if [ -f \$pidfile ] ; then
1179
		if [ -f \$pidfile ] ; then
1152
			gprintf "Shutting down \$prog: "
1180
			gprintf "Shutting down \$prog: "
1153
			killproc /usr/sbin/chilli
1181
			killproc /usr/sbin/chilli
1154
			RETVAL=\$?
1182
			RETVAL=\$?
1155
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1183
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1156
			[ -e \$current_users_file ] && rm -f \$current_users_file
1184
			[ -e \$current_users_file ] && rm -f \$current_users_file
1157
		else
1185
		else
1158
			gprintf "chilli is not running"
1186
			gprintf "chilli is not running"
1159
		fi
1187
		fi
1160
		;;
1188
		;;
1161
 
1189
 
1162
	*)
1190
	*)
1163
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1191
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1164
		exit 1
1192
		exit 1
1165
esac
1193
esac
1166
echo
1194
echo
1167
EOF
1195
EOF
1168
	chmod a+x /etc/init.d/chilli
1196
	chmod a+x /etc/init.d/chilli
1169
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1197
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1170
# conf file creation
1198
# conf file creation
1171
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1199
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1172
	#NTP Option configuration for DHCP
1200
	#NTP Option configuration for DHCP
1173
	#DHCP Options : rfc2132
1201
	#DHCP Options : rfc2132
1174
		#dhcp option value will be convert in hexa.
1202
		#dhcp option value will be convert in hexa.
1175
		#NTP option (or 'option 42') is like :
1203
		#NTP option (or 'option 42') is like :
1176
		#
1204
		#
1177
		#    Code   Len         Address 1               Address 2
1205
		#    Code   Len         Address 1               Address 2
1178
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1206
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1179
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1207
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1180
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1208
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1181
		#
1209
		#
1182
		#Code : 42 => 2a
1210
		#Code : 42 => 2a
1183
		#Len : 4 => 04
1211
		#Len : 4 => 04
1184
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1212
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1185
	cat <<EOF > /etc/chilli.conf
1213
	cat <<EOF > /etc/chilli.conf
1186
# coova config for ALCASAR
1214
# coova config for ALCASAR
1187
cmdsocket	/var/run/chilli.sock
1215
cmdsocket	/var/run/chilli.sock
1188
unixipc		chilli.$INTIF.ipc
1216
unixipc		chilli.$INTIF.ipc
1189
pidfile		/var/run/chilli.pid
1217
pidfile		/var/run/chilli.pid
1190
net		$PRIVATE_NETWORK_MASK
1218
net		$PRIVATE_NETWORK_MASK
1191
dhcpif		$INTIF
1219
dhcpif		$INTIF
1192
ethers		$DIR_DEST_ETC/alcasar-ethers
1220
ethers		$DIR_DEST_ETC/alcasar-ethers
1193
#nodynip
1221
#nodynip
1194
#statip
1222
#statip
1195
dynip		$PRIVATE_NETWORK_MASK
1223
dynip		$PRIVATE_NETWORK_MASK
1196
domain		$DOMAIN
1224
domain		$DOMAIN
1197
dns1		$PRIVATE_IP
1225
dns1		$PRIVATE_IP
1198
dns2		$PRIVATE_IP
1226
dns2		$PRIVATE_IP
1199
uamlisten	$PRIVATE_IP
1227
uamlisten	$PRIVATE_IP
1200
uamport		3990
1228
uamport		3990
1201
uamuiport	3991
1229
uamuiport	3991
1202
macauth
1230
macauth
1203
macpasswd	password
1231
macpasswd	password
1204
strictmacauth
1232
strictmacauth
1205
locationname	$HOSTNAME.$DOMAIN
1233
locationname	$HOSTNAME.$DOMAIN
1206
radiusserver1	127.0.0.1
1234
radiusserver1	127.0.0.1
1207
radiusserver2	127.0.0.1
1235
radiusserver2	127.0.0.1
1208
radiussecret	$secretradius
1236
radiussecret	$secretradius
1209
radiusauthport	1812
1237
radiusauthport	1812
1210
radiusacctport	1813
1238
radiusacctport	1813
1211
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1239
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1212
redirurl
1240
redirurl
1213
radiusnasid	$HOSTNAME.$DOMAIN
1241
radiusnasid	$HOSTNAME.$DOMAIN
1214
uamsecret	$secretuam
1242
uamsecret	$secretuam
1215
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1243
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1216
coaport		3799
1244
coaport		3799
1217
conup		$DIR_DEST_BIN/alcasar-conup.sh
1245
conup		$DIR_DEST_BIN/alcasar-conup.sh
1218
condown		$DIR_DEST_BIN/alcasar-condown.sh
1246
condown		$DIR_DEST_BIN/alcasar-condown.sh
1219
macup		$DIR_DEST_BIN/alcasar-macup.sh
1247
macup		$DIR_DEST_BIN/alcasar-macup.sh
1220
include		$DIR_DEST_ETC/alcasar-uamallowed
1248
include		$DIR_DEST_ETC/alcasar-uamallowed
1221
include		$DIR_DEST_ETC/alcasar-uamdomain
1249
include		$DIR_DEST_ETC/alcasar-uamdomain
1222
dhcpopt		2a04$PRIVATE_IP_HEXA
1250
dhcpopt		2a04$PRIVATE_IP_HEXA
1223
#dhcpgateway		none
1251
#dhcpgateway		none
1224
#dhcprelayagent		none
1252
#dhcprelayagent		none
1225
#dhcpgatewayport	none
1253
#dhcpgatewayport	none
1226
sslkeyfile	/etc/pki/tls/private/alcasar.key
1254
sslkeyfile	/etc/pki/tls/private/alcasar.key
1227
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1255
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1228
redirssl
1256
redirssl
1229
uamuissl
1257
uamuissl
1230
EOF
1258
EOF
1231
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1259
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1232
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1260
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1233
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1261
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1234
# create files for trusted domains and urls
1262
# create files for trusted domains and urls
1235
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1263
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1236
	chown root:apache $DIR_DEST_ETC/alcasar-*
1264
	chown root:apache $DIR_DEST_ETC/alcasar-*
1237
	chmod 660 $DIR_DEST_ETC/alcasar-*
1265
	chmod 660 $DIR_DEST_ETC/alcasar-*
1238
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1266
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1239
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1267
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1240
# user 'chilli' creation (in order to run conup/off and up/down scripts
1268
# user 'chilli' creation (in order to run conup/off and up/down scripts
1241
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1269
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1242
	if [ "$chilli_exist" == "1" ]
1270
	if [ "$chilli_exist" == "1" ]
1243
	then
1271
	then
1244
		userdel -r chilli 2>/dev/null
1272
		userdel -r chilli 2>/dev/null
1245
	fi
1273
	fi
1246
	groupadd -f chilli
1274
	groupadd -f chilli
1247
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1275
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1248
}  # End of chilli()
1276
}  # End of chilli()
1249
 
1277
 
1250
################################################################
1278
################################################################
1251
##                   Function "e2guardian"                    ##
1279
##                   Function "e2guardian"                    ##
1252
## - Set the parameters of this HTML proxy (as controler)     ##
1280
## - Set the parameters of this HTML proxy (as controler)     ##
1253
################################################################
1281
################################################################
1254
e2guardian()
1282
e2guardian()
1255
{
1283
{
1256
	mkdir -p /var/e2guardian /var/log/e2guardian
1284
	mkdir -p /var/e2guardian /var/log/e2guardian
1257
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1285
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1258
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1286
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1259
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1287
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1260
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1288
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1261
# By default the filter is off
1289
# By default the filter is off
1262
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1290
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1263
# French deny HTML page
1291
# French deny HTML page
1264
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1292
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1265
# Listen only on LAN side
1293
# Listen only on LAN side
1266
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1294
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1267
# DG send its flow to HAVP
1295
# DG send its flow to HAVP
1268
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1296
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1269
# replace the default deny HTML page
1297
# replace the default deny HTML page
1270
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1298
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1271
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1299
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1272
# Don't log
1300
# Don't log
1273
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1301
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1274
# # Change the default report page
1302
# # Change the default report page
1275
	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1303
	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1276
# Disable HTML content control
1304
# Disable HTML content control
1277
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1305
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1278
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1306
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1279
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1307
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1280
# Disable URL control with regex
1308
# Disable URL control with regex
1281
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1309
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1282
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1310
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1283
# Configure E2guardian for large site
1311
# Configure E2guardian for large site
1284
# Minimum number of processus to handle connections
1312
# Minimum number of processus to handle connections
1285
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1313
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1286
# Maximum number of processus to handle connections
1314
# Maximum number of processus to handle connections
1287
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1315
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1288
# Run at least 8 daemons
1316
# Run at least 8 daemons
1289
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1317
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1290
# minimum number of processes to spawn
1318
# minimum number of processes to spawn
1291
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1319
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1292
# maximum age of a child process before it croaks it
1320
# maximum age of a child process before it croaks it
1293
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1321
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1294
# Disable download files control
1322
# Disable download files control
1295
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1323
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1296
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1324
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1297
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1325
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1298
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1326
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1299
	touch $DIR_DG/lists/bannedextensionlist
1327
	touch $DIR_DG/lists/bannedextensionlist
1300
	touch $DIR_DG/lists/bannedmimetypelist
1328
	touch $DIR_DG/lists/bannedmimetypelist
1301
# 'Safesearch' regex actualisation
1329
# 'Safesearch' regex actualisation
1302
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1330
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1303
# empty LAN IP list that won't be WEB filtered
1331
# empty LAN IP list that won't be WEB filtered
1304
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1332
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1305
	touch $DIR_DG/lists/exceptioniplist
1333
	touch $DIR_DG/lists/exceptioniplist
1306
# Keep a copy of URL & domain filter configuration files
1334
# Keep a copy of URL & domain filter configuration files
1307
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1335
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1308
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1336
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1309
} # End of e2guardian()
1337
} # End of e2guardian()
1310
 
1338
 
1311
##################################################################
1339
##################################################################
1312
##                     Function "antivirus"                     ##
1340
##                     Function "antivirus"                     ##
1313
## - Set the parameters of havp, libclamav and freshclam        ##
1341
## - Set the parameters of havp, libclamav and freshclam        ##
1314
##################################################################
1342
##################################################################
1315
antivirus()
1343
antivirus()
1316
{
1344
{
1317
# create 'havp' user
1345
# create 'havp' user
1318
	havp_exist=`grep -c ^havp: /etc/passwd`
1346
	havp_exist=`grep -c ^havp: /etc/passwd`
1319
	if [ "$havp_exist" == "1" ]
1347
	if [ "$havp_exist" == "1" ]
1320
	then
1348
	then
1321
		userdel -r havp 2>/dev/null
1349
		userdel -r havp 2>/dev/null
1322
		groupdel havp 2>/dev/null
1350
		groupdel havp 2>/dev/null
1323
	fi
1351
	fi
1324
	groupadd -f havp
1352
	groupadd -f havp
1325
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1353
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1326
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1354
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1327
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1355
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1328
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1356
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1329
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1357
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1330
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1358
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1331
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1359
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1332
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1360
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1333
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1361
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1334
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1362
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1335
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1363
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1336
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1364
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1337
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1365
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1338
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1366
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1339
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1367
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1340
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1368
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1341
# skip checking of youtube flow (too heavy load / risk too low)
1369
# skip checking of youtube flow (too heavy load / risk too low)
1342
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1370
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1343
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1371
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1344
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1372
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1345
# adapt init script and systemd unit
1373
# adapt init script and systemd unit
1346
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1374
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1347
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1375
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1348
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1376
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1349
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1377
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1350
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1378
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1351
# replace of the intercept page (template)
1379
# replace of the intercept page (template)
1352
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1380
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1353
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1381
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1354
# update virus database every 4 hours (24h/6)
1382
# update virus database every 4 hours (24h/6)
1355
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1383
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1356
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1384
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1357
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1385
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1358
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1386
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1359
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1387
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1360
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1388
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1361
# update now
1389
# update now
1362
	/usr/bin/freshclam --no-warnings
1390
	/usr/bin/freshclam --no-warnings
1363
} # End of antivirus()
1391
} # End of antivirus()
1364
 
1392
 
1365
################################################################################
1393
################################################################################
1366
##                           Function "tinyproxy"                             ##
1394
##                           Function "tinyproxy"                             ##
1367
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1395
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1368
################################################################################
1396
################################################################################
1369
tinyproxy()
1397
tinyproxy()
1370
{
1398
{
1371
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1399
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1372
	if [ "$tinyproxy_exist" == "1" ]
1400
	if [ "$tinyproxy_exist" == "1" ]
1373
	then
1401
	then
1374
		userdel -r tinyproxy 2>/dev/null
1402
		userdel -r tinyproxy 2>/dev/null
1375
		groupdel tinyproxy 2>/dev/null
1403
		groupdel tinyproxy 2>/dev/null
1376
	fi
1404
	fi
1377
	groupadd -f tinyproxy
1405
	groupadd -f tinyproxy
1378
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1406
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1379
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1407
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1380
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1408
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1381
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1409
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1382
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1410
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1383
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1411
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1384
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1412
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1385
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1413
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1386
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1414
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1387
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1415
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1388
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1416
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1389
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1417
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1390
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1418
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1391
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1419
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1392
# Create the systemd unit
1420
# Create the systemd unit
1393
cat << EOF > /lib/systemd/system/tinyproxy.service
1421
cat << EOF > /lib/systemd/system/tinyproxy.service
1394
#  This file is part of systemd.
1422
#  This file is part of systemd.
1395
#
1423
#
1396
#  systemd is free software; you can redistribute it and/or modify it
1424
#  systemd is free software; you can redistribute it and/or modify it
1397
#  under the terms of the GNU General Public License as published by
1425
#  under the terms of the GNU General Public License as published by
1398
#  the Free Software Foundation; either version 2 of the License, or
1426
#  the Free Software Foundation; either version 2 of the License, or
1399
#  (at your option) any later version.
1427
#  (at your option) any later version.
1400
 
1428
 
1401
# This unit launches tinyproxy (a very light proxy).
1429
# This unit launches tinyproxy (a very light proxy).
1402
# The "sleep 2" is needed because the pid file isn't ready for systemd
1430
# The "sleep 2" is needed because the pid file isn't ready for systemd
1403
[Unit]
1431
[Unit]
1404
Description=Tinyproxy Web Proxy Server
1432
Description=Tinyproxy Web Proxy Server
1405
After=network.target iptables.service
1433
After=network.target iptables.service
1406
 
1434
 
1407
[Service]
1435
[Service]
1408
Type=forking
1436
Type=forking
1409
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1437
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1410
ExecStartPre=/bin/sleep 2
1438
ExecStartPre=/bin/sleep 2
1411
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1439
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1412
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1440
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1413
 
1441
 
1414
[Install]
1442
[Install]
1415
WantedBy=multi-user.target
1443
WantedBy=multi-user.target
1416
EOF
1444
EOF
1417
 
1445
 
1418
} # end of tinyproxy()
1446
} # end of tinyproxy()
1419
 
1447
 
1420
##############################################################
1448
##############################################################
1421
##                            function "ulogd"              ##
1449
##                            function "ulogd"              ##
1422
## - Ulog config for multi-log files                        ##
1450
## - Ulog config for multi-log files                        ##
1423
##############################################################
1451
##############################################################
1424
ulogd()
1452
ulogd()
1425
{
1453
{
1426
# Three instances of ulogd (three different logfiles)
1454
# Three instances of ulogd (three different logfiles)
1427
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1455
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1428
	nl=1
1456
	nl=1
1429
	for log_type in traceability ssh ext-access
1457
	for log_type in traceability ssh ext-access
1430
	do
1458
	do
1431
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1459
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1432
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1460
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1433
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1461
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1434
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1462
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1435
		cat << EOF >> /etc/ulogd-$log_type.conf
1463
		cat << EOF >> /etc/ulogd-$log_type.conf
1436
[emu1]
1464
[emu1]
1437
file="/var/log/firewall/$log_type.log"
1465
file="/var/log/firewall/$log_type.log"
1438
sync=1
1466
sync=1
1439
EOF
1467
EOF
1440
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1468
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1441
		nl=`expr $nl + 1`
1469
		nl=`expr $nl + 1`
1442
	done
1470
	done
1443
	chown -R root:apache /var/log/firewall
1471
	chown -R root:apache /var/log/firewall
1444
	chmod 750 /var/log/firewall
1472
	chmod 750 /var/log/firewall
1445
	chmod 640 /var/log/firewall/*
1473
	chmod 640 /var/log/firewall/*
1446
}  # End of ulogd()
1474
}  # End of ulogd()
1447
 
1475
 
1448
##########################################################
1476
##########################################################
1449
##                    Function "nfsen"                  ##
1477
##                    Function "nfsen"                  ##
1450
## - install the nfsen grapher                          ##
1478
## - install the nfsen grapher                          ##
1451
## - install the two plugins porttracker & surfmap      ##
1479
## - install the two plugins porttracker & surfmap      ##
1452
##########################################################
1480
##########################################################
1453
nfsen()
1481
nfsen()
1454
{
1482
{
1455
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1483
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1456
# Add PortTracker plugin
1484
# Add PortTracker plugin
1457
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1485
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1458
	do
1486
	do
1459
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1487
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1460
	done
1488
	done
1461
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1489
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1462
# use of our conf file and init unit
1490
# use of our conf file and init unit
1463
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1491
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1464
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1492
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1465
	DirTmp=$(pwd)
1493
	DirTmp=$(pwd)
1466
	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
1494
	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
1467
	/usr/bin/perl install.pl etc/nfsen.conf
1495
	/usr/bin/perl install.pl etc/nfsen.conf
1468
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1496
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1469
# Create RRD DB for porttracker (only in it still doesn't exist)
1497
# Create RRD DB for porttracker (only in it still doesn't exist)
1470
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1498
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1471
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1499
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1472
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1500
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1473
	chmod -R 770 /var/log/netflow/porttracker
1501
	chmod -R 770 /var/log/netflow/porttracker
1474
# nfsen unit for systemd
1502
# nfsen unit for systemd
1475
	cat << EOF > /lib/systemd/system/nfsen.service
1503
	cat << EOF > /lib/systemd/system/nfsen.service
1476
#  This file is part of systemd.
1504
#  This file is part of systemd.
1477
#
1505
#
1478
#  systemd is free software; you can redistribute it and/or modify it
1506
#  systemd is free software; you can redistribute it and/or modify it
1479
#  under the terms of the GNU General Public License as published by
1507
#  under the terms of the GNU General Public License as published by
1480
#  the Free Software Foundation; either version 2 of the License, or
1508
#  the Free Software Foundation; either version 2 of the License, or
1481
#  (at your option) any later version.
1509
#  (at your option) any later version.
1482
 
1510
 
1483
# This unit launches nfsen (a Netflow grapher).
1511
# This unit launches nfsen (a Netflow grapher).
1484
[Unit]
1512
[Unit]
1485
Description= NfSen init script
1513
Description= NfSen init script
1486
After=network.target iptables.service
1514
After=network.target iptables.service
1487
 
1515
 
1488
[Service]
1516
[Service]
1489
Type=oneshot
1517
Type=oneshot
1490
RemainAfterExit=yes
1518
RemainAfterExit=yes
1491
PIDFile=/var/run/nfsen/nfsen.pid
1519
PIDFile=/var/run/nfsen/nfsen.pid
1492
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1520
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1493
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1521
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1494
ExecStart=/usr/bin/nfsen start
1522
ExecStart=/usr/bin/nfsen start
1495
ExecStop=/usr/bin/nfsen stop
1523
ExecStop=/usr/bin/nfsen stop
1496
ExecReload=/usr/bin/nfsen restart
1524
ExecReload=/usr/bin/nfsen restart
1497
TimeoutSec=0
1525
TimeoutSec=0
1498
 
1526
 
1499
[Install]
1527
[Install]
1500
WantedBy=multi-user.target
1528
WantedBy=multi-user.target
1501
EOF
1529
EOF
1502
# Add the listen port to collect netflow packet (nfcapd)
1530
# Add the listen port to collect netflow packet (nfcapd)
1503
	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1531
	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1504
# expire delay for the profile "live"
1532
# expire delay for the profile "live"
1505
	/usr/bin/systemctl start nfsen
1533
	/usr/bin/systemctl start nfsen
1506
	/bin/nfsen -m live -e 62d 2>/dev/null
1534
	/bin/nfsen -m live -e 62d 2>/dev/null
1507
# add SURFmap plugin (waiting for new technical solution)
1535
# add SURFmap plugin (waiting for new technical solution)
1508
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1536
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1509
#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1537
#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1510
#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1538
#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1511
#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1539
#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1512
#	cd /tmp/
1540
#	cd /tmp/
1513
#	/usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
1541
#	/usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
1514
# clear the installation
1542
# clear the installation
1515
#	rm -rf /tmp/SURFmap*
1543
#	rm -rf /tmp/SURFmap*
1516
	rm -rf /tmp/nfsen-*
1544
	rm -rf /tmp/nfsen-*
1517
	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1545
	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1518
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1546
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1519
} # End of nfsen()
1547
} # End of nfsen()
1520
 
1548
 
1521
###########################################################
1549
###########################################################
1522
##                     Function "vnstat"                 ##
1550
##                     Function "vnstat"                 ##
1523
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1551
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1524
###########################################################
1552
###########################################################
1525
vnstat()
1553
vnstat()
1526
{
1554
{
1527
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1555
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1528
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1556
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1529
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1557
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1530
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1558
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1531
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1559
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1532
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1560
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1533
	/usr/bin/vnstat -i $EXTIF -u --force
1561
	/usr/bin/vnstat -i $EXTIF -u --force
1534
} # End of vnstat()
1562
} # End of vnstat()
1535
 
1563
 
1536
###################################################################
1564
###################################################################
1537
##                     Function "dnsmasq"                        ##
1565
##                     Function "dnsmasq"                        ##
1538
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1566
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1539
###################################################################
1567
###################################################################
1540
dnsmasq()
1568
dnsmasq()
1541
{
1569
{
1542
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1570
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1543
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1571
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1544
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1572
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1545
	cat << EOF > /etc/dnsmasq-whitelist.conf
1573
	cat << EOF > /etc/dnsmasq-whitelist.conf
1546
# Configuration file for "dnsmasq with whitelist"
1574
# Configuration file for "dnsmasq with whitelist"
1547
# ADD Toulouse university whitelist domains
1575
# ADD Toulouse university whitelist domains
1548
pid-file=/var/run/dnsmasq-whitelist.pid
1576
pid-file=/var/run/dnsmasq-whitelist.pid
1549
listen-address=127.0.0.1
1577
listen-address=127.0.0.1
1550
port=55
1578
port=55
1551
no-dhcp-interface=lo
1579
no-dhcp-interface=lo
1552
bind-interfaces
1580
bind-interfaces
1553
cache-size=1024
1581
cache-size=1024
1554
domain-needed
1582
domain-needed
1555
expand-hosts
1583
expand-hosts
1556
bogus-priv
1584
bogus-priv
1557
filterwin2k
1585
filterwin2k
1558
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1586
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1559
server=$DNS1
1587
server=$DNS1
1560
server=$DNS2
1588
server=$DNS2
1561
EOF
1589
EOF
1562
	# Create dnsmasq-whitelist unit
1590
	# Create dnsmasq-whitelist unit
1563
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1591
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1564
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1592
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1565
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1593
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1566
	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1594
	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1567
} # End of dnsmasq()
1595
} # End of dnsmasq()
1568
 
1596
 
1569
#########################################################
1597
#########################################################
1570
##              Function "unbound"                     ##
1598
##              Function "unbound"                     ##
1571
## - create the conf files for 4 unbound services      ##
1599
## - create the conf files for 4 unbound services      ##
1572
## - create the systemd files for 4 unbound services   ##
1600
## - create the systemd files for 4 unbound services   ##
1573
#########################################################
1601
#########################################################
1574
unbound ()
1602
unbound ()
1575
{
1603
{
1576
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1604
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1577
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1605
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1578
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1606
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1579
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1607
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1580
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1608
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1581
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1609
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1582
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1610
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1583
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1611
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1584
	[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1612
	[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1585
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1613
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1586
	# Local static DNS configuration
1614
	# Local static DNS configuration
1587
	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1615
	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1588
 
1616
 
1589
# Forward zone configuration file for all unbound dns servers
1617
# Forward zone configuration file for all unbound dns servers
1590
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1618
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1591
forward-zone:
1619
forward-zone:
1592
	name: "."
1620
	name: "."
1593
	forward-addr: $DNS1
1621
	forward-addr: $DNS1
1594
	forward-addr: $DNS2
1622
	forward-addr: $DNS2
1595
EOF
1623
EOF
1596
 
1624
 
1597
# Custom configuration file for manual DNS configuration
1625
# Custom configuration file for manual DNS configuration
1598
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1626
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1599
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1627
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1600
## Add one block for each domain name managed by an other DNS server
1628
## Add one block for each domain name managed by an other DNS server
1601
##
1629
##
1602
## Example:
1630
## Example:
1603
##
1631
##
1604
## server:
1632
## server:
1605
##     local-zone: "<your_domain>." transparent
1633
##     local-zone: "<your_domain>." transparent
1606
## forward-zone:
1634
## forward-zone:
1607
##     name: "<your_domain>."
1635
##     name: "<your_domain>."
1608
##     forward-addr: <@IP_domain_server>
1636
##     forward-addr: <@IP_domain_server>
1609
##
1637
##
1610
## INFO : local hostnames are resolved in /etc/hosts file
1638
## INFO : local hostnames are resolved in /etc/hosts file
1611
EOF
1639
EOF
1612
 
1640
 
1613
# Configuration file of ALCASAR main domains for $INTIF
1641
# Configuration file of ALCASAR main domains for $INTIF
1614
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1642
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1615
server:
1643
server:
1616
	local-zone: "$HOSTNAME.$DOMAIN" static
1644
	local-zone: "$HOSTNAME.$DOMAIN" static
1617
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1645
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1618
	local-zone: "$HOSTNAME" static
1646
	local-zone: "$HOSTNAME" static
1619
	local-data: "$HOSTNAME A $PRIVATE_IP"
1647
	local-data: "$HOSTNAME A $PRIVATE_IP"
1620
	local-zone: "$DOMAIN." static
1648
	local-zone: "$DOMAIN." static
1621
	local-data: "$DOMAIN. A"
1649
	local-data: "$DOMAIN. A"
1622
EOF
1650
EOF
1623
 
1651
 
1624
# Configuration file for lo of forward unbound
1652
# Configuration file for lo of forward unbound
1625
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1653
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1626
server:
1654
server:
1627
	interface: 127.0.0.1@53
1655
	interface: 127.0.0.1@53
1628
	access-control-view: 127.0.0.1/8 lo
1656
	access-control-view: 127.0.0.1/8 lo
1629
 
1657
 
1630
view:
1658
view:
1631
	name: "lo"
1659
	name: "lo"
1632
	local-zone: "$HOSTNAME.$DOMAIN" static
1660
	local-zone: "$HOSTNAME.$DOMAIN" static
1633
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1661
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1634
	local-zone: "$HOSTNAME" static
1662
	local-zone: "$HOSTNAME" static
1635
	local-data: "$HOSTNAME A 127.0.0.1"
1663
	local-data: "$HOSTNAME A 127.0.0.1"
1636
	view-first: yes
1664
	view-first: yes
1637
EOF
1665
EOF
1638
 
1666
 
1639
# Configuration file for $INTIF of forward unbound
1667
# Configuration file for $INTIF of forward unbound
1640
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1668
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1641
server:
1669
server:
1642
	interface: ${PRIVATE_IP}@53
1670
	interface: ${PRIVATE_IP}@53
1643
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1671
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1644
 
1672
 
1645
view:
1673
view:
1646
	name: "$INTIF"
1674
	name: "$INTIF"
1647
	local-zone: "$HOSTNAME.$DOMAIN" static
1675
	local-zone: "$HOSTNAME.$DOMAIN" static
1648
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1676
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1649
	local-zone: "$HOSTNAME" static
1677
	local-zone: "$HOSTNAME" static
1650
	local-data: "$HOSTNAME A $PRIVATE_IP"
1678
	local-data: "$HOSTNAME A $PRIVATE_IP"
1651
	view-first: yes
1679
	view-first: yes
1652
EOF
1680
EOF
1653
 
1681
 
1654
# Configuration file for forward unbound
1682
# Configuration file for forward unbound
1655
	cat << EOF > /etc/unbound/unbound.conf
1683
	cat << EOF > /etc/unbound/unbound.conf
1656
server:
1684
server:
1657
	verbosity: 1
1685
	verbosity: 1
1658
	hide-version: yes
1686
	hide-version: yes
1659
	hide-identity: yes
1687
	hide-identity: yes
1660
	do-ip6: no
1688
	do-ip6: no
1661
	include: /etc/unbound/conf.d/common/forward-zone.conf
1689
	include: /etc/unbound/conf.d/common/forward-zone.conf
1662
	include: /etc/unbound/conf.d/common/local-forward/*
1690
	include: /etc/unbound/conf.d/common/local-forward/*
1663
	include: /etc/unbound/conf.d/common/local-dns/*
1691
	include: /etc/unbound/conf.d/common/local-dns/*
1664
	include: /etc/unbound/conf.d/forward/*
1692
	include: /etc/unbound/conf.d/forward/*
1665
EOF
1693
EOF
1666
 
1694
 
1667
# Configuration file for $INTIF of blacklist unbound
1695
# Configuration file for $INTIF of blacklist unbound
1668
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1696
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1669
server:
1697
server:
1670
	interface: ${PRIVATE_IP}@54
1698
	interface: ${PRIVATE_IP}@54
1671
	access-control: $PRIVATE_IP_MASK allow
1699
	access-control: $PRIVATE_IP_MASK allow
1672
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1700
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1673
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1701
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1674
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1702
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1675
EOF
1703
EOF
1676
 
1704
 
1677
# Configuration file for blacklist unbound
1705
# Configuration file for blacklist unbound
1678
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1706
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1679
server:
1707
server:
1680
	verbosity: 1
1708
	verbosity: 1
1681
	hide-version: yes
1709
	hide-version: yes
1682
	hide-identity: yes
1710
	hide-identity: yes
1683
	do-ip6: no
1711
	do-ip6: no
1684
	logfile: "/var/log/unbound/unbound-blacklist.log"
1712
	logfile: "/var/log/unbound/unbound-blacklist.log"
1685
	chroot: ""
1713
	chroot: ""
1686
	define-tag: "blacklist"
1714
	define-tag: "blacklist"
1687
	log-local-actions: yes
1715
	log-local-actions: yes
1688
	include: /etc/unbound/conf.d/common/forward-zone.conf
1716
	include: /etc/unbound/conf.d/common/forward-zone.conf
1689
	include: /etc/unbound/conf.d/common/local-forward/*
1717
	include: /etc/unbound/conf.d/common/local-forward/*
1690
	include: /etc/unbound/conf.d/common/local-dns/*
1718
	include: /etc/unbound/conf.d/common/local-dns/*
1691
	include: /etc/unbound/conf.d/blacklist/*
1719
	include: /etc/unbound/conf.d/blacklist/*
1692
	include: /usr/local/share/unbound-bl-enabled/*
1720
	include: /usr/local/share/unbound-bl-enabled/*
1693
EOF
1721
EOF
1694
 
1722
 
1695
# Configuration file for $INTIF of whitelist unbound
1723
# Configuration file for $INTIF of whitelist unbound
1696
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1724
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1697
server:
1725
server:
1698
	interface: ${PRIVATE_IP}@55
1726
	interface: ${PRIVATE_IP}@55
1699
	access-control: $PRIVATE_IP_MASK allow
1727
	access-control: $PRIVATE_IP_MASK allow
1700
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1728
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1701
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1729
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1702
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1730
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1703
EOF
1731
EOF
1704
 
1732
 
1705
# Configuration file for whitelist unbound
1733
# Configuration file for whitelist unbound
1706
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1734
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1707
server:
1735
server:
1708
	verbosity: 1
1736
	verbosity: 1
1709
	hide-version: yes
1737
	hide-version: yes
1710
	hide-identity: yes
1738
	hide-identity: yes
1711
	do-ip6: no
1739
	do-ip6: no
1712
	do-not-query-localhost: no
1740
	do-not-query-localhost: no
1713
	define-tag: "whitelist"
1741
	define-tag: "whitelist"
1714
	local-zone: "." transparent
1742
	local-zone: "." transparent
1715
	local-zone-tag: "." "whitelist"
1743
	local-zone-tag: "." "whitelist"
1716
	include: /usr/local/share/unbound-wl-enabled/*
1744
	include: /usr/local/share/unbound-wl-enabled/*
1717
	include: /etc/unbound/conf.d/whitelist/*
1745
	include: /etc/unbound/conf.d/whitelist/*
1718
	include: /etc/unbound/conf.d/common/local-dns/*
1746
	include: /etc/unbound/conf.d/common/local-dns/*
1719
	include: /etc/unbound/conf.d/common/local-forward/*
1747
	include: /etc/unbound/conf.d/common/local-forward/*
1720
forward-zone:
1748
forward-zone:
1721
	name: "."
1749
	name: "."
1722
	forward-addr: 127.0.0.1@55
1750
	forward-addr: 127.0.0.1@55
1723
EOF
1751
EOF
1724
 
1752
 
1725
# Configuration file for $INTIF of blackhole unbound
1753
# Configuration file for $INTIF of blackhole unbound
1726
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1754
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1727
server:
1755
server:
1728
	interface: ${PRIVATE_IP}@56
1756
	interface: ${PRIVATE_IP}@56
1729
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1757
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1730
 
1758
 
1731
view:
1759
view:
1732
	name: "$INTIF"
1760
	name: "$INTIF"
1733
	local-zone: "." redirect
1761
	local-zone: "." redirect
1734
	local-data: ". A $PRIVATE_IP"
1762
	local-data: ". A $PRIVATE_IP"
1735
EOF
1763
EOF
1736
 
1764
 
1737
# Configuration file for blackhole unbound
1765
# Configuration file for blackhole unbound
1738
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1766
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1739
server:
1767
server:
1740
	verbosity: 1
1768
	verbosity: 1
1741
	hide-version: yes
1769
	hide-version: yes
1742
	hide-identity: yes
1770
	hide-identity: yes
1743
	do-ip6: no
1771
	do-ip6: no
1744
	include: /etc/unbound/conf.d/blackhole/*
1772
	include: /etc/unbound/conf.d/blackhole/*
1745
	include: /etc/unbound/conf.d/common/local-dns/*
1773
	include: /etc/unbound/conf.d/common/local-dns/*
1746
	include: /etc/unbound/conf.d/common/local-forward/*
1774
	include: /etc/unbound/conf.d/common/local-forward/*
1747
EOF
1775
EOF
1748
 
1776
 
1749
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1777
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1750
	then
1778
	then
1751
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1779
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1752
	fi
1780
	fi
1753
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1781
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1754
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1782
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1755
	for list in blacklist blackhole whitelist
1783
	for list in blacklist blackhole whitelist
1756
	do
1784
	do
1757
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1785
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1758
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1786
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1759
		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1787
		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1760
	done
1788
	done
1761
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1789
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1762
} # End of unbound()
1790
} # End of unbound()
1763
 
1791
 
1764
##################################################
1792
##################################################
1765
##              Function "dhcpd"                ##
1793
##              Function "dhcpd"                ##
1766
##################################################
1794
##################################################
1767
dhcpd()
1795
dhcpd()
1768
{
1796
{
1769
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1797
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1770
	cat <<EOF > /etc/dhcpd.conf
1798
	cat <<EOF > /etc/dhcpd.conf
1771
ddns-update-style none;
1799
ddns-update-style none;
1772
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1800
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1773
	option routers $PRIVATE_IP;
1801
	option routers $PRIVATE_IP;
1774
	option subnet-mask $PRIVATE_NETMASK;
1802
	option subnet-mask $PRIVATE_NETMASK;
1775
	option domain-name-servers $PRIVATE_IP;
1803
	option domain-name-servers $PRIVATE_IP;
1776
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1804
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1777
	default-lease-time 21600;
1805
	default-lease-time 21600;
1778
	max-lease-time 43200;
1806
	max-lease-time 43200;
1779
}
1807
}
1780
EOF
1808
EOF
1781
} # End of dhcpd()
1809
} # End of dhcpd()
1782
 
1810
 
1783
##########################################################
1811
##########################################################
1784
##                      Function "BL"                   ##
1812
##                      Function "BL"                   ##
1785
## - copy Toulouse BL                                   ##
1813
## - copy Toulouse BL                                   ##
1786
## - adapt this BL to ALCASAR architecture              ##
1814
## - adapt this BL to ALCASAR architecture              ##
1787
##     - domain names for unbound-bl & unbound-wl       ##
1815
##     - domain names for unbound-bl & unbound-wl       ##
1788
##     - URLs for E²guardian                            ##
1816
##     - URLs for E²guardian                            ##
1789
##     - IPs for NetFilter                              ##
1817
##     - IPs for NetFilter                              ##
1790
##########################################################
1818
##########################################################
1791
BL()
1819
BL()
1792
{
1820
{
1793
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1821
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1794
	rm -rf $DIR_DG/lists/blacklists
1822
	rm -rf $DIR_DG/lists/blacklists
1795
	mkdir -p /tmp/blacklists
1823
	mkdir -p /tmp/blacklists
1796
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1824
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1797
# creation of file for the rehabilited domains and urls
1825
# creation of file for the rehabilited domains and urls
1798
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1826
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1799
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1827
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1800
	touch $DIR_DG/lists/exceptionsitelist
1828
	touch $DIR_DG/lists/exceptionsitelist
1801
	touch $DIR_DG/lists/exceptionurllist
1829
	touch $DIR_DG/lists/exceptionurllist
1802
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
1830
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
1803
	cat <<EOF > $DIR_DG/lists/bannedurllist
1831
	cat <<EOF > $DIR_DG/lists/bannedurllist
1804
# E2guardian filter config for ALCASAR
1832
# E2guardian filter config for ALCASAR
1805
EOF
1833
EOF
1806
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1834
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1807
# E2guardian domain filter config for ALCASAR
1835
# E2guardian domain filter config for ALCASAR
1808
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1836
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1809
#**
1837
#**
1810
# block all SSL and CONNECT tunnels
1838
# block all SSL and CONNECT tunnels
1811
**s
1839
**s
1812
# block all SSL and CONNECT tunnels specified only as an IP
1840
# block all SSL and CONNECT tunnels specified only as an IP
1813
*ips
1841
*ips
1814
# block all sites specified only by an IP
1842
# block all sites specified only by an IP
1815
*ip
1843
*ip
1816
EOF
1844
EOF
1817
# Add Bing to the safesearch url regext list (parental control)
1845
# Add Bing to the safesearch url regext list (parental control)
1818
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1846
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1819
# Bing - add 'adlt=strict'
1847
# Bing - add 'adlt=strict'
1820
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1848
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1821
EOF
1849
EOF
1822
# change the google safesearch ("safe=strict" instead of "safe=vss")
1850
# change the google safesearch ("safe=strict" instead of "safe=vss")
1823
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1851
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1824
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1852
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1825
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1853
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1826
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1854
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1827
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1855
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1828
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1856
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1829
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1857
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1830
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1858
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1831
# add custom ALCASAR BL files
1859
# add custom ALCASAR BL files
1832
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1860
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1833
	do
1861
	do
1834
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1862
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1835
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1863
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1836
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1864
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1837
	done
1865
	done
1838
	chown -R e2guardian:apache $DIR_DG
1866
	chown -R e2guardian:apache $DIR_DG
1839
	chown -R root:apache $DIR_DEST_SHARE
1867
	chown -R root:apache $DIR_DEST_SHARE
1840
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1868
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1841
# adapt the Toulouse BL to ALCASAR architecture
1869
# adapt the Toulouse BL to ALCASAR architecture
1842
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1870
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1843
# enable the default categories
1871
# enable the default categories
1844
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1872
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1845
	rm -rf /tmp/blacklists
1873
	rm -rf /tmp/blacklists
1846
} # End of BL()
1874
} # End of BL()
1847
 
1875
 
1848
#######################################################
1876
#######################################################
1849
##                  Function "cron"                  ##
1877
##                  Function "cron"                  ##
1850
## - write all cron & anacron files                  ##
1878
## - write all cron & anacron files                  ##
1851
#######################################################
1879
#######################################################
1852
cron()
1880
cron()
1853
{
1881
{
1854
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1882
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1855
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1883
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1856
	cat <<EOF > /etc/crontab
1884
	cat <<EOF > /etc/crontab
1857
SHELL=/usr/bin/bash
1885
SHELL=/usr/bin/bash
1858
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1886
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1859
MAILTO=root
1887
MAILTO=root
1860
HOME=/
1888
HOME=/
1861
 
1889
 
1862
# run-parts
1890
# run-parts
1863
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1891
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1864
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1892
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1865
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1893
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1866
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1894
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1867
EOF
1895
EOF
1868
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1896
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1869
	cat <<EOF >> /etc/anacrontab
1897
	cat <<EOF >> /etc/anacrontab
1870
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1898
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1871
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1899
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1872
EOF
1900
EOF
1873
	cat <<EOF > /etc/cron.d/alcasar-mysql
1901
	cat <<EOF > /etc/cron.d/alcasar-mysql
1874
# Verify, repair and export users database (every monday at 4:45 am)
1902
# Verify, repair and export users database (every monday at 4:45 am)
1875
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1903
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1876
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1904
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1877
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1905
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1878
EOF
1906
EOF
1879
	cat <<EOF > /etc/cron.d/alcasar-archive
1907
	cat <<EOF > /etc/cron.d/alcasar-archive
1880
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1908
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1881
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1909
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1882
EOF
1910
EOF
1883
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1911
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1884
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1912
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1885
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1913
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1886
EOF
1914
EOF
1887
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1915
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1888
# Update the system (everyday at 3:30 am)
1916
# Update the system (everyday at 3:30 am)
1889
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1917
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1890
EOF
1918
EOF
1891
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1919
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1892
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1920
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1893
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1921
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1894
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1922
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1895
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1923
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1896
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1924
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1897
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1925
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1898
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1926
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1899
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1927
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1900
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1928
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1901
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1929
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1902
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1930
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1903
EOF
1931
EOF
1904
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1932
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1905
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1933
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1906
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1934
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1907
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1935
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1908
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1936
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1909
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1937
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1910
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1938
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1911
EOF
1939
EOF
1912
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1940
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1913
# start dead daemons (after boot process and every 18')
1941
# start dead daemons (after boot process and every 18')
1914
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1942
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1915
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1943
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1916
EOF
1944
EOF
1917
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1945
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1918
# Automatic update the BL via rsync (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1946
# Automatic update the BL via rsync (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1919
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1947
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1920
EOF
1948
EOF
1921
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1949
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1922
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1950
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1923
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1951
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1924
EOF
1952
EOF
1925
 
1953
 
1926
# removing the users crons
1954
# removing the users crons
1927
	rm -f /var/spool/cron/*
1955
	rm -f /var/spool/cron/*
1928
} # End of cron()
1956
} # End of cron()
1929
 
1957
 
1930
######################################################################
1958
######################################################################
1931
##                      Fonction "Fail2Ban"                         ##
1959
##                      Fonction "Fail2Ban"                         ##
1932
##- Adapt conf file to ALCASAR                                      ##
1960
##- Adapt conf file to ALCASAR                                      ##
1933
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1961
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1934
######################################################################
1962
######################################################################
1935
fail2ban()
1963
fail2ban()
1936
{
1964
{
1937
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1965
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1938
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1966
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1939
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1967
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1940
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1968
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1941
	chmod 644 /var/log/fail2ban.log
1969
	chmod 644 /var/log/fail2ban.log
1942
	chmod 644 /var/Save/security/watchdog.log
1970
	chmod 644 /var/Save/security/watchdog.log
1943
	/usr/bin/touch /var/log/auth.log
1971
	/usr/bin/touch /var/log/auth.log
1944
# fail2ban unit
1972
# fail2ban unit
1945
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1973
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1946
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1974
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1947
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1975
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1948
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1976
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1949
} # End of fail2ban()
1977
} # End of fail2ban()
1950
 
1978
 
1951
#########################################################
1979
#########################################################
1952
##                   Fonction "gammu_smsd"             ##
1980
##                   Fonction "gammu_smsd"             ##
1953
## - Creating of SMS management database               ##
1981
## - Creating of SMS management database               ##
1954
## - Write the gammu a gammu_smsd conf files           ##
1982
## - Write the gammu a gammu_smsd conf files           ##
1955
#########################################################
1983
#########################################################
1956
gammu_smsd()
1984
gammu_smsd()
1957
{
1985
{
1958
# Create 'gammu' system user
1986
# Create 'gammu' system user
1959
	groupadd -f gammu_smsd
1987
	groupadd -f gammu_smsd
1960
	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1988
	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1961
	usermod -a -G dialout gammu_smsd
1989
	usermod -a -G dialout gammu_smsd
1962
 
1990
 
1963
# Create 'gammu' database
1991
# Create 'gammu' database
1964
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1992
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1965
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1993
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1966
# Add a gammu database structure
1994
# Add a gammu database structure
1967
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1995
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1968
 
1996
 
1969
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1997
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1970
	cat << EOF > /etc/gammurc
1998
	cat << EOF > /etc/gammurc
1971
[gammu]
1999
[gammu]
1972
device = /dev/ttyUSB0
2000
device = /dev/ttyUSB0
1973
connection = at115200
2001
connection = at115200
1974
EOF
2002
EOF
1975
 
2003
 
1976
	cat << EOF > /etc/gammu_smsd_conf
2004
	cat << EOF > /etc/gammu_smsd_conf
1977
[gammu]
2005
[gammu]
1978
port = /dev/ttyUSB0
2006
port = /dev/ttyUSB0
1979
connection = at115200
2007
connection = at115200
1980
 
2008
 
1981
[smsd]
2009
[smsd]
1982
PIN = 1234
2010
PIN = 1234
1983
logfile = /var/log/gammu-smsd/gammu-smsd.log
2011
logfile = /var/log/gammu-smsd/gammu-smsd.log
1984
logformat = textall
2012
logformat = textall
1985
debuglevel = 0
2013
debuglevel = 0
1986
 
2014
 
1987
service = sql
2015
service = sql
1988
driver = native_mysql
2016
driver = native_mysql
1989
user = $DB_USER
2017
user = $DB_USER
1990
password = $radiuspwd
2018
password = $radiuspwd
1991
pc = localhost
2019
pc = localhost
1992
database = $DB_GAMMU
2020
database = $DB_GAMMU
1993
 
2021
 
1994
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
2022
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1995
 
2023
 
1996
StatusFrequency = 30
2024
StatusFrequency = 30
1997
;LoopSleep = 2
2025
;LoopSleep = 2
1998
 
2026
 
1999
;ResetFrequency = 300
2027
;ResetFrequency = 300
2000
;HardResetFrequency = 120
2028
;HardResetFrequency = 120
2001
 
2029
 
2002
CheckSecurity = 1
2030
CheckSecurity = 1
2003
CheckSignal = 1
2031
CheckSignal = 1
2004
CheckBattery = 0
2032
CheckBattery = 0
2005
EOF
2033
EOF
2006
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2034
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2007
 
2035
 
2008
# Create the systemd unit
2036
# Create the systemd unit
2009
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2037
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2010
[Unit]
2038
[Unit]
2011
Description=SMS daemon for Gammu
2039
Description=SMS daemon for Gammu
2012
Documentation=man:gammu-smsd(1)
2040
Documentation=man:gammu-smsd(1)
2013
After=network.target mysql.service
2041
After=network.target mysql.service
2014
 
2042
 
2015
[Service]
2043
[Service]
2016
Type=forking
2044
Type=forking
2017
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
2045
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
2018
ExecReload=/bin/kill -HUP $MAINPID
2046
ExecReload=/bin/kill -HUP $MAINPID
2019
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
2047
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
2020
PIDFile=/var/run/gammu-smsd.pid
2048
PIDFile=/var/run/gammu-smsd.pid
2021
 
2049
 
2022
[Install]
2050
[Install]
2023
WantedBy=multi-user.target
2051
WantedBy=multi-user.target
2024
EOF
2052
EOF
2025
 
2053
 
2026
# Log folder for gammu-smsd
2054
# Log folder for gammu-smsd
2027
	[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2055
	[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2028
	chmod 755 /var/log/gammu-smsd
2056
	chmod 755 /var/log/gammu-smsd
2029
 
2057
 
2030
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2058
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2031
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2059
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2032
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2060
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2033
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2061
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2034
#EOF
2062
#EOF
2035
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2063
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2036
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2064
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2037
 
2065
 
2038
} # End of gammu_smsd()
2066
} # End of gammu_smsd()
2039
 
2067
 
2040
############################################################
2068
############################################################
2041
##                 Fonction "msec"                        ##
2069
##                 Fonction "msec"                        ##
2042
## - Apply the "fileserver" security level                ##
2070
## - Apply the "fileserver" security level                ##
2043
## - remove the "system request" for rebboting            ##
2071
## - remove the "system request" for rebboting            ##
2044
## - Fix several file permissions                         ##
2072
## - Fix several file permissions                         ##
2045
############################################################
2073
############################################################
2046
msec()
2074
msec()
2047
{
2075
{
2048
 
2076
 
2049
# Apply fileserver security level
2077
# Apply fileserver security level
2050
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2078
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2051
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2079
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2052
 
2080
 
2053
# Set permissions monitoring and enforcement
2081
# Set permissions monitoring and enforcement
2054
cat <<EOF > /etc/security/msec/perm.local
2082
cat <<EOF > /etc/security/msec/perm.local
2055
/var/log/firefwall/                     root.apache     750
2083
/var/log/firefwall/                     root.apache     750
2056
/var/log/firewall/*                     root.apache     640
2084
/var/log/firewall/*                     root.apache     640
2057
/etc/security/msec/perm.local           root.root       640
2085
/etc/security/msec/perm.local           root.root       640
2058
/etc/security/msec/level.local          root.root       640
2086
/etc/security/msec/level.local          root.root       640
2059
/etc/freeradius-web                     root.apache     750
2087
/etc/freeradius-web                     root.apache     750
2060
/etc/freeradius-web/admin.conf          root.apache     640
2088
/etc/freeradius-web/admin.conf          root.apache     640
2061
/etc/raddb/client.conf                  radius.radius   640
2089
/etc/raddb/client.conf                  radius.radius   640
2062
/etc/raddb/radius.conf                  radius.radius   640
2090
/etc/raddb/radius.conf                  radius.radius   640
2063
/etc/raddb/mods-available/ldap          radius.apache   660
2091
/etc/raddb/mods-available/ldap          radius.apache   660
2064
/etc/raddb/sites-available/alcasar      radius.apache   660
2092
/etc/raddb/sites-available/alcasar      radius.apache   660
2065
/etc/pki/*                              root.apache     750
2093
/etc/pki/*                              root.apache     750
2066
/var/log/netflow/porttracker            root.apache     770
2094
/var/log/netflow/porttracker            root.apache     770
2067
/var/log/netflow/porttracker/*          root.apache     660
2095
/var/log/netflow/porttracker/*          root.apache     660
2068
EOF
2096
EOF
2069
# apply now hourly & daily checks
2097
# apply now hourly & daily checks
2070
/usr/sbin/msec
2098
/usr/sbin/msec
2071
/etc/cron.weekly/msec
2099
/etc/cron.weekly/msec
2072
 
2100
 
2073
} # End of msec()
2101
} # End of msec()
2074
 
2102
 
2075
##################################################################
2103
##################################################################
2076
##                   Fonction "letsencrypt"                     ##
2104
##                   Fonction "letsencrypt"                     ##
2077
## - Install Let's Encrypt client                               ##
2105
## - Install Let's Encrypt client                               ##
2078
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2106
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2079
##################################################################
2107
##################################################################
2080
letsencrypt()
2108
letsencrypt()
2081
{
2109
{
2082
	echo "Installing Let's Encrypt client..."
2110
	echo "Installing Let's Encrypt client..."
2083
 
2111
 
2084
	# Remove potential old installers
2112
	# Remove potential old installers
2085
	rm -rf /tmp/acme.sh-*
2113
	rm -rf /tmp/acme.sh-*
2086
 
2114
 
2087
	# Extract acme.sh
2115
	# Extract acme.sh
2088
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2116
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2089
 
2117
 
2090
	pwdInstall=$(pwd)
2118
	pwdInstall=$(pwd)
2091
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2119
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2092
 
2120
 
2093
	acmesh_installDir="/opt/acme.sh"
2121
	acmesh_installDir="/opt/acme.sh"
2094
	acmesh_confDir="/usr/local/etc/letsencrypt"
2122
	acmesh_confDir="/usr/local/etc/letsencrypt"
2095
	acmesh_userAgent="ALCASAR"
2123
	acmesh_userAgent="ALCASAR"
2096
 
2124
 
2097
	# Install acme.sh
2125
	# Install acme.sh
2098
	./acme.sh --install \
2126
	./acme.sh --install \
2099
		--home $acmesh_installDir \
2127
		--home $acmesh_installDir \
2100
		--config-home $acmesh_confDir/data \
2128
		--config-home $acmesh_confDir/data \
2101
		--certhome $acmesh_confDir/certs \
2129
		--certhome $acmesh_confDir/certs \
2102
		--accountkey $acmesh_confDir/ca/account.key \
2130
		--accountkey $acmesh_confDir/ca/account.key \
2103
		--accountconf $acmesh_confDir/data/account.conf \
2131
		--accountconf $acmesh_confDir/data/account.conf \
2104
		--useragent $acmesh_userAgent \
2132
		--useragent $acmesh_userAgent \
2105
		--nocron \
2133
		--nocron \
2106
		> /dev/null
2134
		> /dev/null
2107
 
2135
 
2108
	if [ $? -ne 0 ]; then
2136
	if [ $? -ne 0 ]; then
2109
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2137
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2110
	fi
2138
	fi
2111
 
2139
 
2112
	# Create configuration file
2140
	# Create configuration file
2113
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2141
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2114
email=
2142
email=
2115
dateIssueRequest=
2143
dateIssueRequest=
2116
domainRequest=
2144
domainRequest=
2117
challenge=
2145
challenge=
2118
dateIssued=
2146
dateIssued=
2119
dnsapi=
2147
dnsapi=
2120
dateNextRenewal=
2148
dateNextRenewal=
2121
EOF
2149
EOF
2122
 
2150
 
2123
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2151
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2124
	rm -rf /tmp/acme.sh-*
2152
	rm -rf /tmp/acme.sh-*
2125
 
2153
 
2126
} # End of letsencrypt()
2154
} # End of letsencrypt()
2127
 
2155
 
2128
##################################################################
2156
##################################################################
2129
##                    Fonction "post_install"                   ##
2157
##                    Fonction "post_install"                   ##
2130
## - Modifying banners (locals et ssh) & prompts                ##
2158
## - Modifying banners (locals et ssh) & prompts                ##
2131
## - SSH config                                                 ##
2159
## - SSH config                                                 ##
2132
## - sudoers config & files security                            ##
2160
## - sudoers config & files security                            ##
2133
## - log rotate & ANSSI security parameters                     ##
2161
## - log rotate & ANSSI security parameters                     ##
2134
## - Apply former conf in case of an update                     ##
2162
## - Apply former conf in case of an update                     ##
2135
##################################################################
2163
##################################################################
2136
post_install()
2164
post_install()
2137
{
2165
{
2138
# change the SSH banner
2166
# change the SSH banner
2139
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2167
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2140
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2168
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2141
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2169
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2142
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2170
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2143
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2171
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2144
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2172
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2145
# postfix banner anonymisation
2173
# postfix banner anonymisation
2146
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2174
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2147
	chown -R postfix:postfix /var/lib/postfix
2175
	chown -R postfix:postfix /var/lib/postfix
2148
# sshd liste on EXTIF & INTIF
2176
# sshd liste on EXTIF & INTIF
2149
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2177
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2150
# sshd authorized certificate for root login
2178
# sshd authorized certificate for root login
2151
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2179
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2152
# ALCASAR conf file
2180
# ALCASAR conf file
2153
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
2181
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
2154
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2182
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2155
	echo "SSH=on" >> $CONF_FILE
2183
	echo "SSH=on" >> $CONF_FILE
2156
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2184
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2157
	echo "LDAP=off" >> $CONF_FILE
2185
	echo "LDAP=off" >> $CONF_FILE
2158
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2186
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2159
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2187
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2160
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2188
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2161
	echo "LDAP_FILTER=" >> $CONF_FILE
2189
	echo "LDAP_FILTER=" >> $CONF_FILE
2162
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2190
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2163
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2191
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2164
	echo "LDAP_SSL=on" >> $CONF_FILE
2192
	echo "LDAP_SSL=on" >> $CONF_FILE
2165
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2193
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2166
	echo "SMS=off" >> $CONF_FILE
2194
	echo "SMS=off" >> $CONF_FILE
2167
	echo "SMS_NUM=" >> $CONF_FILE
2195
	echo "SMS_NUM=" >> $CONF_FILE
2168
	echo "MULTIWAN=off" >> $CONF_FILE
2196
	echo "MULTIWAN=off" >> $CONF_FILE
2169
	echo "FAILOVER=30" >> $CONF_FILE
2197
	echo "FAILOVER=30" >> $CONF_FILE
2170
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2198
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2171
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2199
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2172
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2200
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2173
	echo "BL_PUREIP=on" >> $CONF_FILE
2201
	echo "BL_PUREIP=on" >> $CONF_FILE
2174
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2202
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2175
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2203
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2176
# Prompt customisation (colors)
2204
# Prompt customisation (colors)
2177
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2205
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2178
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2206
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2179
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2207
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2180
# sudoers configuration for "apache" & "sysadmin"
2208
# sudoers configuration for "apache" & "sysadmin"
2181
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2209
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2182
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2210
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2183
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2211
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2184
# Modify some logrotate files (gammu, ulogd)
2212
# Modify some logrotate files (gammu, ulogd)
2185
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2213
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2186
	chmod 644 /etc/logrotate.d/*
2214
	chmod 644 /etc/logrotate.d/*
2187
# Log compression
2215
# Log compression
2188
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2216
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2189
# actualisation des fichiers logs compressés
2217
# actualisation des fichiers logs compressés
2190
	for dir in firewall e2guardian lighttpd
2218
	for dir in firewall e2guardian lighttpd
2191
	do
2219
	do
2192
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2220
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2193
	done
2221
	done
2194
# create the alcasar-load_balancing unit
2222
# create the alcasar-load_balancing unit
2195
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2223
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2196
#  This file is part of systemd.
2224
#  This file is part of systemd.
2197
#
2225
#
2198
#  systemd is free software; you can redistribute it and/or modify it
2226
#  systemd is free software; you can redistribute it and/or modify it
2199
#  under the terms of the GNU General Public License as published by
2227
#  under the terms of the GNU General Public License as published by
2200
#  the Free Software Foundation; either version 2 of the License, or
2228
#  the Free Software Foundation; either version 2 of the License, or
2201
#  (at your option) any later version.
2229
#  (at your option) any later version.
2202
 
2230
 
2203
# This unit lauches alcasar-load-balancing.sh script.
2231
# This unit lauches alcasar-load-balancing.sh script.
2204
[Unit]
2232
[Unit]
2205
Description=alcasar-load_balancing.sh execution
2233
Description=alcasar-load_balancing.sh execution
2206
After=network.target iptables.service
2234
After=network.target iptables.service
2207
 
2235
 
2208
[Service]
2236
[Service]
2209
Type=oneshot
2237
Type=oneshot
2210
RemainAfterExit=yes
2238
RemainAfterExit=yes
2211
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2239
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2212
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2240
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2213
TimeoutSec=0
2241
TimeoutSec=0
2214
SysVStartPriority=99
2242
SysVStartPriority=99
2215
 
2243
 
2216
[Install]
2244
[Install]
2217
WantedBy=multi-user.target
2245
WantedBy=multi-user.target
2218
EOF
2246
EOF
2219
	/usr/bin/systemctl daemon-reload
2247
	/usr/bin/systemctl daemon-reload
2220
# processes launched at boot time (Systemctl)
2248
# processes launched at boot time (Systemctl)
2221
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2249
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2222
	do
2250
	do
2223
		/usr/bin/systemctl -q enable $i.service
2251
		/usr/bin/systemctl -q enable $i.service
2224
	done
2252
	done
2225
 
2253
 
2226
# disable processes at boot time (Systemctl)
2254
# disable processes at boot time (Systemctl)
2227
	for i in ulogd gpm dhcpd
2255
	for i in ulogd gpm dhcpd
2228
	do
2256
	do
2229
		/usr/bin/systemctl -q disable $i.service
2257
		/usr/bin/systemctl -q disable $i.service
2230
	done
2258
	done
2231
 
2259
 
2232
# Apply French Security Agency (ANSSI) rules
2260
# Apply French Security Agency (ANSSI) rules
2233
# ignore ICMP broadcast (smurf attack)
2261
# ignore ICMP broadcast (smurf attack)
2234
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2262
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2235
# ignore ICMP errors bogus
2263
# ignore ICMP errors bogus
2236
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2264
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2237
# remove ICMP redirects responces
2265
# remove ICMP redirects responces
2238
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2266
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2239
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2267
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2240
# enable SYN Cookies (Syn flood attacks)
2268
# enable SYN Cookies (Syn flood attacks)
2241
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2269
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2242
# enable kernel antispoofing
2270
# enable kernel antispoofing
2243
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2271
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2244
# ignore source routing
2272
# ignore source routing
2245
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2273
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2246
# set conntrack timer to 1h (3600s) instead of 5 weeks
2274
# set conntrack timer to 1h (3600s) instead of 5 weeks
2247
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2275
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2248
# disable log_martians (ALCASAR is often installed between two private network addresses)
2276
# disable log_martians (ALCASAR is often installed between two private network addresses)
2249
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2277
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2250
# disable iptables_helpers
2278
# disable iptables_helpers
2251
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2279
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2252
# Switch to the router mode
2280
# Switch to the router mode
2253
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2281
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2254
# Remove unused service ipv6
2282
# Remove unused service ipv6
2255
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2283
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2256
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2284
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2257
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2285
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2258
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2286
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2259
# switch to multi-users runlevel (instead of x11)
2287
# switch to multi-users runlevel (instead of x11)
2260
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2288
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2261
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2289
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2262
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2290
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2263
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2291
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2264
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2292
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2265
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2293
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2266
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2294
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2267
	if [ $vm_vga == 0 ] # is not a VM
2295
	if [ $vm_vga == 0 ] # is not a VM
2268
	then
2296
	then
2269
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2297
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2270
		echo >> /etc/mageia-release
2298
		echo >> /etc/mageia-release
2271
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2299
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2272
	fi
2300
	fi
2273
	if [ $Lang == "fr" ]
2301
	if [ $Lang == "fr" ]
2274
	then
2302
	then
2275
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2303
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2276
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2304
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2277
	else
2305
	else
2278
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2306
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2279
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2307
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2280
	fi
2308
	fi
2281
	/usr/bin/update-grub2
2309
	/usr/bin/update-grub2
2282
# Load and apply the previous conf file
2310
# Load and apply the previous conf file
2283
	if [ "$mode" = "update" ]
2311
	if [ "$mode" = "update" ]
2284
	then
2312
	then
2285
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2313
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2286
		$DIR_DEST_BIN/alcasar-conf.sh --load
2314
		$DIR_DEST_BIN/alcasar-conf.sh --load
2287
		PARENT_SCRIPT=`basename $0`
2315
		PARENT_SCRIPT=`basename $0`
2288
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2316
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2289
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2317
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2290
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2318
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2291
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2319
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2292
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2320
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2293
	fi
2321
	fi
2294
	rm -f /var/tmp/alcasar-conf*
2322
	rm -f /var/tmp/alcasar-conf*
2295
	chown -R root:apache $DIR_DEST_ETC/*
2323
	chown -R root:apache $DIR_DEST_ETC/*
2296
	chmod -R 660 $DIR_DEST_ETC/*
2324
	chmod -R 660 $DIR_DEST_ETC/*
2297
	chmod ug+x $DIR_DEST_ETC/digest
2325
	chmod ug+x $DIR_DEST_ETC/digest
2298
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2326
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2299
	echo ""
2327
	echo ""
2300
	echo "#############################################################################"
2328
	echo "#############################################################################"
2301
	if [ $Lang == "fr" ]
2329
	if [ $Lang == "fr" ]
2302
		then
2330
		then
2303
		echo "#                        Fin d'installation d'ALCASAR                       #"
2331
		echo "#                        Fin d'installation d'ALCASAR                       #"
2304
		echo "#                                                                           #"
2332
		echo "#                                                                           #"
2305
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2333
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2306
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2334
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2307
		echo "#                                                                           #"
2335
		echo "#                                                                           #"
2308
		echo "#############################################################################"
2336
		echo "#############################################################################"
2309
		echo
2337
		echo
2310
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2338
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2311
		echo
2339
		echo
2312
		echo "- Lisez attentivement la documentation d'exploitation"
2340
		echo "- Lisez attentivement la documentation d'exploitation"
2313
		echo
2341
		echo
2314
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2342
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2315
		echo
2343
		echo
2316
		echo "                   Appuyez sur 'Entrée' pour continuer"
2344
		echo "                   Appuyez sur 'Entrée' pour continuer"
2317
	else
2345
	else
2318
		echo "#                        End of ALCASAR install process                     #"
2346
		echo "#                        End of ALCASAR install process                     #"
2319
		echo "#                                                                           #"
2347
		echo "#                                                                           #"
2320
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2348
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2321
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2349
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2322
		echo "#                                                                           #"
2350
		echo "#                                                                           #"
2323
		echo "#############################################################################"
2351
		echo "#############################################################################"
2324
		echo
2352
		echo
2325
		echo "- The system will be rebooted in order to operate ALCASAR"
2353
		echo "- The system will be rebooted in order to operate ALCASAR"
2326
		echo
2354
		echo
2327
		echo "- Read the exploitation documentation"
2355
		echo "- Read the exploitation documentation"
2328
		echo
2356
		echo
2329
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2357
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2330
		echo
2358
		echo
2331
		echo "                   Hit 'Enter' to continue"
2359
		echo "                   Hit 'Enter' to continue"
2332
	fi
2360
	fi
2333
	sleep 2
2361
	sleep 2
2334
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2362
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2335
	then
2363
	then
2336
		read
2364
		read
2337
	fi
2365
	fi
2338
	clear
2366
	clear
2339
	reboot
2367
	reboot
2340
} # End of post_install()
2368
} # End of post_install()
2341
 
2369
 
2342
#####################################################################################
2370
#####################################################################################
2343
#                                   Main Install loop                               #
2371
#                                   Main Install loop                               #
2344
#####################################################################################
2372
#####################################################################################
2345
dir_exec=`dirname "$0"`
2373
dir_exec=`dirname "$0"`
2346
if [ $dir_exec != "." ]
2374
if [ $dir_exec != "." ]
2347
then
2375
then
2348
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2376
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2349
	echo "Launch this program from the ALCASAR archive directory"
2377
	echo "Launch this program from the ALCASAR archive directory"
2350
	exit 0
2378
	exit 0
2351
fi
2379
fi
2352
if [ $EUID -gt 0 ]
2380
if [ $EUID -gt 0 ]
2353
then
2381
then
2354
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2382
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2355
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2383
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2356
	exit 0
2384
	exit 0
2357
fi
2385
fi
2358
VERSION=`cat $DIR_INSTALL/VERSION`
2386
VERSION=`cat $DIR_INSTALL/VERSION`
2359
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2387
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2360
nb_args=$#
2388
nb_args=$#
2361
args=$1
2389
args=$1
2362
if [ $nb_args -eq 0 ]
2390
if [ $nb_args -eq 0 ]
2363
then
2391
then
2364
	nb_args=1
2392
	nb_args=1
2365
	args="-h"
2393
	args="-h"
2366
fi
2394
fi
2367
chmod -R u+x $DIR_SCRIPTS/*
2395
chmod -R u+x $DIR_SCRIPTS/*
2368
case $args in
2396
case $args in
2369
	-\? | -h* | --h*)
2397
	-\? | -h* | --h*)
2370
		echo "$usage"
2398
		echo "$usage"
2371
		exit 0
2399
		exit 0
2372
		;;
2400
		;;
2373
	-i | --install)
2401
	-i | --install)
2374
		for func in license testing
2402
		for func in license testing
2375
		do
2403
		do
2376
			header_install
2404
			header_install
2377
			$func
2405
			$func
2378
			if [ $DEBUG_ALCASAR == "on" ]
2406
			if [ $DEBUG_ALCASAR == "on" ]
2379
			then
2407
			then
2380
				echo "*** 'debug' : end of install '$func' ***"
2408
				echo "*** 'debug' : end of install '$func' ***"
2381
				read
2409
				read
2382
			fi
2410
			fi
2383
		done
2411
		done
2384
# RPMs install
2412
# RPMs install
2385
		$DIR_SCRIPTS/alcasar-urpmi.sh
2413
		$DIR_SCRIPTS/alcasar-urpmi.sh
2386
		if [ "$?" != "0" ]
2414
		if [ "$?" != "0" ]
2387
		then
2415
		then
2388
			exit 0
2416
			exit 0
2389
		fi
2417
		fi
2390
		if [ -e $CONF_FILE ]
2418
		if [ -e $CONF_FILE ]
2391
		then
2419
		then
2392
# Uninstall or update the running version
2420
# Uninstall or update the running version
2393
			if [ "$mode" == "update" ]
2421
			if [ "$mode" == "update" ]
2394
			then
2422
			then
2395
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2423
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2396
			else
2424
			else
2397
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2425
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2398
			fi
2426
			fi
2399
		fi
2427
		fi
2400
	if [ $DEBUG_ALCASAR == "on" ]
2428
	if [ $DEBUG_ALCASAR == "on" ]
2401
	then
2429
	then
2402
		echo "*** 'debug' : end of cleaning ***"
2430
		echo "*** 'debug' : end of cleaning ***"
2403
		read
2431
		read
2404
	fi
2432
	fi
2405
# Test if manual update
2433
# Test if manual update
2406
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2434
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2407
		then
2435
		then
2408
			header_install
2436
			header_install
2409
			if [ $Lang == "fr" ]
2437
			if [ $Lang == "fr" ]
2410
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2438
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2411
				else echo "The configuration file of an old version has been found";
2439
				else echo "The configuration file of an old version has been found";
2412
			fi
2440
			fi
2413
			response=0
2441
			response=0
2414
			PTN='^[oOnNyY]$'
2442
			PTN='^[oOnNyY]$'
2415
			until [[ $(expr $response : $PTN) -gt 0 ]]
2443
			until [[ $(expr $response : $PTN) -gt 0 ]]
2416
			do
2444
			do
2417
				if [ $Lang == "fr" ]
2445
				if [ $Lang == "fr" ]
2418
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2446
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2419
					else echo -n "Do you want to use it (Y/n)?";
2447
					else echo -n "Do you want to use it (Y/n)?";
2420
				 fi
2448
				 fi
2421
				read response
2449
				read response
2422
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2450
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2423
				then rm -f /var/tmp/alcasar-conf*
2451
				then rm -f /var/tmp/alcasar-conf*
2424
				fi
2452
				fi
2425
			done
2453
			done
2426
		fi
2454
		fi
2427
# Test if update
2455
# Test if update
2428
		if [ -e /var/tmp/alcasar-conf* ]
2456
		if [ -e /var/tmp/alcasar-conf* ]
2429
		then
2457
		then
2430
			if [ $Lang == "fr" ]
2458
			if [ $Lang == "fr" ]
2431
				then echo "#### Installation avec mise à jour ####";
2459
				then echo "#### Installation avec mise à jour ####";
2432
				else echo "#### Installation with update     ####";
2460
				else echo "#### Installation with update     ####";
2433
			fi
2461
			fi
2434
# Extract some info from the previous configuration file
2462
# Extract some info from the previous configuration file
2435
			tar -xf /var/tmp/alcasar-conf* conf/etc/alcasar.conf
2463
			tar -xf /var/tmp/alcasar-conf* conf/etc/alcasar.conf
2436
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2464
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2437
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2465
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2438
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2466
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2439
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2467
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2440
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2468
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2441
			mode="update"
2469
			mode="update"
2442
		fi
2470
		fi
2443
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2471
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2444
		do
2472
		do
2445
			$func
2473
			$func
2446
			if [ $DEBUG_ALCASAR == "on" ]
2474
			if [ $DEBUG_ALCASAR == "on" ]
2447
			then
2475
			then
2448
				echo "*** 'debug' : end of install '$func' ***"
2476
				echo "*** 'debug' : end of install '$func' ***"
2449
				read
2477
				read
2450
			fi
2478
			fi
2451
		done
2479
		done
2452
		;;
2480
		;;
2453
	-u | --uninstall)
2481
	-u | --uninstall)
2454
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2482
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2455
		then
2483
		then
2456
			if [ $Lang == "fr" ]
2484
			if [ $Lang == "fr" ]
2457
				then echo "ALCASAR n'est pas installé!";
2485
				then echo "ALCASAR n'est pas installé!";
2458
				else echo "ALCASAR isn't installed!";
2486
				else echo "ALCASAR isn't installed!";
2459
			fi
2487
			fi
2460
			exit 0
2488
			exit 0
2461
		fi
2489
		fi
2462
		response=0
2490
		response=0
2463
		PTN='^[oOnN]$'
2491
		PTN='^[oOnN]$'
2464
		until [[ $(expr $response : $PTN) -gt 0 ]]
2492
		until [[ $(expr $response : $PTN) -gt 0 ]]
2465
		do
2493
		do
2466
			if [ $Lang == "fr" ]
2494
			if [ $Lang == "fr" ]
2467
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2495
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2468
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2496
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2469
			fi
2497
			fi
2470
			read response
2498
			read response
2471
		done
2499
		done
2472
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2500
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2473
		then
2501
		then
2474
			$DIR_SCRIPTS/alcasar-conf.sh --create
2502
			$DIR_SCRIPTS/alcasar-conf.sh --create
2475
		else
2503
		else
2476
			rm -f /var/tmp/alcasar-conf*
2504
			rm -f /var/tmp/alcasar-conf*
2477
		fi
2505
		fi
2478
# Uninstall the running version
2506
# Uninstall the running version
2479
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2507
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2480
		;;
2508
		;;
2481
	*)
2509
	*)
2482
		echo "Argument inconnu :$1";
2510
		echo "Argument inconnu :$1";
2483
		echo "Unknown argument :$1";
2511
		echo "Unknown argument :$1";
2484
		echo "$usage"
2512
		echo "$usage"
2485
		exit 1
2513
		exit 1
2486
		;;
2514
		;;
2487
esac
2515
esac
2488
# end of script
2516
# end of script
2489
 
2517
 
2490
 
2518
 
2491

Generated by GNU Enscript 1.6.6.
2519

Generated by GNU Enscript 1.6.6.
2492
 
2520
 
2493
 
2521
 
2494
 
2522