Subversion Repositories ALCASAR

Rev

Rev 2887 | Rev 2922 | Go to most recent revision | Only display areas with differences | Regard whitespace | Details | Blame | Last modification | View Log

Rev 2887 Rev 2888
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2887 2020-11-26 22:08:42Z rexy $
2
#  $Id: alcasar.sh 2888 2020-11-29 18:13:41Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
# Functions :
26
# Functions :
27
#	testing			: connectivity tests, free space test and mageia version test
27
#	testing			: connectivity tests, free space test and mageia version test
28
#	init			: Installation of RPM and scripts
28
#	init			: Installation of RPM and scripts
29
#	network			: Network parameters
29
#	network			: Network parameters
30
#	ACC				: ALCASAR Control Center installation
30
#	ACC				: ALCASAR Control Center installation
31
#	CA				: Certification Authority initialization
31
#	CA				: Certification Authority initialization
32
#	time_server		: NTPd configuration
32
#	time_server		: NTPd configuration
33
#	init_db			: Initilization of radius database managed with MariaDB
33
#	init_db			: Initilization of radius database managed with MariaDB
34
#	freeradius		: FreeRadius initialisation
34
#	freeradius		: FreeRadius initialisation
35
#	chilli			: coovachilli initialisation (+authentication page)
35
#	chilli			: coovachilli initialisation (+authentication page)
36
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
36
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	antivirus		: clamav & freshclam configuration
37
#	antivirus		: clamav & freshclam configuration
38
#	ulogd			: log system in userland (match NFLOG target of iptables)
38
#	ulogd			: log system in userland (match NFLOG target of iptables)
39
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
39
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
40
#	unbound			: Name server configuration
40
#	unbound			: Name server configuration
41
#	dnsmasq			: Name server configuration (for whitelist ipset support)
41
#	dnsmasq			: Name server configuration (for whitelist ipset support)
42
#	vnstat			: little network stat daemon
42
#	vnstat			: little network stat daemon
43
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
43
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
44
#	cron			: Logs export + watchdog + connexion statistics
44
#	cron			: Logs export + watchdog + connexion statistics
45
#	fail2ban		: Fail2ban IDS installation and configuration
45
#	fail2ban		: Fail2ban IDS installation and configuration
46
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
46
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
47
#	msec			: Mandriva security package configuration
47
#	msec			: Mandriva security package configuration
48
#	letsencrypt		: Let's Encrypt client
48
#	letsencrypt		: Let's Encrypt client
49
#	post_install	: Security, log rotation, etc.
49
#	post_install	: Security, log rotation, etc.
50
 
50
 
51
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
51
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
52
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
54
Lang=`echo $LANG|cut -c 1-2`
54
Lang=`echo $LANG|cut -c 1-2`
55
mode="install"
55
mode="install"
56
# ******* Files parameters - paramètres fichiers *********
56
# ******* Files parameters - paramètres fichiers *********
57
DIR_INSTALL=`pwd`						# current directory
57
DIR_INSTALL=`pwd`						# current directory
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
61
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
61
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
62
DIR_WEB="/var/www/html"					# directory of Lighttpd
62
DIR_WEB="/var/www/html"					# directory of Lighttpd
63
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
63
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
64
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
64
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
# ******* DBMS parameters - paramètres SGBD ********
70
# ******* DBMS parameters - paramètres SGBD ********
71
DB_RADIUS="radius"						# database name used by FreeRadius server
71
DB_RADIUS="radius"						# database name used by FreeRadius server
72
DB_USER="radius"						# user name allows to request the users database
72
DB_USER="radius"						# user name allows to request the users database
73
DB_GAMMU="gammu"						# database name used by Gammu-smsd
73
DB_GAMMU="gammu"						# database name used by Gammu-smsd
74
# ******* Network parameters - paramètres réseau *******
74
# ******* Network parameters - paramètres réseau *******
75
HOSTNAME="alcasar"						# default hostname
75
HOSTNAME="alcasar"						# default hostname
76
DOMAIN="localdomain"					# default local domain
76
DOMAIN="localdomain"					# default local domain
77
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
EXTIF=''								# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
INTIF=''								# INTIF is connected to the consultation network
78
INTIF=''								# INTIF is connected to the consultation network
79
MTU="1500"
79
MTU="1500"
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
# ****** Paths - chemin des commandes *******
81
# ****** Paths - chemin des commandes *******
82
SED="/bin/sed -i"
82
SED="/bin/sed -i"
83
# ****************** End of global parameters *********************
83
# ****************** End of global parameters *********************
84
 
84
 
85
license()
85
license()
86
{
86
{
87
	if [ $Lang == "fr" ]
87
	if [ $Lang == "fr" ]
88
	then
88
	then
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
	else
90
	else
91
		cat $DIR_INSTALL/gpl-warning.txt | more
91
		cat $DIR_INSTALL/gpl-warning.txt | more
92
	fi
92
	fi
93
	response=0
93
	response=0
94
	PTN='^[oOyYnN]?$'
94
	PTN='^[oOyYnN]?$'
95
	until [[ "$response" =~ $PTN ]]
95
	until [[ "$response" =~ $PTN ]]
96
	do
96
	do
97
		if [ $Lang == "fr" ]
97
		if [ $Lang == "fr" ]
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
100
		fi
100
		fi
101
		read response
101
		read response
102
	done
102
	done
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
104
	then
104
	then
105
		exit 1
105
		exit 1
106
	fi
106
	fi
107
} # End of license()
107
} # End of license()
108
 
108
 
109
header_install()
109
header_install()
110
{
110
{
111
	clear
111
	clear
112
	echo "-----------------------------------------------------------------------------"
112
	echo "-----------------------------------------------------------------------------"
113
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "-----------------------------------------------------------------------------"
115
	echo "-----------------------------------------------------------------------------"
116
} # End of header_install()
116
} # End of header_install()
117
 
117
 
118
########################################################
118
########################################################
119
##              Function "testing_system"             ##
119
##              Function "testing_system"             ##
120
## - Test Mageia version                              ##
120
## - Test Mageia version                              ##
121
## - Test ALCASAR version (if already installed)      ##
121
## - Test ALCASAR version (if already installed)      ##
122
## - Test free space on /var  (>10G)                  ##
122
## - Test free space on /var  (>10G)                  ##
123
## - Test Internet access                             ##
123
## - Test Internet access                             ##
124
########################################################
124
########################################################
125
testing_system()
125
testing_system()
126
{
126
{
127
# Test of Mageia version
127
# Test of Mageia version
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
	fic=`cat /etc/product.id`
129
	fic=`cat /etc/product.id`
130
	unknown_os=0
130
	unknown_os=0
131
	old="$IFS"
131
	old="$IFS"
132
	IFS=","
132
	IFS=","
133
	set $fic
133
	set $fic
134
	for i in "$@"
134
	for i in "$@"
135
	do
135
	do
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
			then
137
			then
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
			unknown_os=`expr $unknown_os + 1`
139
			unknown_os=`expr $unknown_os + 1`
140
		fi
140
		fi
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
			then
142
			then
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
			unknown_os=`expr $unknown_os + 1`
144
			unknown_os=`expr $unknown_os + 1`
145
		fi
145
		fi
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
			then
147
			then
148
			ARCH=`echo $i|cut -d"=" -f2`
148
			ARCH=`echo $i|cut -d"=" -f2`
149
			unknown_os=`expr $unknown_os + 1`
149
			unknown_os=`expr $unknown_os + 1`
150
		fi
150
		fi
151
	done
151
	done
152
	if [ "$ARCH" != "x86_64" ]
152
	if [ "$ARCH" != "x86_64" ]
153
		then
153
		then
154
		if [ $Lang == "fr" ]
154
		if [ $Lang == "fr" ]
155
			then echo "Votre architecture matérielle doit être en 64bits"
155
			then echo "Votre architecture matérielle doit être en 64bits"
156
			else echo "You hardware architecture must be 64bits"
156
			else echo "You hardware architecture must be 64bits"
157
		fi
157
		fi
158
		exit 1
158
		exit 1
159
	fi
159
	fi
160
	IFS="$old"
160
	IFS="$old"
161
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
161
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "7" ) ]]
162
	then
162
	then
163
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
163
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
164
			then
164
			then
165
			echo
165
			echo
166
			if [ $Lang == "fr" ]
166
			if [ $Lang == "fr" ]
167
				then
167
				then
168
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
168
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
169
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
169
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
170
				echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
170
				echo "2 - Installez Linux-Mageia 7.1 (64bits) et ALCASAR (cf. doc d'installation)"
171
				echo "3 - Importez votre base des usagers"
171
				echo "3 - Importez votre base des usagers"
172
			else
172
			else
173
				echo "The automatic update of ALCASAR can't be performed."
173
				echo "The automatic update of ALCASAR can't be performed."
174
				echo "1 - Save your traceability files and the user database"
174
				echo "1 - Save your traceability files and the user database"
175
				echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
175
				echo "2 - Install Linux-Mageia 7.1 (64bits) & ALCASAR (cf. installation doc)"
176
				echo "3 - Import your users database"
176
				echo "3 - Import your users database"
177
			fi
177
			fi
178
		else
178
		else
179
			if [ $Lang == "fr" ]
179
			if [ $Lang == "fr" ]
180
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
180
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
181
				else echo "The installation of ALCASAR can't be performed."
181
				else echo "The installation of ALCASAR can't be performed."
182
			fi
182
			fi
183
		fi
183
		fi
184
		echo
184
		echo
185
		if [ $Lang == "fr" ]
185
		if [ $Lang == "fr" ]
186
			then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
186
			then echo "Le système d'exploitation doit être remplacé (Mageia7.1-64bits)"
187
			else echo "The OS must be replaced (Mageia7.1-64bits)"
187
			else echo "The OS must be replaced (Mageia7.1-64bits)"
188
		fi
188
		fi
189
		exit 1
189
		exit 1
190
	fi
190
	fi
191
 
191
 
192
# Test if ALCASAR is already installed
192
# Test if ALCASAR is already installed
193
	if [ -e $CONF_FILE ]
193
	if [ -e $CONF_FILE ]
194
	then
194
	then
195
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
195
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
196
		if [ $Lang == "fr" ]
196
		if [ $Lang == "fr" ]
197
			then echo "La version $current_version d'ALCASAR est déjà installée"
197
			then echo "La version $current_version d'ALCASAR est déjà installée"
198
			else echo "ALCASAR version $current_version is already installed"
198
			else echo "ALCASAR version $current_version is already installed"
199
		fi
199
		fi
200
		response=0
200
		response=0
201
		PTN='^[12]$'
201
		PTN='^[12]$'
202
		until [[ "$response" =~ $PTN ]]
202
		until [[ "$response" =~ $PTN ]]
203
		do
203
		do
204
			if [ $Lang == "fr" ]
204
			if [ $Lang == "fr" ]
205
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
205
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
206
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
206
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
207
			fi
207
			fi
208
			read response
208
			read response
209
		done
209
		done
210
		if [ "$response" = "2" ]
210
		if [ "$response" = "2" ]
211
		then
211
		then
212
			rm -f /var/tmp/alcasar-conf*
212
			rm -f /var/tmp/alcasar-conf*
213
		else
213
		else
214
# Create the archive of conf files
214
# Create the archive of conf files
215
			$DIR_SCRIPTS/alcasar-conf.sh --create
215
			$DIR_SCRIPTS/alcasar-conf.sh --create
216
			mode="update"
216
			mode="update"
217
		fi
217
		fi
218
	fi
218
	fi
219
# Free /var (when updating) and test free space
219
# Free /var (when updating) and test free space
220
	[ -d /var/log/netflow ] && rm -rf /var/log/netflow  # remove old porttracker RRD database
220
	[ -d /var/log/netflow ] && rm -rf /var/log/netflow  # remove old porttracker RRD database
221
	[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
221
	[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
222
	journalctl -q --vacuum-files 1  # remove previous journal logs
222
	journalctl -q --vacuum-files 1  # remove previous journal logs
223
	free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
223
	free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
224
	if [ $free_space -lt 10 ]
224
	if [ $free_space -lt 10 ]
225
		then
225
		then
226
		if [ $Lang == "fr" ]
226
		if [ $Lang == "fr" ]
227
			then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
227
			then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
228
			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
228
			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
229
		fi
229
		fi
230
	exit 0
230
	exit 0
231
	fi
231
	fi
232
} # End of testing_system
232
} # End of testing_system
233
 
233
 
234
########################################################
234
########################################################
235
##             Function "testing_network"             ##
235
##             Function "testing_network"             ##
236
## - Test Internet access                             ##
236
## - Test Internet access                             ##
237
########################################################
237
########################################################
238
testing_network()
238
testing_network()
239
{
239
{
240
# Detect external/internal interfaces
240
# Detect external/internal interfaces
241
	if [ -z "$EXTIF" ]; then
241
	if [ -z "$EXTIF" ]; then
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
243
		if [ -z "$EXTIF" ]; then
243
		if [ -z "$EXTIF" ]; then
244
			if [ "$Lang" == 'fr' ]
244
			if [ "$Lang" == 'fr' ]
245
				then echo "Aucune passerelle par défaut configurée"
245
				then echo "Aucune passerelle par défaut configurée"
246
				else echo "No default gateway configured"
246
				else echo "No default gateway configured"
247
			fi
247
			fi
248
			exit 1
248
			exit 1
249
		fi
249
		fi
250
	fi
250
	fi
251
	if [ "$Lang" == 'fr' ]
251
	if [ "$Lang" == 'fr' ]
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
254
	fi
254
	fi
255
 
255
 
256
	if [ -z "$INTIF" ]; then
256
	if [ -z "$INTIF" ]; then
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
258
		interfacesCount=$(echo "$interfacesList" | wc -w)
259
		if [ $interfacesCount -eq 0 ]; then
259
		if [ $interfacesCount -eq 0 ]; then
260
			if [ "$Lang" == 'fr' ]
260
			if [ "$Lang" == 'fr' ]
261
				then echo "Aucune interface de disponible pour le réseau interne"
261
				then echo "Aucune interface de disponible pour le réseau interne"
262
				else echo "No interface available for the internal network"
262
				else echo "No interface available for the internal network"
263
			fi
263
			fi
264
			exit 1
264
			exit 1
265
		elif [ $interfacesCount -eq 1 ]; then
265
		elif [ $interfacesCount -eq 1 ]; then
266
			INTIF="$interfacesList"
266
			INTIF="$interfacesList"
267
		else
267
		else
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
			if [ "$Lang" == 'fr' ]
270
			if [ "$Lang" == 'fr' ]
271
				then echo 'Liste des interfaces disponible :'
271
				then echo 'Liste des interfaces disponible :'
272
				else echo 'List of available interfaces:'
272
				else echo 'List of available interfaces:'
273
			fi
273
			fi
274
			echo "$interfacesSorted"
274
			echo "$interfacesSorted"
275
			response=''
275
			response=''
276
			while true; do
276
			while true; do
277
				if [ "$Lang" == 'fr' ]
277
				if [ "$Lang" == 'fr' ]
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
278
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
279
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
280
				fi
280
				fi
281
				read response
281
				read response
282
 
282
 
283
				[ -z "$response" ] && response="$interfacePreferred"
283
				[ -z "$response" ] && response="$interfacePreferred"
284
 
284
 
285
				# Check if interface exist
285
				# Check if interface exist
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
286
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
287
					INTIF="$response"
287
					INTIF="$response"
288
					break
288
					break
289
				else
289
				else
290
					if [ "$Lang" == 'fr' ]
290
					if [ "$Lang" == 'fr' ]
291
						then echo "Interface \"$response\" introuvable"
291
						then echo "Interface \"$response\" introuvable"
292
						else echo "Interface \"$response\" not found"
292
						else echo "Interface \"$response\" not found"
293
					fi
293
					fi
294
				fi
294
				fi
295
			done
295
			done
296
		fi
296
		fi
297
	fi
297
	fi
298
	if [ "$Lang" == 'fr' ]
298
	if [ "$Lang" == 'fr' ]
299
		then echo "Interface interne utilisée : $INTIF"
299
		then echo "Interface interne utilisée : $INTIF"
300
		else echo "Internal interface used: $INTIF"
300
		else echo "Internal interface used: $INTIF"
301
	fi
301
	fi
302
 
302
 
303
	if [ $Lang == "fr" ]
303
	if [ $Lang == "fr" ]
304
		then echo -n "Tests des paramètres réseau : "
304
		then echo -n "Tests des paramètres réseau : "
305
		else echo -n "Network parameters tests: "
305
		else echo -n "Network parameters tests: "
306
	fi
306
	fi
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
308
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
309
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
	for i in $IF_INTERFACES
310
	for i in $IF_INTERFACES
311
	do
311
	do
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
312
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
313
			rm -f ifcfg-$i
313
			rm -f ifcfg-$i
314
 
314
 
315
			if [ $Lang == "fr" ]
315
			if [ $Lang == "fr" ]
316
				then echo "Suppression : ifcfg-$i"
316
				then echo "Suppression : ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
317
				else echo "Deleting: ifcfg-$i"
318
			fi
318
			fi
319
		fi
319
		fi
320
	done
320
	done
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
321
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
322
	echo -n "."
322
	echo -n "."
323
# Test Ethernet NIC links state
323
# Test Ethernet NIC links state
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
324
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
	if [ ! -z "$interfacesDown" ]; then
325
	if [ ! -z "$interfacesDown" ]; then
326
		for i in $interfacesDown; do
326
		for i in $interfacesDown; do
327
			if [ $Lang == "fr" ]
327
			if [ $Lang == "fr" ]
328
			then
328
			then
329
				echo -e "\nÉchec"
329
				echo -e "\nÉchec"
330
				echo "Le lien réseau de la carte $i n'est pas actif."
330
				echo "Le lien réseau de la carte $i n'est pas actif."
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
331
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
332
			else
332
			else
333
				echo -e "\nFailed"
333
				echo -e "\nFailed"
334
				echo "The link state of $i interface is down."
334
				echo "The link state of $i interface is down."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
335
				echo "Make sure that this network card is connected to a switch or an A.P."
336
			fi
336
			fi
337
		done
337
		done
338
		exit 1
338
		exit 1
339
	fi
339
	fi
340
	echo -n "."
340
	echo -n "."
341
# Test EXTIF config files
341
# Test EXTIF config files
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
342
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
343
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
344
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
345
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
346
	then
346
	then
347
		if [ $Lang == "fr" ]
347
		if [ $Lang == "fr" ]
348
		then
348
		then
349
			echo -e "\nÉchec"
349
			echo -e "\nÉchec"
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
350
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
351
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
352
			echo "Appliquez les changements : 'systemctl restart network'"
352
			echo "Appliquez les changements : 'systemctl restart network'"
353
		else
353
		else
354
			echo -e "\nFailed"
354
			echo -e "\nFailed"
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
355
			echo "The Internet connected network card ($EXTIF) isn't well configured."
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
356
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
357
			echo "Apply the new configuration: 'systemctl restart network'"
357
			echo "Apply the new configuration: 'systemctl restart network'"
358
		fi
358
		fi
359
		echo "DEVICE=$EXTIF"
359
		echo "DEVICE=$EXTIF"
360
		echo "IPADDR="
360
		echo "IPADDR="
361
		echo "NETMASK="
361
		echo "NETMASK="
362
		echo "GATEWAY="
362
		echo "GATEWAY="
363
		echo "DNS1="
363
		echo "DNS1="
364
		echo "DNS2="
364
		echo "DNS2="
365
		echo "ONBOOT=yes"
365
		echo "ONBOOT=yes"
366
		exit 1
366
		exit 1
367
	fi
367
	fi
368
	echo -n "."
368
	echo -n "."
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
370
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
371
		if [ $Lang == "fr" ]
371
		if [ $Lang == "fr" ]
372
		then
372
		then
373
			echo -e "\nÉchec"
373
			echo -e "\nÉchec"
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
374
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
			echo "Réglez ce problème puis relancez ce script."
375
			echo "Réglez ce problème puis relancez ce script."
376
		else
376
		else
377
			echo -e "\nFailed"
377
			echo -e "\nFailed"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
378
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
379
			echo "Resolv this problem, then restart this script."
379
			echo "Resolv this problem, then restart this script."
380
		fi
380
		fi
381
		exit 1
381
		exit 1
382
	fi
382
	fi
383
	echo -n "."
383
	echo -n "."
384
# Test if default GW is alive
384
# Test if default GW is alive
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
385
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
	if [ "$(expr $arp_reply)" -eq 0 ]
386
	if [ "$(expr $arp_reply)" -eq 0 ]
387
		then
387
		then
388
		if [ $Lang == "fr" ]
388
		if [ $Lang == "fr" ]
389
		then
389
		then
390
			echo -e "\nÉchec"
390
			echo -e "\nÉchec"
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
391
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
392
			echo "Réglez ce problème puis relancez ce script."
392
			echo "Réglez ce problème puis relancez ce script."
393
		else
393
		else
394
			echo -e "\nFailed"
394
			echo -e "\nFailed"
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
395
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
396
			echo "Resolv this problem, then restart this script."
396
			echo "Resolv this problem, then restart this script."
397
		fi
397
		fi
398
		exit 1
398
		exit 1
399
	fi
399
	fi
400
	echo -n "."
400
	echo -n "."
401
# Test Internet connectivity
401
# Test Internet connectivity
402
	domainTested='www.google.com'
402
	domainTested='www.google.com'
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
403
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
404
	if [ $? -ne 0 ]; then
404
	if [ $? -ne 0 ]; then
405
		if [ $Lang == "fr" ]
405
		if [ $Lang == "fr" ]
406
		then
406
		then
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
407
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
408
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
409
			echo "Vérifiez la validité des adresses IP des DNS."
409
			echo "Vérifiez la validité des adresses IP des DNS."
410
		else
410
		else
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
411
			echo -e "\nThe Internet connection try failed ($domainTested)."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
412
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
413
			echo "Verify the DNS IP addresses"
413
			echo "Verify the DNS IP addresses"
414
		fi
414
		fi
415
		exit 1
415
		exit 1
416
	fi
416
	fi
417
	echo ". : ok"
417
	echo ". : ok"
418
} # End of testing_network()
418
} # End of testing_network()
419
 
419
 
420
#######################################################################
420
#######################################################################
421
##                    Function "init"                                ##
421
##                    Function "init"                                ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
424
#######################################################################
424
#######################################################################
425
init()
425
init()
426
{
426
{
427
	if [ "$mode" != "update" ]
427
	if [ "$mode" != "update" ]
428
	then
428
	then
429
# On affecte le nom d'organisme
429
# On affecte le nom d'organisme
430
		header_install
430
		header_install
431
		ORGANISME=!
431
		ORGANISME=!
432
		PTN='^[a-zA-Z0-9-]*$'
432
		PTN='^[a-zA-Z0-9-]*$'
433
		until [[ "$ORGANISME" =~ $PTN ]]
433
		until [[ "$ORGANISME" =~ $PTN ]]
434
		do
434
		do
435
			if [ $Lang == "fr" ]
435
			if [ $Lang == "fr" ]
436
				then echo -n "Entrez le nom de votre organisme : "
436
				then echo -n "Entrez le nom de votre organisme : "
437
				else echo -n "Enter the name of your organism : "
437
				else echo -n "Enter the name of your organism : "
438
			fi
438
			fi
439
			read ORGANISME
439
			read ORGANISME
440
			if [ "$ORGANISME" == "" ]
440
			if [ "$ORGANISME" == "" ]
441
			then
441
			then
442
				ORGANISME=!
442
				ORGANISME=!
443
			fi
443
			fi
444
		done
444
		done
445
	fi
445
	fi
446
# On crée aléatoirement les mots de passe et les secrets partagés
446
# On crée aléatoirement les mots de passe et les secrets partagés
447
# We create random passwords and shared secrets
447
# We create random passwords and shared secrets
448
	rm -f $PASSWD_FILE
448
	rm -f $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
449
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
450
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
451
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
452
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
		grep -v '[eE]nter password:' | \
453
		grep -v '[eE]nter password:' | \
454
		sed -e "s/PBKDF2 hash of your password is //"`
454
		sed -e "s/PBKDF2 hash of your password is //"`
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
455
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
456
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
457
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
	chmod 0600 /boot/grub2/user.cfg
458
	chmod 0600 /boot/grub2/user.cfg
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
459
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
460
	echo "GRUB2_user=root" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
461
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
462
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
463
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
464
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
465
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
466
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
467
	echo "db_user=$DB_USER" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
468
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
469
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
470
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
471
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
472
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
473
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
474
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
475
	chmod 640 $PASSWD_FILE
476
#  copy scripts in in /usr/local/bin
476
#  copy scripts in in /usr/local/bin
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
477
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
478
#  copy conf files in /usr/local/etc
478
#  copy conf files in /usr/local/etc
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
479
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
480
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
481
# generate central conf file
481
# generate central conf file
482
	cat <<EOF > $CONF_FILE
482
	cat <<EOF > $CONF_FILE
483
##########################################
483
##########################################
484
##                                      ##
484
##                                      ##
485
##          ALCASAR Parameters          ##
485
##          ALCASAR Parameters          ##
486
##                                      ##
486
##                                      ##
487
##########################################
487
##########################################
488
 
488
 
489
INSTALL_DATE=$DATE
489
INSTALL_DATE=$DATE
490
VERSION=$VERSION
490
VERSION=$VERSION
491
ORGANISM=$ORGANISME
491
ORGANISM=$ORGANISME
492
EOF
492
EOF
493
	chmod o-rwx $CONF_FILE
493
	chmod o-rwx $CONF_FILE
494
} # End of init()
494
} # End of init()
495
 
495
 
496
#########################################################
496
#########################################################
497
##                    Function "network"               ##
497
##                    Function "network"               ##
498
## - Define the several network address                ##
498
## - Define the several network address                ##
499
## - Define the DNS naming                             ##
499
## - Define the DNS naming                             ##
500
## - INTIF parameters (consultation network)           ##
500
## - INTIF parameters (consultation network)           ##
501
## - Write "/etc/hosts" file                           ##
501
## - Write "/etc/hosts" file                           ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
502
## - write "hosts.allow" & "hosts.deny" files          ##
503
#########################################################
503
#########################################################
504
network()
504
network()
505
{
505
{
506
	header_install
506
	header_install
507
	if [ "$mode" != "update" ]
507
	if [ "$mode" != "update" ]
508
		then
508
		then
509
		if [ $Lang == "fr" ]
509
		if [ $Lang == "fr" ]
510
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
510
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
511
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
511
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
512
		fi
512
		fi
513
		response=0
513
		response=0
514
		PTN='^[oOyYnN]?$'
514
		PTN='^[oOyYnN]?$'
515
		until [[ "$response" =~ $PTN ]]
515
		until [[ "$response" =~ $PTN ]]
516
		do
516
		do
517
			if [ $Lang == "fr" ]
517
			if [ $Lang == "fr" ]
518
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
518
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
519
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
519
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
520
			fi
520
			fi
521
			read response
521
			read response
522
		done
522
		done
523
		if [ "$response" = "n" ] || [ "$response" = "N" ]
523
		if [ "$response" = "n" ] || [ "$response" = "N" ]
524
		then
524
		then
525
			PRIVATE_IP_MASK="0"
525
			PRIVATE_IP_MASK="0"
526
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
526
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
527
			until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
527
			until [[ $(expr "$PRIVATE_IP_MASK" : $PTN) -gt 0 ]]
528
			do
528
			do
529
				if [ $Lang == "fr" ]
529
				if [ $Lang == "fr" ]
530
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
530
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
531
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
531
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
532
				fi
532
				fi
533
				read PRIVATE_IP_MASK
533
				read PRIVATE_IP_MASK
534
			done
534
			done
535
		else
535
		else
536
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
536
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
537
		fi
537
		fi
538
	else
538
	else
539
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2`
539
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= /var/tmp/conf/etc/alcasar.conf|cut -d"=" -f2`
540
		rm -rf /var/tmp/conf
540
		rm -rf /var/tmp/conf
541
	fi
541
	fi
542
# Define LAN side global parameters
542
# Define LAN side global parameters
543
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
543
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
544
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
544
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
545
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
545
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
546
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
546
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
547
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
547
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
548
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
548
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
549
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
549
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
550
	then
550
	then
551
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
551
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
552
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
552
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
553
	fi
553
	fi
554
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
554
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
555
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
555
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
556
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
556
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
557
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
557
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
558
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
558
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
559
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
559
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
560
# Define Internet parameters
560
# Define Internet parameters
561
	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
561
	DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
562
	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
562
	DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
563
	DNS1=${DNS1:=208.67.220.220}
563
	DNS1=${DNS1:=208.67.220.220}
564
	DNS2=${DNS2:=208.67.222.222}
564
	DNS2=${DNS2:=208.67.222.222}
565
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
565
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
566
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
566
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
567
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
567
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
568
# Write network parameters in the conf file
568
# Write network parameters in the conf file
569
	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
569
	echo "HOSTNAME=$HOSTNAME" >> $CONF_FILE
570
	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
570
	echo "DOMAIN=$DOMAIN" >> $CONF_FILE
571
	echo "EXTIF=$EXTIF" >> $CONF_FILE
571
	echo "EXTIF=$EXTIF" >> $CONF_FILE
572
	echo "INTIF=$INTIF" >> $CONF_FILE
572
	echo "INTIF=$INTIF" >> $CONF_FILE
573
# Retrieve NIC name of other consultation LAN
573
# Retrieve NIC name of other consultation LAN
574
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
574
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
575
	for i in $INTERFACES
575
	for i in $INTERFACES
576
	do
576
	do
577
		SUB=`echo ${i:0:2}`
577
		SUB=`echo ${i:0:2}`
578
		if [ $SUB = "wl" ]
578
		if [ $SUB = "wl" ]
579
			then WIFIF=$i
579
			then WIFIF=$i
580
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
580
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
581
			then LANIF=$i
581
			then LANIF=$i
582
		fi
582
		fi
583
	done
583
	done
584
	if [ -n "$WIFIF" ]
584
	if [ -n "$WIFIF" ]
585
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
585
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
586
	elif [ -n "$LANIF" ]
586
	elif [ -n "$LANIF" ]
587
		then echo "LANIF=$LANIF" >> $CONF_FILE
587
		then echo "LANIF=$LANIF" >> $CONF_FILE
588
	fi
588
	fi
589
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
589
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
590
	if [ $IP_SETTING == "dhcp" ]
590
	if [ $IP_SETTING == "dhcp" ]
591
	then
591
	then
592
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
592
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
593
		echo "GW=dhcp" >> $CONF_FILE
593
		echo "GW=dhcp" >> $CONF_FILE
594
	else
594
	else
595
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
595
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
596
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
596
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
597
	fi
597
	fi
598
	echo "DNS1=$DNS1" >> $CONF_FILE
598
	echo "DNS1=$DNS1" >> $CONF_FILE
599
	echo "DNS2=$DNS2" >> $CONF_FILE
599
	echo "DNS2=$DNS2" >> $CONF_FILE
600
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
600
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
601
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
601
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
602
	echo "DHCP=on" >> $CONF_FILE
602
	echo "DHCP=on" >> $CONF_FILE
603
	echo "EXT_DHCP_IP=" >> $CONF_FILE
603
	echo "EXT_DHCP_IP=" >> $CONF_FILE
604
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
604
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
605
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
605
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
606
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
606
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
607
	echo "INT_DNS_IP=" >> $CONF_FILE
607
	echo "INT_DNS_IP=" >> $CONF_FILE
608
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
608
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
609
# network default
609
# network default
610
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
610
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
611
	cat <<EOF > /etc/sysconfig/network
611
	cat <<EOF > /etc/sysconfig/network
612
NETWORKING=yes
612
NETWORKING=yes
613
FORWARD_IPV4=true
613
FORWARD_IPV4=true
614
EOF
614
EOF
615
# write "/etc/hosts"
615
# write "/etc/hosts"
616
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
616
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
617
	cat <<EOF > /etc/hosts
617
	cat <<EOF > /etc/hosts
618
127.0.0.1	localhost
618
127.0.0.1	localhost
619
$PRIVATE_IP	$HOSTNAME
619
$PRIVATE_IP	$HOSTNAME
620
EOF
620
EOF
621
# write EXTIF (Internet) config
621
# write EXTIF (Internet) config
622
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
622
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
623
	if [ $IP_SETTING == "dhcp" ]
623
	if [ $IP_SETTING == "dhcp" ]
624
	then
624
	then
625
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
625
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
626
DEVICE=$EXTIF
626
DEVICE=$EXTIF
627
BOOTPROTO=dhcp
627
BOOTPROTO=dhcp
628
DNS1=127.0.0.1
628
DNS1=127.0.0.1
629
PEERDNS=no
629
PEERDNS=no
630
RESOLV_MODS=yes
630
RESOLV_MODS=yes
631
ONBOOT=yes
631
ONBOOT=yes
632
NOZEROCONF=yes
632
NOZEROCONF=yes
633
METRIC=10
633
METRIC=10
634
MII_NOT_SUPPORTED=yes
634
MII_NOT_SUPPORTED=yes
635
IPV6INIT=no
635
IPV6INIT=no
636
IPV6TO4INIT=no
636
IPV6TO4INIT=no
637
ACCOUNTING=no
637
ACCOUNTING=no
638
USERCTL=no
638
USERCTL=no
639
MTU=$MTU
639
MTU=$MTU
640
EOF
640
EOF
641
	else
641
	else
642
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
642
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
643
DEVICE=$EXTIF
643
DEVICE=$EXTIF
644
BOOTPROTO=static
644
BOOTPROTO=static
645
IPADDR=$PUBLIC_IP
645
IPADDR=$PUBLIC_IP
646
NETMASK=$PUBLIC_NETMASK
646
NETMASK=$PUBLIC_NETMASK
647
GATEWAY=$PUBLIC_GATEWAY
647
GATEWAY=$PUBLIC_GATEWAY
648
DNS1=$DNS1
648
DNS1=$DNS1
649
DNS2=$DNS2
649
DNS2=$DNS2
650
RESOLV_MODS=yes
650
RESOLV_MODS=yes
651
ONBOOT=yes
651
ONBOOT=yes
652
METRIC=10
652
METRIC=10
653
NOZEROCONF=yes
653
NOZEROCONF=yes
654
MII_NOT_SUPPORTED=yes
654
MII_NOT_SUPPORTED=yes
655
IPV6INIT=no
655
IPV6INIT=no
656
IPV6TO4INIT=no
656
IPV6TO4INIT=no
657
ACCOUNTING=no
657
ACCOUNTING=no
658
USERCTL=no
658
USERCTL=no
659
MTU=$MTU
659
MTU=$MTU
660
EOF
660
EOF
661
	fi
661
	fi
662
# write INTIF (consultation LAN) in normal mode
662
# write INTIF (consultation LAN) in normal mode
663
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
663
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
664
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
664
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
665
DEVICE=$INTIF
665
DEVICE=$INTIF
666
BOOTPROTO=static
666
BOOTPROTO=static
667
ONBOOT=yes
667
ONBOOT=yes
668
NOZEROCONF=yes
668
NOZEROCONF=yes
669
MII_NOT_SUPPORTED=yes
669
MII_NOT_SUPPORTED=yes
670
IPV6INIT=no
670
IPV6INIT=no
671
IPV6TO4INIT=no
671
IPV6TO4INIT=no
672
ACCOUNTING=no
672
ACCOUNTING=no
673
USERCTL=no
673
USERCTL=no
674
EOF
674
EOF
675
# write INTIF in bypass mode (see "alcasar-bypass.sh")
675
# write INTIF in bypass mode (see "alcasar-bypass.sh")
676
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
676
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
677
DEVICE=$INTIF
677
DEVICE=$INTIF
678
BOOTPROTO=static
678
BOOTPROTO=static
679
IPADDR=$PRIVATE_IP
679
IPADDR=$PRIVATE_IP
680
NETMASK=$PRIVATE_NETMASK
680
NETMASK=$PRIVATE_NETMASK
681
ONBOOT=yes
681
ONBOOT=yes
682
METRIC=10
682
METRIC=10
683
NOZEROCONF=yes
683
NOZEROCONF=yes
684
MII_NOT_SUPPORTED=yes
684
MII_NOT_SUPPORTED=yes
685
IPV6INIT=no
685
IPV6INIT=no
686
IPV6TO4INIT=no
686
IPV6TO4INIT=no
687
ACCOUNTING=no
687
ACCOUNTING=no
688
USERCTL=no
688
USERCTL=no
689
EOF
689
EOF
690
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
690
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
691
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
691
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
692
	then
692
	then
693
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
693
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
694
DEVICE=$WIFIF
694
DEVICE=$WIFIF
695
BOOTPROTO=static
695
BOOTPROTO=static
696
ONBOOT=yes
696
ONBOOT=yes
697
NOZEROCONF=yes
697
NOZEROCONF=yes
698
MII_NOT_SUPPORTED=yes
698
MII_NOT_SUPPORTED=yes
699
IPV6INIT=no
699
IPV6INIT=no
700
IPV6TO4INIT=no
700
IPV6TO4INIT=no
701
ACCOUNTING=no
701
ACCOUNTING=no
702
USERCTL=no
702
USERCTL=no
703
EOF
703
EOF
704
	elif [ -n "$LANIF" ]
704
	elif [ -n "$LANIF" ]
705
	then
705
	then
706
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
706
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
707
DEVICE=$LANIF
707
DEVICE=$LANIF
708
BOOTPROTO=static
708
BOOTPROTO=static
709
ONBOOT=yes
709
ONBOOT=yes
710
NOZEROCONF=yes
710
NOZEROCONF=yes
711
MII_NOT_SUPPORTED=yes
711
MII_NOT_SUPPORTED=yes
712
IPV6INIT=no
712
IPV6INIT=no
713
IPV6TO4INIT=no
713
IPV6TO4INIT=no
714
ACCOUNTING=no
714
ACCOUNTING=no
715
USERCTL=no
715
USERCTL=no
716
EOF
716
EOF
717
	fi
717
	fi
718
# write hosts.allow & hosts.deny
718
# write hosts.allow & hosts.deny
719
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
719
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
720
	cat <<EOF > /etc/hosts.allow
720
	cat <<EOF > /etc/hosts.allow
721
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
721
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
722
sshd: ALL
722
sshd: ALL
723
ntpd: $PRIVATE_NETWORK_SHORT
723
ntpd: $PRIVATE_NETWORK_SHORT
724
EOF
724
EOF
725
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
725
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
726
	cat <<EOF > /etc/hosts.deny
726
	cat <<EOF > /etc/hosts.deny
727
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
727
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
728
EOF
728
EOF
729
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
729
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
730
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
730
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
731
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
731
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
732
# load conntrack ftp module
732
# load conntrack ftp module
733
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
733
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
734
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
734
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
735
# load ipt_NETFLOW module
735
# load ipt_NETFLOW module
736
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
736
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
737
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
737
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
738
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
738
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
739
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
739
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
740
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
740
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
741
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
741
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
742
#
742
#
743
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
743
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
744
} # End of network()
744
} # End of network()
745
 
745
 
746
##################################################################
746
##################################################################
747
##                      Fonction "CA"                           ##
747
##                      Fonction "CA"                           ##
748
## - Creating the CA and the server certificate (lighttpd)      ##
748
## - Creating the CA and the server certificate (lighttpd)      ##
749
##################################################################
749
##################################################################
750
CA()
750
CA()
751
{
751
{
752
	$DIR_DEST_BIN/alcasar-CA.sh
752
	$DIR_DEST_BIN/alcasar-CA.sh
753
	chmod 755 /etc/pki/
753
	chmod 755 /etc/pki/
754
	chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
754
	chown root:apache /etc/pki/CA; chmod 750 /etc/pki/CA
755
	chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
755
	chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
756
	chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
756
	chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
757
	chmod 600 /etc/pki/CA/private/*
757
	chmod 600 /etc/pki/CA/private/*
758
	chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
758
	chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
759
	chmod 640 /etc/pki/tls/private/*
759
	chmod 640 /etc/pki/tls/private/*
760
	chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
760
	chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
761
} # End of CA()
761
} # End of CA()
762
 
762
 
763
###################################################
763
###################################################
764
##                  Function "ACC"               ##
764
##                  Function "ACC"               ##
765
## - copy ALCASAR Control Center (ACC) files     ##
765
## - copy ALCASAR Control Center (ACC) files     ##
766
## - configuration of the web server (Lighttpd)  ##
766
## - configuration of the web server (Lighttpd)  ##
767
## - creation of the first ACC admin account     ##
767
## - creation of the first ACC admin account     ##
768
## - secure the ACC access                       ##
768
## - secure the ACC access                       ##
769
###################################################
769
###################################################
770
ACC()
770
ACC()
771
{
771
{
772
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
772
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
773
	mkdir $DIR_WEB
773
	mkdir $DIR_WEB
774
# Copy & adapt ACC files
774
# Copy & adapt ACC files
775
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
775
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
776
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
776
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
777
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
777
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
778
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
778
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
779
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
779
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
780
	chown -R apache:apache $DIR_WEB/*
780
	chown -R apache:apache $DIR_WEB/*
781
# copy & adapt "freeradius-web" files
781
# copy & adapt "freeradius-web" files
782
	cp -rf $DIR_CONF/freeradius-web/ /etc/
782
	cp -rf $DIR_CONF/freeradius-web/ /etc/
783
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
783
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
784
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
784
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
785
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
785
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
786
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
786
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
787
	cat <<EOF > /etc/freeradius-web/naslist.conf
787
	cat <<EOF > /etc/freeradius-web/naslist.conf
788
nas1_name: alcasar-$ORGANISME
788
nas1_name: alcasar-$ORGANISME
789
nas1_model: Network Access Controler
789
nas1_model: Network Access Controler
790
nas1_ip: $PRIVATE_IP
790
nas1_ip: $PRIVATE_IP
791
nas1_port_num: 0
791
nas1_port_num: 0
792
nas1_community: public
792
nas1_community: public
793
EOF
793
EOF
794
	chown -R apache:apache /etc/freeradius-web/
794
	chown -R apache:apache /etc/freeradius-web/
795
# create the log & backup structure :
795
# create the log & backup structure :
796
# - base = users database
796
# - base = users database
797
# - archive = tarball of "base + http firewall + netflow"
797
# - archive = tarball of "base + http firewall + netflow"
798
# - security = watchdog log
798
# - security = watchdog log
799
# - conf_file = archive conf file (usefull in updating process)
799
# - conf_file = archive conf file (usefull in updating process)
800
	for i in base archive security activity_report iot_captures;
800
	for i in base archive security activity_report iot_captures;
801
	do
801
	do
802
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
802
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
803
	done
803
	done
804
	chown -R root:apache $DIR_SAVE
804
	chown -R root:apache $DIR_SAVE
805
# Configuring & securing php
805
# Configuring & securing php
806
	[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
806
	[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
807
	timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
807
	timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
808
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
808
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
809
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
809
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
810
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
810
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
811
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
811
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
812
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
812
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
813
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
813
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
814
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
814
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
815
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
815
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
816
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
816
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
817
# Configuring & securing Lighttpd
817
# Configuring & securing Lighttpd
818
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
818
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
819
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
819
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
820
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
820
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
821
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
821
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
822
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
822
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
823
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
823
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
824
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
824
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
825
 
825
 
826
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
826
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
827
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
827
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
828
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
828
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
829
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
829
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
830
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
830
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
831
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
831
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
832
 
832
 
833
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
833
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
834
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
834
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
835
 
835
 
836
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
836
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
837
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
837
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
838
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
838
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
839
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
839
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
840
 
840
 
841
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
841
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
842
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
842
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
843
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
843
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
844
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
844
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
845
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
845
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
846
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
846
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
847
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
847
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
848
 
848
 
849
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
849
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
850
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
850
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
851
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
851
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
852
 
852
 
853
	chown -R apache:apache /var/log/lighttpd
853
	chown -R apache:apache /var/log/lighttpd
854
 
854
 
855
# Creation of the first account (in 'admin' profile)
855
# Creation of the first account (in 'admin' profile)
856
	if [ "$mode" = "install" ]
856
	if [ "$mode" = "install" ]
857
	then
857
	then
858
		header_install
858
		header_install
859
# Creation of keys file for the admin account ("admin")
859
# Creation of keys file for the admin account ("admin")
860
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
860
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
861
		mkdir -p $DIR_DEST_ETC/digest
861
		mkdir -p $DIR_DEST_ETC/digest
862
		chmod 755 $DIR_DEST_ETC/digest
862
		chmod 755 $DIR_DEST_ETC/digest
863
		if [ $Lang == "fr" ]
863
		if [ $Lang == "fr" ]
864
			then echo "Création du premier compte administrateur : "
864
			then echo "Création du premier compte administrateur : "
865
			else echo "Creation of the first admin account : "
865
			else echo "Creation of the first admin account : "
866
		fi
866
		fi
867
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
867
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
868
		do
868
		do
869
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
869
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
870
		done
870
		done
871
	fi
871
	fi
872
# Creation of ACC certs links
872
# Creation of ACC certs links
873
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
873
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
874
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
874
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
875
# Run lighttpd after coova (in order waiting tun0 to be up)
875
# Run lighttpd after coova (in order waiting tun0 to be up)
876
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
876
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
877
	# Log file for ACC access imputability
877
	# Log file for ACC access imputability
878
	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
878
	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
879
	chown root:apache $DIR_SAVE/security/acc_access.log
879
	chown root:apache $DIR_SAVE/security/acc_access.log
880
	chmod 664 $DIR_SAVE/security/acc_access.log
880
	chmod 664 $DIR_SAVE/security/acc_access.log
-
 
881
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
-
 
882
    cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
881
} # End of ACC()
883
} # End of ACC()
882
 
884
 
883
#############################################################
885
#############################################################
884
##               Function "time_server"                    ##
886
##               Function "time_server"                    ##
885
## - Configuring NTP server                                ##
887
## - Configuring NTP server                                ##
886
#############################################################
888
#############################################################
887
time_server()
889
time_server()
888
{
890
{
889
# Set the Internet time server
891
# Set the Internet time server
890
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
892
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
891
	cat <<EOF > /etc/ntp/step-tickers
893
	cat <<EOF > /etc/ntp/step-tickers
892
0.fr.pool.ntp.org	# adapt to your country
894
0.fr.pool.ntp.org	# adapt to your country
893
1.fr.pool.ntp.org
895
1.fr.pool.ntp.org
894
2.fr.pool.ntp.org
896
2.fr.pool.ntp.org
895
EOF
897
EOF
896
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
898
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
897
	cat <<EOF > /etc/ntp.conf
899
	cat <<EOF > /etc/ntp.conf
898
server 0.fr.pool.ntp.org	# adapt to your country
900
server 0.fr.pool.ntp.org	# adapt to your country
899
server 1.fr.pool.ntp.org
901
server 1.fr.pool.ntp.org
900
server 2.fr.pool.ntp.org
902
server 2.fr.pool.ntp.org
901
server 127.127.1.0   		# local clock si NTP internet indisponible ...
903
server 127.127.1.0   		# local clock si NTP internet indisponible ...
902
fudge 127.127.1.0 stratum 10
904
fudge 127.127.1.0 stratum 10
903
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
905
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
904
restrict 127.0.0.1
906
restrict 127.0.0.1
905
driftfile /var/lib/ntp/drift
907
driftfile /var/lib/ntp/drift
906
logfile /var/log/ntp.log
908
logfile /var/log/ntp.log
907
disable monitor
909
disable monitor
908
EOF
910
EOF
909
	chown -R ntp:ntp /var/lib/ntp
911
	chown -R ntp:ntp /var/lib/ntp
910
# Synchronize now
912
# Synchronize now
911
	ntpd -4 -q -g &
913
	ntpd -4 -q -g &
912
} # End of time_server()
914
} # End of time_server()
913
 
915
 
914
#####################################################################
916
#####################################################################
915
##                     Function "init_db"                          ##
917
##                     Function "init_db"                          ##
916
## - Mysql initialization                                          ##
918
## - Mysql initialization                                          ##
917
## - Set admin (root) password                                     ##
919
## - Set admin (root) password                                     ##
918
## - Remove unused users & databases                               ##
920
## - Remove unused users & databases                               ##
919
## - Radius database creation                                      ##
921
## - Radius database creation                                      ##
920
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
922
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
921
#####################################################################
923
#####################################################################
922
init_db()
924
init_db()
923
{
925
{
924
	if [ "`systemctl is-active mysqld`" == "active" ]
926
	if [ "`systemctl is-active mysqld`" == "active" ]
925
	then
927
	then
926
		systemctl stop mysqld
928
		systemctl stop mysqld
927
	fi
929
	fi
928
	rm -rf /var/lib/mysql # to be sure that there is no former installation
930
	rm -rf /var/lib/mysql # to be sure that there is no former installation
929
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
931
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
930
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
932
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
931
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
933
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
932
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
934
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
933
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
935
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
934
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
936
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
935
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
937
	[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
936
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
938
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
937
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
939
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
938
	/usr/bin/systemctl start mysqld
940
	/usr/bin/systemctl start mysqld
939
	nb_round=1
941
	nb_round=1
940
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
942
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
941
	do
943
	do
942
		nb_round=`expr $nb_round + 1`
944
		nb_round=`expr $nb_round + 1`
943
		sleep 2
945
		sleep 2
944
	done
946
	done
945
	if [ ! -S /var/lib/mysql/mysql.sock ]
947
	if [ ! -S /var/lib/mysql/mysql.sock ]
946
	then
948
	then
947
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
949
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
948
		exit
950
		exit
949
	fi
951
	fi
950
# Secure the server
952
# Secure the server
951
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
953
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
952
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
954
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
953
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
955
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
954
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
956
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
955
# Create 'radius' database
957
# Create 'radius' database
956
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
958
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
957
# Add an empty radius database structure
959
# Add an empty radius database structure
958
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
960
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
959
# modify the start script in order to close accounting connexion when the system is comming down or up
961
# modify the start script in order to close accounting connexion when the system is comming down or up
960
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
962
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
961
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
963
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
962
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
964
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
963
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
965
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
964
	/usr/bin/systemctl daemon-reload
966
	/usr/bin/systemctl daemon-reload
965
} # End of init_db()
967
} # End of init_db()
966
 
968
 
967
###################################################################
969
###################################################################
968
##                       Function "freeradius"                   ##
970
##                       Function "freeradius"                   ##
969
## - Set the configuration files                                 ##
971
## - Set the configuration files                                 ##
970
## - Set the shared secret between coova-chilli and freeradius   ##
972
## - Set the shared secret between coova-chilli and freeradius   ##
971
## - Adapt the Mysql conf file and counters                      ##
973
## - Adapt the Mysql conf file and counters                      ##
972
###################################################################
974
###################################################################
973
freeradius()
975
freeradius()
974
{
976
{
975
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
977
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
976
	chown -R radius:radius /etc/raddb
978
	chown -R radius:radius /etc/raddb
977
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
979
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
978
# Set radius global parameters (radius.conf)
980
# Set radius global parameters (radius.conf)
979
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
981
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
980
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
982
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
981
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
983
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
982
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
984
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
983
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
985
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
984
# Add ALCASAR & Coovachilli dictionaries
986
# Add ALCASAR & Coovachilli dictionaries
985
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
987
	[ -e /etc/raddb/dictionary.default ] || cp /etc/raddb/dictionary /etc/raddb/dictionary.default
986
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
988
	cp $DIR_CONF/radius/dictionary.alcasar /etc/raddb/
987
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
989
	echo '$INCLUDE dictionary.alcasar' > /etc/raddb/dictionary
988
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
990
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /etc/raddb/
989
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
991
	echo '$INCLUDE dictionary.coovachilli' >> /etc/raddb/dictionary
990
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
992
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
991
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
993
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
992
	cat << EOF > /etc/raddb/clients.conf
994
	cat << EOF > /etc/raddb/clients.conf
993
client localhost {
995
client localhost {
994
	ipaddr = 127.0.0.1
996
	ipaddr = 127.0.0.1
995
	secret = $secretradius
997
	secret = $secretradius
996
	shortname = chilli
998
	shortname = chilli
997
	nas_type = other
999
	nas_type = other
998
}
1000
}
999
EOF
1001
EOF
1000
# Set Virtual server
1002
# Set Virtual server
1001
    # Remvoveing all except "alcasar virtual site")
1003
    # Remvoveing all except "alcasar virtual site")
1002
	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1004
	# INFO : To enable 802.1X, add the "innser-tunnel" virtual server (link in sites-enabled)  Change the firewall rules to allow "radius" extern connections.
1003
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1005
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1004
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1006
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1005
	chown radius:apache /etc/raddb/sites-available/alcasar*
1007
	chown radius:apache /etc/raddb/sites-available/alcasar*
1006
	chmod 660 /etc/raddb/sites-available/alcasar*
1008
	chmod 660 /etc/raddb/sites-available/alcasar*
1007
	rm -f /etc/raddb/sites-enabled/*
1009
	rm -f /etc/raddb/sites-enabled/*
1008
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1010
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1009
# Set modules
1011
# Set modules
1010
	# Add custom LDAP "available module"
1012
	# Add custom LDAP "available module"
1011
	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1013
	# INFO : To enable 802.1X, add the "eap" module and verify access to the keys (/etc/pki/tls/private/radius.pem). Change the firewall rules to allow "radius" extern connections.
1012
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1014
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1013
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1015
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1014
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1016
	# Set only usefull modules for ALCASAR (! the module 'ldap-alcasar' is enabled only via ACC)
1015
	rm -rf  /etc/raddb/mods-enabled/*
1017
	rm -rf  /etc/raddb/mods-enabled/*
1016
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1018
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1017
	do
1019
	do
1018
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1020
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1019
	done
1021
	done
1020
# Configure SQL module
1022
# Configure SQL module
1021
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1023
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1022
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1024
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1023
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1025
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1024
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1026
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1025
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1027
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1026
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1028
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1027
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1029
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1028
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1030
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1029
	# no TLS encryption on 127.0.0.1
1031
	# no TLS encryption on 127.0.0.1
1030
	$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1032
	$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
1031
	$SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
1032
	$SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1035
	$SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1036
	$SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
1035
	$SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1037
	$SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
1036
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1038
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1037
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1039
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1038
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1040
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1039
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1041
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1040
# sqlcounter modifications
1042
# sqlcounter modifications
1041
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1043
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1042
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1044
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1043
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1045
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1044
# make certain that mysql is up before freeradius start
1046
# make certain that mysql is up before freeradius start
1045
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1047
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1046
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1048
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1047
	/usr/bin/systemctl daemon-reload
1049
	/usr/bin/systemctl daemon-reload
1048
# Allow apache to change some conf files (ie : ldap on/off)
1050
# Allow apache to change some conf files (ie : ldap on/off)
1049
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1051
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1050
	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1052
	chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1051
} # End of freeradius()
1053
} # End of freeradius()
1052
 
1054
 
1053
#############################################################################
1055
#############################################################################
1054
##                           Function "chilli"                             ##
1056
##                           Function "chilli"                             ##
1055
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1057
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1056
## - Adapt the authentication web page (intercept.php)                     ##
1058
## - Adapt the authentication web page (intercept.php)                     ##
1057
#############################################################################
1059
#############################################################################
1058
chilli()
1060
chilli()
1059
{
1061
{
1060
# chilli unit for systemd
1062
# chilli unit for systemd
1061
	cat << EOF > /lib/systemd/system/chilli.service
1063
	cat << EOF > /lib/systemd/system/chilli.service
1062
#  This file is part of systemd.
1064
#  This file is part of systemd.
1063
#
1065
#
1064
#  systemd is free software; you can redistribute it and/or modify it
1066
#  systemd is free software; you can redistribute it and/or modify it
1065
#  under the terms of the GNU General Public License as published by
1067
#  under the terms of the GNU General Public License as published by
1066
#  the Free Software Foundation; either version 2 of the License, or
1068
#  the Free Software Foundation; either version 2 of the License, or
1067
#  (at your option) any later version.
1069
#  (at your option) any later version.
1068
 
1070
 
1069
# This unit launches coova-chilli a captive portal
1071
# This unit launches coova-chilli a captive portal
1070
[Unit]
1072
[Unit]
1071
Description=chilli is a captive portal daemon
1073
Description=chilli is a captive portal daemon
1072
After=network.target
1074
After=network.target
1073
 
1075
 
1074
[Service]
1076
[Service]
1075
Type=forking
1077
Type=forking
1076
ExecStart=/usr/libexec/chilli start
1078
ExecStart=/usr/libexec/chilli start
1077
ExecStop=/usr/libexec/chilli stop
1079
ExecStop=/usr/libexec/chilli stop
1078
ExecReload=/usr/libexec/chilli reload
1080
ExecReload=/usr/libexec/chilli reload
1079
PIDFile=/run/chilli.pid
1081
PIDFile=/run/chilli.pid
1080
 
1082
 
1081
[Install]
1083
[Install]
1082
WantedBy=multi-user.target
1084
WantedBy=multi-user.target
1083
EOF
1085
EOF
1084
# init file creation
1086
# init file creation
1085
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1087
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1086
	cat <<EOF > /etc/init.d/chilli
1088
	cat <<EOF > /etc/init.d/chilli
1087
#!/bin/sh
1089
#!/bin/sh
1088
#
1090
#
1089
# chilli CoovaChilli init
1091
# chilli CoovaChilli init
1090
#
1092
#
1091
# chkconfig: 2345 65 35
1093
# chkconfig: 2345 65 35
1092
# description: CoovaChilli
1094
# description: CoovaChilli
1093
### BEGIN INIT INFO
1095
### BEGIN INIT INFO
1094
# Provides:       chilli
1096
# Provides:       chilli
1095
# Required-Start: network
1097
# Required-Start: network
1096
# Should-Start:
1098
# Should-Start:
1097
# Required-Stop:  network
1099
# Required-Stop:  network
1098
# Should-Stop:
1100
# Should-Stop:
1099
# Default-Start:  2 3 5
1101
# Default-Start:  2 3 5
1100
# Default-Stop:
1102
# Default-Stop:
1101
# Description:    CoovaChilli access controller
1103
# Description:    CoovaChilli access controller
1102
### END INIT INFO
1104
### END INIT INFO
1103
 
1105
 
1104
[ -f /usr/sbin/chilli ] || exit 0
1106
[ -f /usr/sbin/chilli ] || exit 0
1105
. /etc/init.d/functions
1107
. /etc/init.d/functions
1106
CONFIG=/etc/chilli.conf
1108
CONFIG=/etc/chilli.conf
1107
pidfile=/run/chilli.pid
1109
pidfile=/run/chilli.pid
1108
[ -f \$CONFIG ] || {
1110
[ -f \$CONFIG ] || {
1109
	echo "\$CONFIG Not found"
1111
	echo "\$CONFIG Not found"
1110
	exit 0
1112
	exit 0
1111
}
1113
}
1112
current_users_file="/tmp/current_users.txt"	# file containing active users
1114
current_users_file="/tmp/current_users.txt"	# file containing active users
1113
RETVAL=0
1115
RETVAL=0
1114
prog="chilli"
1116
prog="chilli"
1115
case \$1 in
1117
case \$1 in
1116
	start)
1118
	start)
1117
		if [ -f \$pidfile ] ; then
1119
		if [ -f \$pidfile ] ; then
1118
			gprintf "chilli is already running"
1120
			gprintf "chilli is already running"
1119
		else
1121
		else
1120
			gprintf "Starting \$prog: "
1122
			gprintf "Starting \$prog: "
1121
			echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file
1123
			echo '' > \$current_users_file && chown root:apache \$current_users_file && chmod 660 \$current_users_file
1122
			rm -f /run/chilli* # cleaning
1124
			rm -f /run/chilli* # cleaning
1123
			/usr/sbin/modprobe tun >/dev/null 2>&1
1125
			/usr/sbin/modprobe tun >/dev/null 2>&1
1124
			echo 1 > /proc/sys/net/ipv4/ip_forward
1126
			echo 1 > /proc/sys/net/ipv4/ip_forward
1125
			[ -e /dev/net/tun ] || {
1127
			[ -e /dev/net/tun ] || {
1126
				(cd /dev;
1128
				(cd /dev;
1127
				mkdir net;
1129
				mkdir net;
1128
				cd net;
1130
				cd net;
1129
				mknod tun c 10 200)
1131
				mknod tun c 10 200)
1130
			}
1132
			}
1131
			ifconfig $INTIF 0.0.0.0
1133
			ifconfig $INTIF 0.0.0.0
1132
			/usr/sbin/ethtool -K $INTIF gro off
1134
			/usr/sbin/ethtool -K $INTIF gro off
1133
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1135
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1134
			RETVAL=\$?
1136
			RETVAL=\$?
1135
		fi
1137
		fi
1136
		;;
1138
		;;
1137
 
1139
 
1138
	reload)
1140
	reload)
1139
		killall -HUP chilli
1141
		killall -HUP chilli
1140
		;;
1142
		;;
1141
 
1143
 
1142
	restart)
1144
	restart)
1143
		\$0 stop
1145
		\$0 stop
1144
		sleep 2
1146
		sleep 2
1145
		\$0 start
1147
		\$0 start
1146
		;;
1148
		;;
1147
 
1149
 
1148
	status)
1150
	status)
1149
		status chilli
1151
		status chilli
1150
		RETVAL=0
1152
		RETVAL=0
1151
		;;
1153
		;;
1152
 
1154
 
1153
	stop)
1155
	stop)
1154
		if [ -f \$pidfile ] ; then
1156
		if [ -f \$pidfile ] ; then
1155
			gprintf "Shutting down \$prog: "
1157
			gprintf "Shutting down \$prog: "
1156
			killproc /usr/sbin/chilli
1158
			killproc /usr/sbin/chilli
1157
			RETVAL=\$?
1159
			RETVAL=\$?
1158
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1160
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1159
			[ -e \$current_users_file ] && rm -f \$current_users_file
1161
			[ -e \$current_users_file ] && rm -f \$current_users_file
1160
		else
1162
		else
1161
			gprintf "chilli is not running"
1163
			gprintf "chilli is not running"
1162
		fi
1164
		fi
1163
		;;
1165
		;;
1164
 
1166
 
1165
	*)
1167
	*)
1166
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1168
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1167
		exit 1
1169
		exit 1
1168
esac
1170
esac
1169
echo
1171
echo
1170
EOF
1172
EOF
1171
	chmod a+x /etc/init.d/chilli
1173
	chmod a+x /etc/init.d/chilli
1172
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1174
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1173
# conf file creation
1175
# conf file creation
1174
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1176
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1175
	#NTP Option configuration for DHCP
1177
	#NTP Option configuration for DHCP
1176
	#DHCP Options : rfc2132
1178
	#DHCP Options : rfc2132
1177
		#dhcp option value will be convert in hexa.
1179
		#dhcp option value will be convert in hexa.
1178
		#NTP option (or 'option 42') is like :
1180
		#NTP option (or 'option 42') is like :
1179
		#
1181
		#
1180
		#    Code   Len         Address 1               Address 2
1182
		#    Code   Len         Address 1               Address 2
1181
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1183
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1182
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1184
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1183
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1185
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1184
		#
1186
		#
1185
		#Code : 42 => 2a
1187
		#Code : 42 => 2a
1186
		#Len : 4 => 04
1188
		#Len : 4 => 04
1187
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1189
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1188
	cat <<EOF > /etc/chilli.conf
1190
	cat <<EOF > /etc/chilli.conf
1189
# coova config for ALCASAR
1191
# coova config for ALCASAR
1190
cmdsocket	/run/chilli.sock
1192
cmdsocket	/run/chilli.sock
1191
unixipc		chilli.$INTIF.ipc
1193
unixipc		chilli.$INTIF.ipc
1192
pidfile		/run/chilli.pid
1194
pidfile		/run/chilli.pid
1193
net		$PRIVATE_NETWORK_MASK
1195
net		$PRIVATE_NETWORK_MASK
1194
dhcpif		$INTIF
1196
dhcpif		$INTIF
1195
ethers		$DIR_DEST_ETC/alcasar-ethers
1197
ethers		$DIR_DEST_ETC/alcasar-ethers
1196
#nodynip
1198
#nodynip
1197
#statip
1199
#statip
1198
dynip		$PRIVATE_NETWORK_MASK
1200
dynip		$PRIVATE_NETWORK_MASK
1199
domain		$DOMAIN
1201
domain		$DOMAIN
1200
dns1		$PRIVATE_IP
1202
dns1		$PRIVATE_IP
1201
dns2		$PRIVATE_IP
1203
dns2		$PRIVATE_IP
1202
uamlisten	$PRIVATE_IP
1204
uamlisten	$PRIVATE_IP
1203
uamport		3990
1205
uamport		3990
1204
uamuiport	3991
1206
uamuiport	3991
1205
macauth
1207
macauth
1206
macpasswd	password
1208
macpasswd	password
1207
strictmacauth
1209
strictmacauth
1208
locationname	$HOSTNAME.$DOMAIN
1210
locationname	$HOSTNAME.$DOMAIN
1209
radiusserver1	127.0.0.1
1211
radiusserver1	127.0.0.1
1210
radiusserver2	127.0.0.1
1212
radiusserver2	127.0.0.1
1211
radiussecret	$secretradius
1213
radiussecret	$secretradius
1212
radiusauthport	1812
1214
radiusauthport	1812
1213
radiusacctport	1813
1215
radiusacctport	1813
1214
uamserver	http://$HOSTNAME.$DOMAIN/intercept.php
1216
uamserver	http://$HOSTNAME.$DOMAIN/intercept.php
1215
redirurl
1217
redirurl
1216
radiusnasid	$HOSTNAME.$DOMAIN
1218
radiusnasid	$HOSTNAME.$DOMAIN
1217
uamsecret	$secretuam
1219
uamsecret	$secretuam
1218
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1220
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1219
coaport		3799
1221
coaport		3799
1220
conup		$DIR_DEST_BIN/alcasar-conup.sh
1222
conup		$DIR_DEST_BIN/alcasar-conup.sh
1221
condown		$DIR_DEST_BIN/alcasar-condown.sh
1223
condown		$DIR_DEST_BIN/alcasar-condown.sh
1222
macup		$DIR_DEST_BIN/alcasar-macup.sh
1224
macup		$DIR_DEST_BIN/alcasar-macup.sh
1223
include		$DIR_DEST_ETC/alcasar-uamallowed
1225
include		$DIR_DEST_ETC/alcasar-uamallowed
1224
include		$DIR_DEST_ETC/alcasar-uamdomain
1226
include		$DIR_DEST_ETC/alcasar-uamdomain
1225
dhcpopt		2a04$PRIVATE_IP_HEXA
1227
dhcpopt		2a04$PRIVATE_IP_HEXA
1226
#dhcpgateway		none
1228
#dhcpgateway		none
1227
#dhcprelayagent		none
1229
#dhcprelayagent		none
1228
#dhcpgatewayport	none
1230
#dhcpgatewayport	none
1229
sslkeyfile	/etc/pki/tls/private/alcasar.key
1231
sslkeyfile	/etc/pki/tls/private/alcasar.key
1230
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1232
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1231
#redirssl
1233
#redirssl
1232
#uamuissl
1234
#uamuissl
1233
EOF
1235
EOF
1234
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1236
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1235
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1237
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1236
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1238
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1237
# create files for trusted domains and urls
1239
# create files for trusted domains and urls
1238
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1240
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1239
	chown root:apache $DIR_DEST_ETC/alcasar-*
1241
	chown root:apache $DIR_DEST_ETC/alcasar-*
1240
	chmod 660 $DIR_DEST_ETC/alcasar-*
1242
	chmod 660 $DIR_DEST_ETC/alcasar-*
1241
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1243
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1242
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1244
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1243
# user 'chilli' creation (in order to run conup/off and up/down scripts
1245
# user 'chilli' creation (in order to run conup/off and up/down scripts
1244
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1246
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1245
	if [ "$chilli_exist" == "1" ]
1247
	if [ "$chilli_exist" == "1" ]
1246
	then
1248
	then
1247
		userdel -r chilli 2>/dev/null
1249
		userdel -r chilli 2>/dev/null
1248
	fi
1250
	fi
1249
	groupadd -f chilli
1251
	groupadd -f chilli
1250
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1252
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1251
}  # End of chilli()
1253
}  # End of chilli()
1252
 
1254
 
1253
################################################################
1255
################################################################
1254
##                   Function "e2guardian"                    ##
1256
##                   Function "e2guardian"                    ##
1255
## - Set the parameters of this HTML proxy (as controler)     ##
1257
## - Set the parameters of this HTML proxy (as controler)     ##
1256
################################################################
1258
################################################################
1257
e2guardian()
1259
e2guardian()
1258
{
1260
{
1259
# Adapt systemd unit
1261
# Adapt systemd unit
1260
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1262
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1261
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1263
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1262
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1264
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1263
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1265
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1264
# Adapt the main conf file
1266
# Adapt the main conf file
1265
# French deny HTML page
1267
# French deny HTML page
1266
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1268
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1267
# 2 filtergroups (8080 & 8090)
1269
# 2 filtergroups (8080 & 8090)
1268
	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
1270
	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
1269
# Listen on 8080 (HTTP for BL users) only on LAN side
1271
# Listen on 8080 (HTTP for BL users) only on LAN side
1270
	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1272
	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1271
	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1273
	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1272
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
1274
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
1273
	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
1275
	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
1274
	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
1276
	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
1275
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
1277
# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
1276
	$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1278
	$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1277
# Don't log
1279
# Don't log
1278
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1280
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1279
# Disable HTML content control (weighted & banned)
1281
# Disable HTML content control (weighted & banned)
1280
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1282
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1281
# Enable authport plugin
1283
# Enable authport plugin
1282
	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
1284
	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
1283
	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
1285
	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
1284
# Enable clamd scanner
1286
# Enable clamd scanner
1285
	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
1287
	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
1286
 
1288
 
1287
# Adapt the first group conf file
1289
# Adapt the first group conf file
1288
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1290
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1289
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1291
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1290
	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
1292
	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
1291
	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
1293
	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
1292
 
1294
 
1293
# copy & adapt HTML templates
1295
# copy & adapt HTML templates
1294
	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1296
	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
1295
	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1297
	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1296
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
1298
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
1297
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1299
	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
1298
 
1300
 
1299
###### ALCASAR special filtering ####
1301
###### ALCASAR special filtering ####
1300
# RAZ bannedphraselist
1302
# RAZ bannedphraselist
1301
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1303
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1302
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1304
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1303
# Disable URL control with regex
1305
# Disable URL control with regex
1304
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1306
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1305
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1307
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1306
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1308
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1307
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1309
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1308
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1310
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1309
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1311
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1310
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1312
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1311
# Dont filtering files by extension or mime-type (empty list)
1313
# Dont filtering files by extension or mime-type (empty list)
1312
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1314
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1313
	touch $DIR_DG/lists/bannedextensionlist
1315
	touch $DIR_DG/lists/bannedextensionlist
1314
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1316
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1315
	touch $DIR_DG/lists/bannedmimetypelist
1317
	touch $DIR_DG/lists/bannedmimetypelist
1316
# Empty LAN IP list that won't be WEB filtered
1318
# Empty LAN IP list that won't be WEB filtered
1317
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1319
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1318
	touch $DIR_DG/lists/exceptioniplist
1320
	touch $DIR_DG/lists/exceptioniplist
1319
# Creation of ALCASAR banned site list
1321
# Creation of ALCASAR banned site list
1320
	[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
1322
	[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
1321
	cat <<EOF > $DIR_DG/lists/greysitelist
1323
	cat <<EOF > $DIR_DG/lists/greysitelist
1322
# E2guardian filter config for ALCASAR
1324
# E2guardian filter config for ALCASAR
1323
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1325
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1324
# block all SSL and CONNECT tunnels
1326
# block all SSL and CONNECT tunnels
1325
**s
1327
**s
1326
# block all SSL and CONNECT tunnels specified only as an IP
1328
# block all SSL and CONNECT tunnels specified only as an IP
1327
*ips
1329
*ips
1328
# block all sites specified only by an IP
1330
# block all sites specified only by an IP
1329
*ip
1331
*ip
1330
EOF
1332
EOF
1331
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1333
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1332
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1334
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1333
	cat <<EOF > $DIR_DG/lists/bannedurllist
1335
	cat <<EOF > $DIR_DG/lists/bannedurllist
1334
# E2guardian filter config for ALCASAR
1336
# E2guardian filter config for ALCASAR
1335
EOF
1337
EOF
1336
# Creation of files for rehabilited domains and urls
1338
# Creation of files for rehabilited domains and urls
1337
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1339
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1338
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1340
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1339
	touch $DIR_DG/lists/exceptionsitelist
1341
	touch $DIR_DG/lists/exceptionsitelist
1340
	touch $DIR_DG/lists/exceptionurllist
1342
	touch $DIR_DG/lists/exceptionurllist
1341
# Add Bing to the safesearch url regext list (parental control)
1343
# Add Bing to the safesearch url regext list (parental control)
1342
	[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1344
	[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1343
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1345
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1344
 
1346
 
1345
# Bing - add 'adlt=strict'
1347
# Bing - add 'adlt=strict'
1346
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1348
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1347
EOF
1349
EOF
1348
# 'Safesearch' regex actualisation
1350
# 'Safesearch' regex actualisation
1349
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1351
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1350
# change the google safesearch ("safe=strict" instead of "safe=vss")
1352
# change the google safesearch ("safe=strict" instead of "safe=vss")
1351
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1353
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1352
 
1354
 
1353
# Create & adapt the second group conf file (av + av_wl)
1355
# Create & adapt the second group conf file (av + av_wl)
1354
	cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
1356
	cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
1355
	$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
1357
	$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
1356
	$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
1358
	$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
1357
	$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
1359
	$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
1358
 
1360
 
1359
# create log folder
1361
# create log folder
1360
    mkdir -p /var/log/e2guardian
1362
    mkdir -p /var/log/e2guardian
1361
	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1363
	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1362
} # End of e2guardian()
1364
} # End of e2guardian()
1363
 
1365
 
1364
##################################################################
1366
##################################################################
1365
##                     Function "antivirus"                     ##
1367
##                     Function "antivirus"                     ##
1366
## - Set the parameters of clamav and freshclam                 ##
1368
## - Set the parameters of clamav and freshclam                 ##
1367
##################################################################
1369
##################################################################
1368
antivirus()
1370
antivirus()
1369
{
1371
{
1370
# Clamd adaptation to e2guardian
1372
# Clamd adaptation to e2guardian
1371
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
1373
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
1372
	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1374
	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1373
	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1375
	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
1374
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
1376
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
1375
	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1377
	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1376
	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1378
	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
1377
	
1379
	
1378
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
1380
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
1379
	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
1381
	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
1380
	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1382
	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1381
	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
1383
	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
1382
	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
1384
	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
1383
	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
1385
	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
1384
	$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
1386
	$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
1385
	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
1387
	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
1386
	chmod 775 /var/log/clamav /var/lib/clamav
1388
	chmod 775 /var/log/clamav /var/lib/clamav
1387
	chmod 664 /var/log/clamav/*
1389
	chmod 664 /var/log/clamav/*
1388
# update virus database every 4 hours (24h/6)
1390
# update virus database every 4 hours (24h/6)
1389
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1391
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1390
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1392
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1391
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1393
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1392
	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
1394
	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
1393
	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1395
	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1394
	$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1396
	$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1395
# update now
1397
# update now
1396
	/usr/bin/freshclam --no-warnings --quiet
1398
	/usr/bin/freshclam --no-warnings --quiet
1397
} # End of antivirus()
1399
} # End of antivirus()
1398
 
1400
 
1399
##############################################################
1401
##############################################################
1400
##                            function "ulogd"              ##
1402
##                            function "ulogd"              ##
1401
## - Ulog config for multi-log files                        ##
1403
## - Ulog config for multi-log files                        ##
1402
##############################################################
1404
##############################################################
1403
ulogd()
1405
ulogd()
1404
{
1406
{
1405
# Three instances of ulogd (three different logfiles)
1407
# Three instances of ulogd (three different logfiles)
1406
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1408
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1407
	nl=1
1409
	nl=1
1408
	for log_type in traceability ssh ext-access
1410
	for log_type in traceability ssh ext-access
1409
	do
1411
	do
1410
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1412
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1411
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1413
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1412
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1414
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1413
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1415
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1414
		cat << EOF >> /etc/ulogd-$log_type.conf
1416
		cat << EOF >> /etc/ulogd-$log_type.conf
1415
[emu1]
1417
[emu1]
1416
file="/var/log/firewall/$log_type.log"
1418
file="/var/log/firewall/$log_type.log"
1417
sync=1
1419
sync=1
1418
EOF
1420
EOF
1419
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1421
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1420
		nl=`expr $nl + 1`
1422
		nl=`expr $nl + 1`
1421
	done
1423
	done
1422
	chown -R root:apache /var/log/firewall
1424
	chown -R root:apache /var/log/firewall
1423
	chmod 750 /var/log/firewall
1425
	chmod 750 /var/log/firewall
1424
	chmod 640 /var/log/firewall/*
1426
	chmod 640 /var/log/firewall/*
1425
}  # End of ulogd()
1427
}  # End of ulogd()
1426
 
1428
 
1427
##########################################################
1429
##########################################################
1428
##                    Function "nfsen"                  ##
1430
##                    Function "nfsen"                  ##
1429
## - configure NetFlow collector (nfcapd)               ##
1431
## - configure NetFlow collector (nfcapd)               ##
1430
## - configure NetFlow grapher (nfsen-ng)               ##
1432
## - configure NetFlow grapher (nfsen-ng)               ##
1431
##########################################################
1433
##########################################################
1432
nfsen()
1434
nfsen()
1433
{
1435
{
1434
	groupadd -f nfcapd
1436
	groupadd -f nfcapd
1435
	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
1437
	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
1436
# nfcapd unit for systemd
1438
# nfcapd unit for systemd
1437
	cat << EOF > /lib/systemd/system/nfcapd.service
1439
	cat << EOF > /lib/systemd/system/nfcapd.service
1438
#  This file is part of systemd.
1440
#  This file is part of systemd.
1439
#
1441
#
1440
#  systemd is free software; you can redistribute it and/or modify it
1442
#  systemd is free software; you can redistribute it and/or modify it
1441
#  under the terms of the GNU General Public License as published by
1443
#  under the terms of the GNU General Public License as published by
1442
#  the Free Software Foundation; either version 2 of the License, or
1444
#  the Free Software Foundation; either version 2 of the License, or
1443
#  (at your option) any later version.
1445
#  (at your option) any later version.
1444
 
1446
 
1445
# This unit launches nfcapd (a Netflow collector).
1447
# This unit launches nfcapd (a Netflow collector).
1446
[Unit]
1448
[Unit]
1447
Description=Netflow Capture Daemon
1449
Description=Netflow Capture Daemon
1448
After=network-online.target iptables.service
1450
After=network-online.target iptables.service
1449
 
1451
 
1450
[Service]
1452
[Service]
1451
Type=exec
1453
Type=exec
1452
ExecStartPre=/bin/mkdir -p /run/nfcapd
1454
ExecStartPre=/bin/mkdir -p /run/nfcapd
1453
ExecStartPre=/bin/chown nfcapd:nfcapd /run/nfcapd
1455
ExecStartPre=/bin/chown nfcapd:nfcapd /run/nfcapd
1454
PIDFile=/run/nfcapd/nfcapd.pid
1456
PIDFile=/run/nfcapd/nfcapd.pid
1455
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profiles-data/live/alcasar_netflow
1457
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profiles-data/live/alcasar_netflow
1456
ExecReload=/bin/kill -HUP $MAINPID
1458
ExecReload=/bin/kill -HUP $MAINPID
1457
 
1459
 
1458
[Install]
1460
[Install]
1459
WantedBy=multi-user.target
1461
WantedBy=multi-user.target
1460
EOF
1462
EOF
1461
    [ -d /var/log/nfsen/profiles-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profiles-data/live/alcasar_netflow
1463
    [ -d /var/log/nfsen/profiles-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profiles-data/live/alcasar_netflow
1462
    [ -d /run/nfcapd ] || mkdir -p /run/nfcapd
1464
    [ -d /run/nfcapd ] || mkdir -p /run/nfcapd
1463
    chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
1465
    chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
1464
} # End of nfsen()
1466
} # End of nfsen()
1465
 
1467
 
1466
###########################################################
1468
###########################################################
1467
##                     Function "vnstat"                 ##
1469
##                     Function "vnstat"                 ##
1468
## - Initialization of vnstat and vnstat-dashboard       ##
1470
## - Initialization of vnstat and vnstat-dashboard       ##
1469
###########################################################
1471
###########################################################
1470
vnstat()
1472
vnstat()
1471
{
1473
{
1472
    # vnstat
1474
    # vnstat
1473
    [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1475
    [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1474
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1476
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1475
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1477
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1476
    # vnstat-dashboard
1478
    # vnstat-dashboard
1477
    $SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
1479
    $SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
1478
	[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
1480
	[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
1479
    $SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
1481
    $SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
1480
} # End of vnstat()
1482
} # End of vnstat()
1481
 
1483
 
1482
###################################################################
1484
###################################################################
1483
##                     Function "dnsmasq"                        ##
1485
##                     Function "dnsmasq"                        ##
1484
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1486
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1485
###################################################################
1487
###################################################################
1486
dnsmasq()
1488
dnsmasq()
1487
{
1489
{
1488
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1490
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1489
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1491
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1490
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1492
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1491
	cat << EOF > /etc/dnsmasq-whitelist.conf
1493
	cat << EOF > /etc/dnsmasq-whitelist.conf
1492
# Configuration file for "dnsmasq with whitelist"
1494
# Configuration file for "dnsmasq with whitelist"
1493
# ADD Toulouse university whitelist domains
1495
# ADD Toulouse university whitelist domains
1494
pid-file=/run/dnsmasq-whitelist.pid
1496
pid-file=/run/dnsmasq-whitelist.pid
1495
listen-address=127.0.0.1
1497
listen-address=127.0.0.1
1496
port=55
1498
port=55
1497
no-dhcp-interface=lo
1499
no-dhcp-interface=lo
1498
bind-interfaces
1500
bind-interfaces
1499
cache-size=1024
1501
cache-size=1024
1500
domain-needed
1502
domain-needed
1501
expand-hosts
1503
expand-hosts
1502
bogus-priv
1504
bogus-priv
1503
filterwin2k
1505
filterwin2k
1504
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1506
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1505
server=$DNS1
1507
server=$DNS1
1506
server=$DNS2
1508
server=$DNS2
1507
EOF
1509
EOF
1508
	# Create dnsmasq-whitelist unit
1510
	# Create dnsmasq-whitelist unit
1509
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1511
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1510
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1512
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1511
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1513
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1512
	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1514
	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1513
} # End of dnsmasq()
1515
} # End of dnsmasq()
1514
 
1516
 
1515
#########################################################
1517
#########################################################
1516
##              Function "unbound"                     ##
1518
##              Function "unbound"                     ##
1517
## - create the conf files for 4 unbound services      ##
1519
## - create the conf files for 4 unbound services      ##
1518
## - create the systemd files for 4 unbound services   ##
1520
## - create the systemd files for 4 unbound services   ##
1519
#########################################################
1521
#########################################################
1520
unbound ()
1522
unbound ()
1521
{
1523
{
1522
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1524
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1523
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1525
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1524
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1526
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1525
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1527
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1526
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1528
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1527
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1529
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1528
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1530
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1529
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1531
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1530
	[ -d /var/log/unbound ] || mkdir /var/log/unbound
1532
	[ -d /var/log/unbound ] || mkdir /var/log/unbound
1531
	chown unbound:unbound /var/log/unbound
1533
	chown unbound:unbound /var/log/unbound
1532
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1534
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1533
 
1535
 
1534
# Forward zone configuration file for all unbound dns servers
1536
# Forward zone configuration file for all unbound dns servers
1535
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1537
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1536
forward-zone:
1538
forward-zone:
1537
	name: "."
1539
	name: "."
1538
	forward-addr: $DNS1
1540
	forward-addr: $DNS1
1539
	forward-addr: $DNS2
1541
	forward-addr: $DNS2
1540
EOF
1542
EOF
1541
 
1543
 
1542
# Custom configuration file for manual DNS configuration
1544
# Custom configuration file for manual DNS configuration
1543
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1545
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1544
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1546
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1545
## Add one block for each domain name managed by an other DNS server
1547
## Add one block for each domain name managed by an other DNS server
1546
##
1548
##
1547
## Example:
1549
## Example:
1548
##
1550
##
1549
## server:
1551
## server:
1550
##     local-zone: "<your_domain>." transparent
1552
##     local-zone: "<your_domain>." transparent
1551
## forward-zone:
1553
## forward-zone:
1552
##     name: "<your_domain>."
1554
##     name: "<your_domain>."
1553
##     forward-addr: <@IP_domain_server>
1555
##     forward-addr: <@IP_domain_server>
1554
##
1556
##
1555
EOF
1557
EOF
1556
 
1558
 
1557
# Configuration file of ALCASAR main domains for $INTIF
1559
# Configuration file of ALCASAR main domains for $INTIF
1558
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1560
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1559
server:
1561
server:
1560
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1562
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1561
	local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
1563
	local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN"
1562
EOF
1564
EOF
1563
 
1565
 
1564
# Configuration file for lo of forward unbound
1566
# Configuration file for lo of forward unbound
1565
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1567
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1566
server:
1568
server:
1567
	interface: 127.0.0.1@53
1569
	interface: 127.0.0.1@53
1568
	access-control-view: 127.0.0.1/8 lo
1570
	access-control-view: 127.0.0.1/8 lo
1569
view:
1571
view:
1570
	name: "lo"
1572
	name: "lo"
1571
	local-data: "$HOSTNAME A 127.0.0.1"
1573
	local-data: "$HOSTNAME A 127.0.0.1"
1572
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1574
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1573
	local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
1575
	local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN"
1574
	view-first: yes
1576
	view-first: yes
1575
EOF
1577
EOF
1576
 
1578
 
1577
# Configuration file for $INTIF of forward unbound
1579
# Configuration file for $INTIF of forward unbound
1578
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1580
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1579
server:
1581
server:
1580
	interface: ${PRIVATE_IP}@53
1582
	interface: ${PRIVATE_IP}@53
1581
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1583
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1582
view:
1584
view:
1583
	name: "$INTIF"
1585
	name: "$INTIF"
1584
	view-first: yes
1586
	view-first: yes
1585
EOF
1587
EOF
1586
 
1588
 
1587
# Configuration file for main unbound
1589
# Configuration file for main unbound
1588
	cat << EOF > /etc/unbound/unbound.conf
1590
	cat << EOF > /etc/unbound/unbound.conf
1589
server:
1591
server:
1590
	verbosity: 1
1592
	verbosity: 1
1591
	hide-version: yes
1593
	hide-version: yes
1592
	hide-identity: yes
1594
	hide-identity: yes
1593
	do-ip6: no
1595
	do-ip6: no
1594
	include: /etc/unbound/conf.d/common/forward-zone.conf
1596
	include: /etc/unbound/conf.d/common/forward-zone.conf
1595
	include: /etc/unbound/conf.d/common/local-forward/*
1597
	include: /etc/unbound/conf.d/common/local-forward/*
1596
	include: /etc/unbound/conf.d/common/local-dns/*
1598
	include: /etc/unbound/conf.d/common/local-dns/*
1597
	include: /etc/unbound/conf.d/forward/*
1599
	include: /etc/unbound/conf.d/forward/*
1598
EOF
1600
EOF
1599
 
1601
 
1600
# Configuration file for $INTIF of blacklist unbound
1602
# Configuration file for $INTIF of blacklist unbound
1601
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1603
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1602
server:
1604
server:
1603
	interface: ${PRIVATE_IP}@54
1605
	interface: ${PRIVATE_IP}@54
1604
	access-control: $PRIVATE_IP_MASK allow
1606
	access-control: $PRIVATE_IP_MASK allow
1605
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1607
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1606
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1608
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1607
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1609
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1608
EOF
1610
EOF
1609
 
1611
 
1610
# Configuration file for blacklist unbound
1612
# Configuration file for blacklist unbound
1611
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1613
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1612
server:
1614
server:
1613
	verbosity: 1
1615
	verbosity: 1
1614
	hide-version: yes
1616
	hide-version: yes
1615
	hide-identity: yes
1617
	hide-identity: yes
1616
	do-ip6: no
1618
	do-ip6: no
1617
	logfile: "/var/log/unbound/unbound-blacklist.log"
1619
	logfile: "/var/log/unbound/unbound-blacklist.log"
1618
	chroot: ""
1620
	chroot: ""
1619
	define-tag: "blacklist"
1621
	define-tag: "blacklist"
1620
	log-local-actions: yes
1622
	log-local-actions: yes
1621
	include: /etc/unbound/conf.d/common/forward-zone.conf
1623
	include: /etc/unbound/conf.d/common/forward-zone.conf
1622
	include: /etc/unbound/conf.d/common/local-forward/*
1624
	include: /etc/unbound/conf.d/common/local-forward/*
1623
	include: /etc/unbound/conf.d/common/local-dns/*
1625
	include: /etc/unbound/conf.d/common/local-dns/*
1624
	include: /etc/unbound/conf.d/blacklist/*
1626
	include: /etc/unbound/conf.d/blacklist/*
1625
	include: /usr/local/share/unbound-bl-enabled/*
1627
	include: /usr/local/share/unbound-bl-enabled/*
1626
EOF
1628
EOF
1627
 
1629
 
1628
# Configuration file for $INTIF of whitelist unbound
1630
# Configuration file for $INTIF of whitelist unbound
1629
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1631
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1630
server:
1632
server:
1631
	interface: ${PRIVATE_IP}@55
1633
	interface: ${PRIVATE_IP}@55
1632
	access-control: $PRIVATE_IP_MASK allow
1634
	access-control: $PRIVATE_IP_MASK allow
1633
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1635
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1634
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1636
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1635
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1637
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1636
EOF
1638
EOF
1637
 
1639
 
1638
# Configuration file for whitelist unbound
1640
# Configuration file for whitelist unbound
1639
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1641
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1640
server:
1642
server:
1641
	verbosity: 1
1643
	verbosity: 1
1642
	hide-version: yes
1644
	hide-version: yes
1643
	hide-identity: yes
1645
	hide-identity: yes
1644
	do-ip6: no
1646
	do-ip6: no
1645
	do-not-query-localhost: no
1647
	do-not-query-localhost: no
1646
	define-tag: "whitelist"
1648
	define-tag: "whitelist"
1647
	local-zone: "." transparent
1649
	local-zone: "." transparent
1648
	local-zone-tag: "." "whitelist"
1650
	local-zone-tag: "." "whitelist"
1649
	include: /etc/unbound/conf.d/common/local-forward/*
1651
	include: /etc/unbound/conf.d/common/local-forward/*
1650
	include: /etc/unbound/conf.d/common/local-dns/*
1652
	include: /etc/unbound/conf.d/common/local-dns/*
1651
	include: /etc/unbound/conf.d/whitelist/*
1653
	include: /etc/unbound/conf.d/whitelist/*
1652
	include: /usr/local/share/unbound-wl-enabled/*
1654
	include: /usr/local/share/unbound-wl-enabled/*
1653
forward-zone:
1655
forward-zone:
1654
	name: "."
1656
	name: "."
1655
	forward-addr: 127.0.0.1@55
1657
	forward-addr: 127.0.0.1@55
1656
EOF
1658
EOF
1657
 
1659
 
1658
# Configuration file for $INTIF of blackhole unbound
1660
# Configuration file for $INTIF of blackhole unbound
1659
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1661
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1660
server:
1662
server:
1661
	interface: ${PRIVATE_IP}@56
1663
	interface: ${PRIVATE_IP}@56
1662
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1664
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1663
view:
1665
view:
1664
	name: "$INTIF"
1666
	name: "$INTIF"
1665
	local-zone: "." redirect
1667
	local-zone: "." redirect
1666
	local-data: ". A $PRIVATE_IP"
1668
	local-data: ". A $PRIVATE_IP"
1667
EOF
1669
EOF
1668
 
1670
 
1669
# Configuration file for blackhole unbound
1671
# Configuration file for blackhole unbound
1670
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1672
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1671
server:
1673
server:
1672
	verbosity: 1
1674
	verbosity: 1
1673
	hide-version: yes
1675
	hide-version: yes
1674
	hide-identity: yes
1676
	hide-identity: yes
1675
	do-ip6: no
1677
	do-ip6: no
1676
	include: /etc/unbound/conf.d/common/local-forward/*
1678
	include: /etc/unbound/conf.d/common/local-forward/*
1677
	include: /etc/unbound/conf.d/common/local-dns/*
1679
	include: /etc/unbound/conf.d/common/local-dns/*
1678
	include: /etc/unbound/conf.d/blackhole/*
1680
	include: /etc/unbound/conf.d/blackhole/*
1679
EOF
1681
EOF
1680
 
1682
 
1681
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1683
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1682
	then
1684
	then
1683
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1685
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1684
	fi
1686
	fi
1685
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1687
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1686
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1688
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1687
	for list in blacklist blackhole whitelist
1689
	for list in blacklist blackhole whitelist
1688
	do
1690
	do
1689
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1691
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1690
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1692
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1691
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1693
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1692
	done
1694
	done
1693
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1695
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1694
} # End of unbound()
1696
} # End of unbound()
1695
 
1697
 
1696
##################################################
1698
##################################################
1697
##              Function "dhcpd"                ##
1699
##              Function "dhcpd"                ##
1698
##################################################
1700
##################################################
1699
dhcpd()
1701
dhcpd()
1700
{
1702
{
1701
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1703
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1702
	cat <<EOF > /etc/dhcpd.conf
1704
	cat <<EOF > /etc/dhcpd.conf
1703
ddns-update-style none;
1705
ddns-update-style none;
1704
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1706
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1705
	option routers $PRIVATE_IP;
1707
	option routers $PRIVATE_IP;
1706
	option subnet-mask $PRIVATE_NETMASK;
1708
	option subnet-mask $PRIVATE_NETMASK;
1707
	option domain-name-servers $PRIVATE_IP;
1709
	option domain-name-servers $PRIVATE_IP;
1708
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1710
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1709
	default-lease-time 21600;
1711
	default-lease-time 21600;
1710
	max-lease-time 43200;
1712
	max-lease-time 43200;
1711
}
1713
}
1712
EOF
1714
EOF
1713
} # End of dhcpd()
1715
} # End of dhcpd()
1714
 
1716
 
1715
##########################################################
1717
##########################################################
1716
##                      Function "BL"                   ##
1718
##                      Function "BL"                   ##
1717
## - copy & adapt Toulouse BL to ALCASAR architecture   ##
1719
## - copy & adapt Toulouse BL to ALCASAR architecture   ##
1718
##     - domain names for unbound-bl & unbound-wl       ##
1720
##     - domain names for unbound-bl & unbound-wl       ##
1719
##     - URLs for E²guardian                            ##
1721
##     - URLs for E²guardian                            ##
1720
##     - IPs for NetFilter                              ##
1722
##     - IPs for NetFilter                              ##
1721
## - copy additional BLs (TOR + Ultrasurf + C&C)        ##
1723
## - copy additional BLs (TOR + Ultrasurf + C&C)        ##
1722
##########################################################
1724
##########################################################
1723
BL()
1725
BL()
1724
{
1726
{
1725
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1727
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1726
	rm -rf $DIR_DG/lists/blacklists
1728
	rm -rf $DIR_DG/lists/blacklists
1727
	mkdir -p /tmp/blacklists
1729
	mkdir -p /tmp/blacklists
1728
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1730
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1729
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
1731
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
1730
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1732
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1731
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1733
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1732
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1734
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1733
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1735
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1734
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1736
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1735
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1737
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1736
# add additional BL files
1738
# add additional BL files
1737
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklists")
1739
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklists")
1738
	do
1740
	do
1739
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1741
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1740
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1742
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1741
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1743
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1742
	done
1744
	done
1743
	chown -R e2guardian:apache $DIR_DG
1745
	chown -R e2guardian:apache $DIR_DG
1744
	chown -R root:apache $DIR_DEST_SHARE
1746
	chown -R root:apache $DIR_DEST_SHARE
1745
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1747
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1746
# adapt the Toulouse BL to ALCASAR architecture
1748
# adapt the Toulouse BL to ALCASAR architecture
1747
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1749
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1748
# enable the default categories
1750
# enable the default categories
1749
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1751
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1750
	rm -rf /tmp/blacklists
1752
	rm -rf /tmp/blacklists
1751
} # End of BL()
1753
} # End of BL()
1752
 
1754
 
1753
#######################################################
1755
#######################################################
1754
##                  Function "cron"                  ##
1756
##                  Function "cron"                  ##
1755
## - write all cron & anacron files                  ##
1757
## - write all cron & anacron files                  ##
1756
#######################################################
1758
#######################################################
1757
cron()
1759
cron()
1758
{
1760
{
1759
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1761
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1760
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1762
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1761
	cat <<EOF > /etc/crontab
1763
	cat <<EOF > /etc/crontab
1762
SHELL=/usr/bin/bash
1764
SHELL=/usr/bin/bash
1763
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1765
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1764
MAILTO=root
1766
MAILTO=root
1765
HOME=/
1767
HOME=/
1766
 
1768
 
1767
# run-parts
1769
# run-parts
1768
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1770
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1769
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1771
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1770
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1772
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1771
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1773
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1772
EOF
1774
EOF
1773
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1775
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1774
	cat <<EOF >> /etc/anacrontab
1776
	cat <<EOF >> /etc/anacrontab
1775
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1777
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1776
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1778
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1777
EOF
1779
EOF
1778
	cat <<EOF > /etc/cron.d/alcasar-mysql
1780
	cat <<EOF > /etc/cron.d/alcasar-mysql
1779
# Verify, repair and export users database (every monday at 4:45 am)
1781
# Verify, repair and export users database (every monday at 4:45 am)
1780
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1782
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1781
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1783
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1782
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1784
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1783
EOF
1785
EOF
1784
	cat <<EOF > /etc/cron.d/alcasar-archive
1786
	cat <<EOF > /etc/cron.d/alcasar-archive
1785
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1787
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1786
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1788
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1787
EOF
1789
EOF
1788
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1790
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1789
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1791
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1790
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1792
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1791
EOF
1793
EOF
1792
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1794
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1793
# Update the system (everyday at 3:30 am)
1795
# Update the system (everyday at 3:30 am)
1794
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1796
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1795
EOF
1797
EOF
1796
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1798
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1797
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1799
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1798
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1800
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1799
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1801
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1800
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1802
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1801
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1803
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1802
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1804
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1803
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1805
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1804
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1806
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1805
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1807
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1806
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1808
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1807
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1809
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1808
EOF
1810
EOF
1809
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1811
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1810
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1812
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1811
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1813
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1812
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
1814
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
1813
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1815
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1814
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1816
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1815
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1817
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1816
@daily root $DIR_DEST_BIN/alcasar-watchdog.sh --disconnect-permanent-users > /dev/null 2>&1
1818
@daily root $DIR_DEST_BIN/alcasar-watchdog.sh --disconnect-permanent-users > /dev/null 2>&1
1817
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1819
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1818
EOF
1820
EOF
1819
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1821
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1820
# start dead daemons (after boot process and every 20')
1822
# start dead daemons (after boot process and every 20')
1821
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1823
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1822
*/20 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1824
*/20 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1823
EOF
1825
EOF
1824
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1826
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1825
# Automatic update the BL (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1827
# Automatic update the BL (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1826
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl-autoupdate.sh --update_cat > /dev/null 2>&1
1828
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl-autoupdate.sh --update_cat > /dev/null 2>&1
1827
EOF
1829
EOF
1828
	cat <<EOF > /etc/cron.d/alcasar-rsync-ossi_bl
1830
	cat <<EOF > /etc/cron.d/alcasar-rsync-ossi_bl
1829
# Automatic update the OSSI BLs (every 12 hours) by running the custom update scripts specified in '/usr/local/etc/update_ossi_cat.conf'.
1831
# Automatic update the OSSI BLs (every 12 hours) by running the custom update scripts specified in '/usr/local/etc/update_ossi_cat.conf'.
1830
0 */12 * * * root /bin/bash /usr/local/etc/update_ossi_cat.conf > /dev/null 2>&1
1832
0 */12 * * * root /bin/bash /usr/local/etc/update_ossi_cat.conf > /dev/null 2>&1
1831
EOF
1833
EOF
1832
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1834
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1833
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1835
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1834
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1836
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1835
EOF
1837
EOF
1836
	cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
1838
	cat <<EOF > /etc/cron.d/alcasar-nfcapd-expire
1837
# Remove netflow files older than one year (daily --> see "cron.daily")
1839
# Remove netflow files older than one year (daily --> see "cron.daily")
1838
@daily root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/live/alcasar_netflow -t 365d
1840
@daily root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/live/alcasar_netflow -t 365d
1839
EOF
1841
EOF
1840
# removing the users crons
1842
# removing the users crons
1841
	rm -f /var/spool/cron/*
1843
	rm -f /var/spool/cron/*
1842
} # End of cron()
1844
} # End of cron()
1843
 
1845
 
1844
########################################################################
1846
########################################################################
1845
##                        Fonction "Fail2Ban"                         ##
1847
##                        Fonction "Fail2Ban"                         ##
1846
##- Adapt conf file to ALCASAR                                        ##
1848
##- Adapt conf file to ALCASAR                                        ##
1847
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
1849
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
1848
########################################################################
1850
########################################################################
1849
fail2ban()
1851
fail2ban()
1850
{
1852
{
1851
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1853
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1852
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1854
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1853
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
1855
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
1854
 
1856
 
1855
# add 5 jails and their filters
1857
# add 5 jails and their filters
1856
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1858
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1857
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1859
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1858
[sshd]
1860
[sshd]
1859
enabled = true
1861
enabled = true
1860
#enabled  = false
1862
#enabled  = false
1861
maxretry = 3
1863
maxretry = 3
1862
bantime = 3m
1864
bantime = 3m
1863
findtime = 5m
1865
findtime = 5m
1864
EOF
1866
EOF
1865
 
1867
 
1866
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1868
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1867
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1869
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1868
[lighttpd-auth]
1870
[lighttpd-auth]
1869
enabled = true
1871
enabled = true
1870
#enabled  = false
1872
#enabled  = false
1871
maxretry = 3
1873
maxretry = 3
1872
bantime = 3m
1874
bantime = 3m
1873
findtime = 3m
1875
findtime = 3m
1874
EOF
1876
EOF
1875
 
1877
 
1876
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1878
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1877
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1879
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1878
[alcasar_mod-evasive]
1880
[alcasar_mod-evasive]
1879
#enabled = true
1881
#enabled = true
1880
enabled = false
1882
enabled = false
1881
backend = auto
1883
backend = auto
1882
filter = alcasar_mod-evasive
1884
filter = alcasar_mod-evasive
1883
action = iptables-allports[name=alcasar_mod-evasive]
1885
action = iptables-allports[name=alcasar_mod-evasive]
1884
logpath = /var/log/lighttpd/access.log
1886
logpath = /var/log/lighttpd/access.log
1885
maxretry = 3
1887
maxretry = 3
1886
bantime = 3m
1888
bantime = 3m
1887
findtime = 3m
1889
findtime = 3m
1888
EOF
1890
EOF
1889
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
1891
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
1890
[Definition]
1892
[Definition]
1891
failregex =  <HOST> .+\] "[^"]+" 403
1893
failregex =  <HOST> .+\] "[^"]+" 403
1892
ignoreregex =
1894
ignoreregex =
1893
EOF
1895
EOF
1894
 
1896
 
1895
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
1897
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
1896
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
1898
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
1897
[alcasar_intercept]
1899
[alcasar_intercept]
1898
enabled = true
1900
enabled = true
1899
#enabled = false
1901
#enabled = false
1900
backend = auto
1902
backend = auto
1901
filter = alcasar_intercept
1903
filter = alcasar_intercept
1902
action = iptables-allports[name=alcasar_intercept]
1904
action = iptables-allports[name=alcasar_intercept]
1903
logpath = /var/log/lighttpd/access.log
1905
logpath = /var/log/lighttpd/access.log
1904
maxretry = 5
1906
maxretry = 5
1905
bantime = 3m
1907
bantime = 3m
1906
findtime = 3m
1908
findtime = 3m
1907
EOF
1909
EOF
1908
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
1910
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
1909
[Definition]
1911
[Definition]
1910
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1912
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1911
ignoreregex =
1913
ignoreregex =
1912
EOF
1914
EOF
1913
 
1915
 
1914
## alcasar_change-pwd : ban after 5 failed user change password attempts
1916
## alcasar_change-pwd : ban after 5 failed user change password attempts
1915
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
1917
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
1916
[alcasar_change-pwd]
1918
[alcasar_change-pwd]
1917
enabled = true
1919
enabled = true
1918
#enabled = false
1920
#enabled = false
1919
backend = auto
1921
backend = auto
1920
filter = alcasar_change-pwd
1922
filter = alcasar_change-pwd
1921
action = iptables-allports[name=alcasar_change-pwd]
1923
action = iptables-allports[name=alcasar_change-pwd]
1922
logpath = /var/log/lighttpd/access.log
1924
logpath = /var/log/lighttpd/access.log
1923
maxretry = 5
1925
maxretry = 5
1924
bantime = 3m
1926
bantime = 3m
1925
findtime = 3m
1927
findtime = 3m
1926
EOF
1928
EOF
1927
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
1929
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
1928
[Definition]
1930
[Definition]
1929
failregex = <HOST> .* \"POST \/password\.php
1931
failregex = <HOST> .* \"POST \/password\.php
1930
ignoreregex =
1932
ignoreregex =
1931
EOF
1933
EOF
1932
 
1934
 
1933
# allow reading of 2 log files (fail2ban & watchdog).
1935
# allow reading of 2 log files (fail2ban & watchdog).
1934
	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1936
	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
1935
	[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
1937
	[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
1936
	chmod 644 /var/log/fail2ban.log
1938
	chmod 644 /var/log/fail2ban.log
1937
	chmod 644 $DIR_SAVE/security/watchdog.log
1939
	chmod 644 $DIR_SAVE/security/watchdog.log
1938
	/usr/bin/touch /var/log/auth.log
1940
	/usr/bin/touch /var/log/auth.log
1939
# fail2ban unit
1941
# fail2ban unit
1940
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1942
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1941
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1943
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1942
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1944
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1943
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1945
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1944
} # End of fail2ban()
1946
} # End of fail2ban()
1945
 
1947
 
1946
#########################################################
1948
#########################################################
1947
##                   Fonction "gammu_smsd"             ##
1949
##                   Fonction "gammu_smsd"             ##
1948
## - Creating of SMS management database               ##
1950
## - Creating of SMS management database               ##
1949
## - Write the gammu a gammu_smsd conf files           ##
1951
## - Write the gammu a gammu_smsd conf files           ##
1950
#########################################################
1952
#########################################################
1951
gammu_smsd()
1953
gammu_smsd()
1952
{
1954
{
1953
# Create 'gammu' system user
1955
# Create 'gammu' system user
1954
	groupadd -f gammu_smsd
1956
	groupadd -f gammu_smsd
1955
	useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1957
	useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1956
	usermod -a -G dialout gammu_smsd
1958
	usermod -a -G dialout gammu_smsd
1957
 
1959
 
1958
# Create 'gammu' database
1960
# Create 'gammu' database
1959
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1961
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1960
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1962
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1961
# Add a gammu database structure
1963
# Add a gammu database structure
1962
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1964
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1963
 
1965
 
1964
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1966
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1965
	cat << EOF > /etc/gammurc
1967
	cat << EOF > /etc/gammurc
1966
[gammu]
1968
[gammu]
1967
device = /dev/ttyUSB0
1969
device = /dev/ttyUSB0
1968
connection = at115200
1970
connection = at115200
1969
EOF
1971
EOF
1970
 
1972
 
1971
	cat << EOF > /etc/gammu_smsd_conf
1973
	cat << EOF > /etc/gammu_smsd_conf
1972
[gammu]
1974
[gammu]
1973
port = /dev/ttyUSB0
1975
port = /dev/ttyUSB0
1974
connection = at115200
1976
connection = at115200
1975
 
1977
 
1976
[smsd]
1978
[smsd]
1977
PIN = 1234
1979
PIN = 1234
1978
logfile = /var/log/gammu-smsd/gammu-smsd.log
1980
logfile = /var/log/gammu-smsd/gammu-smsd.log
1979
logformat = textall
1981
logformat = textall
1980
debuglevel = 0
1982
debuglevel = 0
1981
 
1983
 
1982
service = sql
1984
service = sql
1983
driver = native_mysql
1985
driver = native_mysql
1984
user = $DB_USER
1986
user = $DB_USER
1985
password = $radiuspwd
1987
password = $radiuspwd
1986
pc = localhost
1988
pc = localhost
1987
database = $DB_GAMMU
1989
database = $DB_GAMMU
1988
 
1990
 
1989
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1991
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1990
 
1992
 
1991
StatusFrequency = 30
1993
StatusFrequency = 30
1992
;LoopSleep = 2
1994
;LoopSleep = 2
1993
 
1995
 
1994
;ResetFrequency = 300
1996
;ResetFrequency = 300
1995
;HardResetFrequency = 120
1997
;HardResetFrequency = 120
1996
 
1998
 
1997
CheckSecurity = 1
1999
CheckSecurity = 1
1998
CheckSignal = 1
2000
CheckSignal = 1
1999
CheckBattery = 0
2001
CheckBattery = 0
2000
EOF
2002
EOF
2001
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2003
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2002
 
2004
 
2003
# Create the systemd unit
2005
# Create the systemd unit
2004
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2006
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2005
[Unit]
2007
[Unit]
2006
Description=SMS daemon for Gammu
2008
Description=SMS daemon for Gammu
2007
Documentation=man:gammu-smsd(1)
2009
Documentation=man:gammu-smsd(1)
2008
After=network.target mysql.service
2010
After=network.target mysql.service
2009
 
2011
 
2010
[Service]
2012
[Service]
2011
Type=forking
2013
Type=forking
2012
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
2014
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
2013
ExecReload=/bin/kill -HUP $MAINPID
2015
ExecReload=/bin/kill -HUP $MAINPID
2014
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
2016
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
2015
PIDFile=/run/gammu-smsd.pid
2017
PIDFile=/run/gammu-smsd.pid
2016
 
2018
 
2017
[Install]
2019
[Install]
2018
WantedBy=multi-user.target
2020
WantedBy=multi-user.target
2019
EOF
2021
EOF
2020
 
2022
 
2021
# Log folder for gammu-smsd
2023
# Log folder for gammu-smsd
2022
	[ -d /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2024
	[ -d /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2023
	chmod 755 /var/log/gammu-smsd
2025
	chmod 755 /var/log/gammu-smsd
2024
 
2026
 
2025
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2027
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2026
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2028
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2027
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2029
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2028
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2030
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2029
#EOF
2031
#EOF
2030
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2032
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2031
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2033
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2032
 
2034
 
2033
} # End of gammu_smsd()
2035
} # End of gammu_smsd()
2034
 
2036
 
2035
############################################################
2037
############################################################
2036
##                 Fonction "msec"                        ##
2038
##                 Fonction "msec"                        ##
2037
## - Apply the "fileserver" security level                ##
2039
## - Apply the "fileserver" security level                ##
2038
## - remove the "system request" for rebooting            ##
2040
## - remove the "system request" for rebooting            ##
2039
## - Fix several file permissions                         ##
2041
## - Fix several file permissions                         ##
2040
############################################################
2042
############################################################
2041
msec()
2043
msec()
2042
{
2044
{
2043
 
2045
 
2044
# Apply fileserver security level
2046
# Apply fileserver security level
2045
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2047
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2046
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2048
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2047
 
2049
 
2048
# Set permissions monitoring and enforcement
2050
# Set permissions monitoring and enforcement
2049
cat <<EOF > /etc/security/msec/perm.local
2051
cat <<EOF > /etc/security/msec/perm.local
2050
/var/log/firewall/                      root.apache     750
2052
/var/log/firewall/                      root.apache     750
2051
/var/log/firewall/*                     root.apache     640
2053
/var/log/firewall/*                     root.apache     640
2052
/etc/security/msec/perm.local           root.root       640
2054
/etc/security/msec/perm.local           root.root       640
2053
/etc/security/msec/level.local          root.root       640
2055
/etc/security/msec/level.local          root.root       640
2054
/etc/freeradius-web                     root.apache     750
2056
/etc/freeradius-web                     root.apache     750
2055
/etc/freeradius-web/admin.conf          root.apache     640
2057
/etc/freeradius-web/admin.conf          root.apache     640
2056
/etc/raddb/client.conf                  radius.radius   640
2058
/etc/raddb/client.conf                  radius.radius   640
2057
/etc/raddb/radius.conf                  radius.radius   640
2059
/etc/raddb/radius.conf                  radius.radius   640
2058
/etc/raddb/mods-available/ldap          radius.apache   660
2060
/etc/raddb/mods-available/ldap          radius.apache   660
2059
/etc/raddb/sites-available/alcasar      radius.apache   660
2061
/etc/raddb/sites-available/alcasar      radius.apache   660
2060
/etc/pki/CA/                            root.apache     750 force
2062
/etc/pki/CA/                            root.apache     750 force
2061
/etc/pki/CA/*                           root.apache     640 force 
2063
/etc/pki/CA/*                           root.apache     640 force 
2062
/etc/pki/CA/private/                    root.root       700 force
2064
/etc/pki/CA/private/                    root.root       700 force
2063
/etc/pki/CA/private/*                   root.root       600 force
2065
/etc/pki/CA/private/*                   root.root       600 force
2064
/etc/pki/tls/private/                   root.apache     750 force
2066
/etc/pki/tls/private/                   root.apache     750 force
2065
/etc/pki/tls/private/*                  root.apache     640 force
2067
/etc/pki/tls/private/*                  root.apache     640 force
2066
/var/log/clamav/                        e2guardian.e2guardian   755 force
2068
/var/log/clamav/                        e2guardian.e2guardian   755 force
2067
/var/log/clamav/*                       e2guardian.e2guardian   764 force
2069
/var/log/clamav/*                       e2guardian.e2guardian   764 force
2068
/var/lib/clamav/                        e2guardian.e2guardian   755 force
2070
/var/lib/clamav/                        e2guardian.e2guardian   755 force
2069
EOF
2071
EOF
2070
# apply now hourly & daily checks
2072
# apply now hourly & daily checks
2071
/usr/sbin/msec
2073
/usr/sbin/msec
2072
/etc/cron.weekly/msec
2074
/etc/cron.weekly/msec
2073
 
2075
 
2074
} # End of msec()
2076
} # End of msec()
2075
 
2077
 
2076
##################################################################
2078
##################################################################
2077
##                   Fonction "letsencrypt"                     ##
2079
##                   Fonction "letsencrypt"                     ##
2078
## - Install Let's Encrypt client                               ##
2080
## - Install Let's Encrypt client                               ##
2079
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2081
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2080
##################################################################
2082
##################################################################
2081
letsencrypt()
2083
letsencrypt()
2082
{
2084
{
2083
	echo "Installing Let's Encrypt client..."
2085
	echo "Installing Let's Encrypt client..."
2084
	# Remove potential old installers
2086
	# Remove potential old installers
2085
	rm -rf /tmp/acme.sh-*
2087
	rm -rf /tmp/acme.sh-*
2086
	# Extract acme.sh
2088
	# Extract acme.sh
2087
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2089
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2088
	pwdInstall=$(pwd)
2090
	pwdInstall=$(pwd)
2089
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2091
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2090
	acmesh_installDir="/opt/acme.sh"
2092
	acmesh_installDir="/opt/acme.sh"
2091
	acmesh_confDir="/usr/local/etc/letsencrypt"
2093
	acmesh_confDir="/usr/local/etc/letsencrypt"
2092
	acmesh_userAgent="ALCASAR"
2094
	acmesh_userAgent="ALCASAR"
2093
	# Install acme.sh
2095
	# Install acme.sh
2094
	./acme.sh --install \
2096
	./acme.sh --install \
2095
		--home $acmesh_installDir \
2097
		--home $acmesh_installDir \
2096
		--config-home $acmesh_confDir/data \
2098
		--config-home $acmesh_confDir/data \
2097
		--certhome $acmesh_confDir/certs \
2099
		--certhome $acmesh_confDir/certs \
2098
		--accountkey $acmesh_confDir/ca/account.key \
2100
		--accountkey $acmesh_confDir/ca/account.key \
2099
		--accountconf $acmesh_confDir/data/account.conf \
2101
		--accountconf $acmesh_confDir/data/account.conf \
2100
		--useragent $acmesh_userAgent \
2102
		--useragent $acmesh_userAgent \
2101
		--nocron \
2103
		--nocron \
2102
		> /dev/null
2104
		> /dev/null
2103
	if [ $? -ne 0 ]; then
2105
	if [ $? -ne 0 ]; then
2104
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2106
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2105
	fi
2107
	fi
2106
	# Create configuration file
2108
	# Create configuration file
2107
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2109
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2108
email=
2110
email=
2109
dateIssueRequest=
2111
dateIssueRequest=
2110
domainRequest=
2112
domainRequest=
2111
challenge=
2113
challenge=
2112
dateIssued=
2114
dateIssued=
2113
dnsapi=
2115
dnsapi=
2114
dateNextRenewal=
2116
dateNextRenewal=
2115
EOF
2117
EOF
2116
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2118
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2117
	rm -rf /tmp/acme.sh-*
2119
	rm -rf /tmp/acme.sh-*
2118
} # End of letsencrypt()
2120
} # End of letsencrypt()
2119
 
2121
 
2120
##################################################################
2122
##################################################################
2121
##                    Fonction "post_install"                   ##
2123
##                    Fonction "post_install"                   ##
2122
## - Modifying banners (locals et ssh) & prompts                ##
2124
## - Modifying banners (locals et ssh) & prompts                ##
2123
## - SSH config                                                 ##
2125
## - SSH config                                                 ##
2124
## - sudoers config & files security                            ##
2126
## - sudoers config & files security                            ##
2125
## - log rotate & ANSSI security parameters                     ##
2127
## - log rotate & ANSSI security parameters                     ##
2126
## - Apply former conf in case of an update                     ##
2128
## - Apply former conf in case of an update                     ##
2127
##################################################################
2129
##################################################################
2128
post_install()
2130
post_install()
2129
{
2131
{
2130
# change the SSHD options
2132
# change the SSHD options
2131
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2133
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2132
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2134
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2133
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2135
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2134
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2136
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2135
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2137
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2136
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2138
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2137
# sshd listens on EXTIF & INTIF
2139
# sshd listens on EXTIF & INTIF
2138
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2140
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2139
# sshd authorized certificate for root login
2141
# sshd authorized certificate for root login
2140
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2142
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2141
	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
2143
	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
2142
 
2144
 
2143
# postfix banner anonymisation
2145
# postfix banner anonymisation
2144
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2146
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2145
	chown -R postfix:postfix /var/lib/postfix
2147
	chown -R postfix:postfix /var/lib/postfix
2146
# ALCASAR conf file
2148
# ALCASAR conf file
2147
	echo "HTTPS_LOGIN=off" >> $CONF_FILE
2149
	echo "HTTPS_LOGIN=off" >> $CONF_FILE
2148
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2150
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2149
	echo "SSH=on" >> $CONF_FILE
2151
	echo "SSH=on" >> $CONF_FILE
2150
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2152
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2151
	echo "LDAP=off" >> $CONF_FILE
2153
	echo "LDAP=off" >> $CONF_FILE
2152
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2154
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2153
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2155
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2154
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2156
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2155
	echo "LDAP_FILTER=" >> $CONF_FILE
2157
	echo "LDAP_FILTER=" >> $CONF_FILE
2156
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2158
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2157
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2159
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2158
	echo "LDAP_SSL=on" >> $CONF_FILE
2160
	echo "LDAP_SSL=on" >> $CONF_FILE
2159
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2161
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2160
	echo "SMS=off" >> $CONF_FILE
2162
	echo "SMS=off" >> $CONF_FILE
2161
	echo "SMS_NUM=" >> $CONF_FILE
2163
	echo "SMS_NUM=" >> $CONF_FILE
2162
	echo "MULTIWAN=off" >> $CONF_FILE
2164
	echo "MULTIWAN=off" >> $CONF_FILE
2163
	echo "FAILOVER=30" >> $CONF_FILE
2165
	echo "FAILOVER=30" >> $CONF_FILE
2164
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2166
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2165
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2167
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2166
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2168
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2167
	echo "BL_PUREIP=on" >> $CONF_FILE
2169
	echo "BL_PUREIP=on" >> $CONF_FILE
2168
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2170
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2169
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2171
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2170
	echo "IOT_CAPTURE=off" >> $CONF_FILE
2172
	echo "IOT_CAPTURE=off" >> $CONF_FILE
2171
# Prompt customisation (colors)
2173
# Prompt customisation (colors)
2172
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2174
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2173
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2175
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2174
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2176
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2175
# sudoers configuration for "apache" & "sysadmin"
2177
# sudoers configuration for "apache" & "sysadmin"
2176
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2178
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2177
	cp -f $DIR_CONF/sudoers /etc/ ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2179
	cp -f $DIR_CONF/sudoers /etc/ ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2178
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2180
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2179
# Modify some logrotate files (gammu, ulogd)
2181
# Modify some logrotate files (gammu, ulogd)
2180
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2182
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2181
	chmod 644 /etc/logrotate.d/*
2183
	chmod 644 /etc/logrotate.d/*
2182
# Log compression
2184
# Log compression
2183
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2185
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2184
# actualisation des fichiers logs compressés
2186
# actualisation des fichiers logs compressés
2185
	for dir in firewall e2guardian lighttpd
2187
	for dir in firewall e2guardian lighttpd
2186
	do
2188
	do
2187
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2189
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2188
	done
2190
	done
2189
# create the alcasar-load_balancing unit
2191
# create the alcasar-load_balancing unit
2190
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2192
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2191
#  This file is part of systemd.
2193
#  This file is part of systemd.
2192
#
2194
#
2193
#  systemd is free software; you can redistribute it and/or modify it
2195
#  systemd is free software; you can redistribute it and/or modify it
2194
#  under the terms of the GNU General Public License as published by
2196
#  under the terms of the GNU General Public License as published by
2195
#  the Free Software Foundation; either version 2 of the License, or
2197
#  the Free Software Foundation; either version 2 of the License, or
2196
#  (at your option) any later version.
2198
#  (at your option) any later version.
2197
 
2199
 
2198
# This unit lauches alcasar-load-balancing.sh script.
2200
# This unit lauches alcasar-load-balancing.sh script.
2199
[Unit]
2201
[Unit]
2200
Description=alcasar-load_balancing.sh execution
2202
Description=alcasar-load_balancing.sh execution
2201
After=network.target iptables.service
2203
After=network.target iptables.service
2202
 
2204
 
2203
[Service]
2205
[Service]
2204
Type=oneshot
2206
Type=oneshot
2205
RemainAfterExit=yes
2207
RemainAfterExit=yes
2206
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2208
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2207
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2209
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2208
TimeoutSec=0
2210
TimeoutSec=0
2209
 
2211
 
2210
[Install]
2212
[Install]
2211
WantedBy=multi-user.target
2213
WantedBy=multi-user.target
2212
EOF
2214
EOF
2213
	/usr/bin/systemctl daemon-reload
2215
	/usr/bin/systemctl daemon-reload
2214
# processes launched at boot time (Systemctl)
2216
# processes launched at boot time (Systemctl)
2215
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2217
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2216
	do
2218
	do
2217
		/usr/bin/systemctl -q enable $i.service
2219
		/usr/bin/systemctl -q enable $i.service
2218
	done
2220
	done
2219
 
2221
 
2220
# disable processes at boot time (Systemctl)
2222
# disable processes at boot time (Systemctl)
2221
	for i in ulogd gpm dhcpd
2223
	for i in ulogd gpm dhcpd
2222
	do
2224
	do
2223
		/usr/bin/systemctl -q disable $i.service
2225
		/usr/bin/systemctl -q disable $i.service
2224
	done
2226
	done
2225
 
2227
 
2226
# Apply some security rules (some are from French cybersecurity Agency - ANSSI)
2228
# Apply some security rules (some are from French cybersecurity Agency - ANSSI)
2227
# ignore ICMP broadcast (smurf attack)
2229
# ignore ICMP broadcast (smurf attack)
2228
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2230
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2229
# ignore ICMP errors bogus
2231
# ignore ICMP errors bogus
2230
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2232
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2231
# remove ICMP redirects responces
2233
# remove ICMP redirects responces
2232
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2234
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2233
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2235
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2234
# enable SYN Cookies (Syn flood attacks)
2236
# enable SYN Cookies (Syn flood attacks)
2235
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2237
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2236
# enable kernel antispoofing
2238
# enable kernel antispoofing
2237
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2239
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2238
# ignore source routing
2240
# ignore source routing
2239
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2241
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2240
# set conntrack timer to 1h (3600s) instead of 5 weeks
2242
# set conntrack timer to 1h (3600s) instead of 5 weeks
2241
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2243
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2242
# disable log_martians (ALCASAR is often installed between two private network addresses)
2244
# disable log_martians (ALCASAR is often installed between two private network addresses)
2243
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2245
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2244
# disable iptables_helpers
2246
# disable iptables_helpers
2245
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2247
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2246
# Switch to the router mode
2248
# Switch to the router mode
2247
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2249
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2248
# Remove unused service ipv6
2250
# Remove unused service ipv6
2249
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2251
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2250
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2252
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2251
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2253
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2252
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2254
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2253
# switch to multi-users runlevel (instead of x11)
2255
# switch to multi-users runlevel (instead of x11)
2254
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2256
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2255
# disable Core dump file
2257
# disable Core dump file
2256
	[ -e /etc/security/limits.conf.default ]  || cp /etc/security/limits.conf /etc/security/limits.conf.default
2258
	[ -e /etc/security/limits.conf.default ]  || cp /etc/security/limits.conf /etc/security/limits.conf.default
2257
	$SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf
2259
	$SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf
2258
 
2260
 
2259
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2261
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2260
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2262
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2261
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2263
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2262
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2264
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2263
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2265
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2264
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2266
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2265
	if [ $vm_vga == 0 ] # is not a VM
2267
	if [ $vm_vga == 0 ] # is not a VM
2266
	then
2268
	then
2267
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2269
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2268
		echo >> /etc/mageia-release
2270
		echo >> /etc/mageia-release
2269
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2271
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2270
	fi
2272
	fi
2271
	if [ $Lang == "fr" ]
2273
	if [ $Lang == "fr" ]
2272
	then
2274
	then
2273
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2275
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2274
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2276
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2275
	else
2277
	else
2276
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2278
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2277
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2279
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2278
	fi
2280
	fi
2279
	/usr/bin/update-grub2
2281
	/usr/bin/update-grub2
2280
# Load and apply the previous conf file
2282
# Load and apply the previous conf file
2281
	if [ "$mode" = "update" ]
2283
	if [ "$mode" = "update" ]
2282
	then
2284
	then
2283
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in $DIR_SAVE/archive
2285
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in $DIR_SAVE/archive
2284
		$DIR_DEST_BIN/alcasar-conf.sh --load
2286
		$DIR_DEST_BIN/alcasar-conf.sh --load
2285
		PARENT_SCRIPT=`basename $0`
2287
		PARENT_SCRIPT=`basename $0`
2286
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2288
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2287
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2289
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2288
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2290
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2289
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2291
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2290
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2292
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2291
	fi
2293
	fi
2292
	rm -f /var/tmp/alcasar-conf*
2294
	rm -f /var/tmp/alcasar-conf*
2293
	chown -R root:apache $DIR_DEST_ETC/*
2295
	chown -R root:apache $DIR_DEST_ETC/*
2294
	chmod -R 660 $DIR_DEST_ETC/*
2296
	chmod -R 660 $DIR_DEST_ETC/*
2295
	chmod ug+x $DIR_DEST_ETC/digest
2297
	chmod ug+x $DIR_DEST_ETC/digest
2296
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2298
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2297
	echo ""
2299
	echo ""
2298
	echo "#############################################################################"
2300
	echo "#############################################################################"
2299
	if [ $Lang == "fr" ]
2301
	if [ $Lang == "fr" ]
2300
		then
2302
		then
2301
		echo "#                        Fin d'installation d'ALCASAR                       #"
2303
		echo "#                        Fin d'installation d'ALCASAR                       #"
2302
		echo "#                                                                           #"
2304
		echo "#                                                                           #"
2303
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2305
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2304
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2306
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2305
		echo "#                                                                           #"
2307
		echo "#                                                                           #"
2306
		echo "#############################################################################"
2308
		echo "#############################################################################"
2307
		echo
2309
		echo
2308
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2310
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2309
		echo
2311
		echo
2310
		echo "- Lisez attentivement la documentation d'exploitation"
2312
		echo "- Lisez attentivement la documentation d'exploitation"
2311
		echo
2313
		echo
2312
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2314
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2313
		echo
2315
		echo
2314
		echo "                   Appuyez sur 'Entrée' pour continuer"
2316
		echo "                   Appuyez sur 'Entrée' pour continuer"
2315
	else
2317
	else
2316
		echo "#                        End of ALCASAR install process                     #"
2318
		echo "#                        End of ALCASAR install process                     #"
2317
		echo "#                                                                           #"
2319
		echo "#                                                                           #"
2318
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2320
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2319
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2321
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2320
		echo "#                                                                           #"
2322
		echo "#                                                                           #"
2321
		echo "#############################################################################"
2323
		echo "#############################################################################"
2322
		echo
2324
		echo
2323
		echo "- The system will be rebooted in order to operate ALCASAR"
2325
		echo "- The system will be rebooted in order to operate ALCASAR"
2324
		echo
2326
		echo
2325
		echo "- Read the exploitation documentation"
2327
		echo "- Read the exploitation documentation"
2326
		echo
2328
		echo
2327
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2329
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2328
		echo
2330
		echo
2329
		echo "                   Hit 'Enter' to continue"
2331
		echo "                   Hit 'Enter' to continue"
2330
	fi
2332
	fi
2331
	sleep 2
2333
	sleep 2
2332
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2334
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2333
	then
2335
	then
2334
		read
2336
		read
2335
	fi
2337
	fi
2336
	clear
2338
	clear
2337
	reboot
2339
	reboot
2338
} # End of post_install()
2340
} # End of post_install()
2339
 
2341
 
2340
#####################################################################################
2342
#####################################################################################
2341
#                                   Main Install loop                               #
2343
#                                   Main Install loop                               #
2342
#####################################################################################
2344
#####################################################################################
2343
dir_exec=`dirname "$0"`
2345
dir_exec=`dirname "$0"`
2344
if [ $dir_exec != "." ]
2346
if [ $dir_exec != "." ]
2345
then
2347
then
2346
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2348
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2347
	echo "Launch this program from the ALCASAR archive directory"
2349
	echo "Launch this program from the ALCASAR archive directory"
2348
	exit 0
2350
	exit 0
2349
fi
2351
fi
2350
if [ $EUID -gt 0 ]
2352
if [ $EUID -gt 0 ]
2351
then
2353
then
2352
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2354
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2353
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2355
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2354
	exit 0
2356
	exit 0
2355
fi
2357
fi
2356
VERSION=`cat $DIR_INSTALL/VERSION`
2358
VERSION=`cat $DIR_INSTALL/VERSION`
2357
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2359
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2358
nb_args=$#
2360
nb_args=$#
2359
args=$1
2361
args=$1
2360
if [ $nb_args -eq 0 ]
2362
if [ $nb_args -eq 0 ]
2361
then
2363
then
2362
	nb_args=1
2364
	nb_args=1
2363
	args="-h"
2365
	args="-h"
2364
fi
2366
fi
2365
chmod -R u+x $DIR_SCRIPTS/*
2367
chmod -R u+x $DIR_SCRIPTS/*
2366
case $args in
2368
case $args in
2367
	-\? | -h* | --h*)
2369
	-\? | -h* | --h*)
2368
		echo "$usage"
2370
		echo "$usage"
2369
		exit 0
2371
		exit 0
2370
		;;
2372
		;;
2371
	-i | --install)
2373
	-i | --install)
2372
		for func in license testing_system
2374
		for func in license testing_system
2373
		do
2375
		do
2374
			header_install
2376
			header_install
2375
			$func
2377
			$func
2376
			if [ $DEBUG_ALCASAR == "on" ]
2378
			if [ $DEBUG_ALCASAR == "on" ]
2377
			then
2379
			then
2378
				echo "*** 'debug' : end of function '$func' ***"
2380
				echo "*** 'debug' : end of function '$func' ***"
2379
				read
2381
				read
2380
			fi
2382
			fi
2381
		done
2383
		done
2382
# RPMs install
2384
# RPMs install
2383
		$DIR_SCRIPTS/alcasar-urpmi.sh
2385
		$DIR_SCRIPTS/alcasar-urpmi.sh
2384
		if [ "$?" != "0" ]
2386
		if [ "$?" != "0" ]
2385
		then
2387
		then
2386
			exit 0
2388
			exit 0
2387
		fi
2389
		fi
2388
		if [ -e $CONF_FILE ]
2390
		if [ -e $CONF_FILE ]
2389
		then
2391
		then
2390
# Uninstall or update the running version
2392
# Uninstall or update the running version
2391
			if [ "$mode" == "update" ]
2393
			if [ "$mode" == "update" ]
2392
			then
2394
			then
2393
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2395
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2394
			else
2396
			else
2395
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2397
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2396
			fi
2398
			fi
2397
		fi
2399
		fi
2398
		if [ $DEBUG_ALCASAR == "on" ]
2400
		if [ $DEBUG_ALCASAR == "on" ]
2399
		then
2401
		then
2400
			echo "*** 'debug' : end of cleaning ***"
2402
			echo "*** 'debug' : end of cleaning ***"
2401
			read
2403
			read
2402
		fi
2404
		fi
2403
# Test if conf file
2405
# Test if conf file
2404
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2406
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2405
		then
2407
		then
2406
# Extract some info from the previous configuration file
2408
# Extract some info from the previous configuration file
2407
			cd /var/tmp
2409
			cd /var/tmp
2408
			tar -xf /var/tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf
2410
			tar -xf /var/tmp/alcasar-conf.tar.gz conf/etc/alcasar.conf
2409
			if [ "$mode" == "install" ] # don't display this if updating a running version
2411
			if [ "$mode" == "install" ] # don't display this if updating a running version
2410
			then
2412
			then
2411
				header_install
2413
				header_install
2412
				ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2414
				ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2413
				PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2415
				PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2414
				MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2416
				MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2415
				MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2417
				MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2416
				UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2418
				UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2417
				if [ $Lang == "fr" ]
2419
				if [ $Lang == "fr" ]
2418
					then echo "Le fichier de configuration d'une version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION a été trouvé";
2420
					then echo "Le fichier de configuration d'une version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION a été trouvé";
2419
					else echo "The configuration file of an old version has been found";
2421
					else echo "The configuration file of an old version has been found";
2420
				fi
2422
				fi
2421
				response=0
2423
				response=0
2422
				PTN='^[oOnNyY]?$'
2424
				PTN='^[oOnNyY]?$'
2423
				until [[ "$response" =~ $PTN ]]
2425
				until [[ "$response" =~ $PTN ]]
2424
				do
2426
				do
2425
					if [ $Lang == "fr" ]
2427
					if [ $Lang == "fr" ]
2426
						then echo -n "Voulez-vous l'utiliser (O/n)? ";
2428
						then echo -n "Voulez-vous l'utiliser (O/n)? ";
2427
						else echo -n "Do you want to use it (Y/n)?";
2429
						else echo -n "Do you want to use it (Y/n)?";
2428
					fi
2430
					fi
2429
					read response
2431
					read response
2430
					if [ "$response" = "n" ] || [ "$response" = "N" ]
2432
					if [ "$response" = "n" ] || [ "$response" = "N" ]
2431
					then
2433
					then
2432
						rm -f /var/tmp/alcasar-conf*
2434
						rm -f /var/tmp/alcasar-conf*
2433
						rm -rf /var/tmp/conf
2435
						rm -rf /var/tmp/conf
2434
					fi
2436
					fi
2435
				done
2437
				done
2436
			fi
2438
			fi
2437
			cd $DIR_INSTALL
2439
			cd $DIR_INSTALL
2438
		fi
2440
		fi
2439
# Test if update
2441
# Test if update
2440
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2442
		if [ -e /var/tmp/alcasar-conf.tar.gz ]
2441
		then
2443
		then
2442
			if [ $Lang == "fr" ]
2444
			if [ $Lang == "fr" ]
2443
				then echo "#### Installation avec mise à jour ####";
2445
				then echo "#### Installation avec mise à jour ####";
2444
				else echo "#### Installation with update     ####";
2446
				else echo "#### Installation with update     ####";
2445
			fi
2447
			fi
2446
			mode="update"
2448
			mode="update"
2447
		fi
2449
		fi
2448
		for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2450
		for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2449
		do
2451
		do
2450
			$func
2452
			$func
2451
			if [ $DEBUG_ALCASAR == "on" ]
2453
			if [ $DEBUG_ALCASAR == "on" ]
2452
			then
2454
			then
2453
				echo "*** 'debug' : end of function '$func' ***"
2455
				echo "*** 'debug' : end of function '$func' ***"
2454
				read
2456
				read
2455
			fi
2457
			fi
2456
		done
2458
		done
2457
		;;
2459
		;;
2458
	-u | --uninstall)
2460
	-u | --uninstall)
2459
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2461
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2460
		then
2462
		then
2461
			if [ $Lang == "fr" ]
2463
			if [ $Lang == "fr" ]
2462
				then echo "ALCASAR n'est pas installé!";
2464
				then echo "ALCASAR n'est pas installé!";
2463
				else echo "ALCASAR isn't installed!";
2465
				else echo "ALCASAR isn't installed!";
2464
			fi
2466
			fi
2465
			exit 0
2467
			exit 0
2466
		fi
2468
		fi
2467
		response=0
2469
		response=0
2468
		PTN='^[oOyYnN]?$'
2470
		PTN='^[oOyYnN]?$'
2469
		until [[ "$response" =~ $PTN ]]
2471
		until [[ "$response" =~ $PTN ]]
2470
		do
2472
		do
2471
			if [ $Lang == "fr" ]
2473
			if [ $Lang == "fr" ]
2472
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
2474
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (O/n)? ";
2473
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2475
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2474
			fi
2476
			fi
2475
			read response
2477
			read response
2476
		done
2478
		done
2477
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2479
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2478
		then
2480
		then
2479
			$DIR_SCRIPTS/alcasar-conf.sh --create
2481
			$DIR_SCRIPTS/alcasar-conf.sh --create
2480
		else
2482
		else
2481
			rm -f /var/tmp/alcasar-conf*
2483
			rm -f /var/tmp/alcasar-conf*
2482
		fi
2484
		fi
2483
# Uninstall the running version
2485
# Uninstall the running version
2484
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2486
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2485
		;;
2487
		;;
2486
	*)
2488
	*)
2487
		echo "Argument inconnu :$1";
2489
		echo "Argument inconnu :$1";
2488
		echo "Unknown argument :$1";
2490
		echo "Unknown argument :$1";
2489
		echo "$usage"
2491
		echo "$usage"
2490
		exit 1
2492
		exit 1
2491
		;;
2493
		;;
2492
esac
2494
esac
2493
# end of script
2495
# end of script
2494
 
2496
 
2495
 
2497
 
2496

Generated by GNU Enscript 1.6.6.
2498

Generated by GNU Enscript 1.6.6.
2497
 
2499
 
2498
 
2500
 
2499
 
2501