| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar.sh 3169 2024-01-18 16:15:23Z rexy $
|
2 |
# $Id: alcasar.sh 3170 2024-02-22 17:28:40Z rexy $
|
| 3 |
|
3 |
|
| 4 |
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
4 |
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
| 5 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
|
5 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
|
| 6 |
# contact : info@alcasar.net
|
6 |
# contact : info@alcasar.net
|
| 7 |
|
7 |
|
| 8 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
8 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
| 9 |
# This script is distributed under the Gnu General Public License (GPLV3)
|
9 |
# This script is distributed under the Gnu General Public License (GPLV3)
|
| 10 |
|
10 |
|
| Line 21... |
Line 21... |
| 21 |
# time_server : NTPd configuration
|
21 |
# time_server : NTPd configuration
|
| 22 |
# init_db : Initilization of radius database managed with MariaDB
|
22 |
# init_db : Initilization of radius database managed with MariaDB
|
| 23 |
# freeradius : FreeRadius initialisation
|
23 |
# freeradius : FreeRadius initialisation
|
| 24 |
# chilli : Coovachilli initialisation (+authentication page)
|
24 |
# chilli : Coovachilli initialisation (+authentication page)
|
| 25 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
25 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
| 26 |
# antivirus : Clamav & freshclam configuration
|
- |
|
| 27 |
# ulogd : Log system in userland (match NFLOG target of iptables)
|
26 |
# ulogd : Log system in userland (match NFLOG target of iptables)
|
| 28 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
27 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
| 29 |
# unbound : Name server configuration
|
28 |
# unbound : Name server configuration
|
| 30 |
# vnstat : Little network stat daemon
|
29 |
# vnstat : Little network stat daemon
|
| 31 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
|
30 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
|
| Line 210... |
Line 209... |
| 210 |
mode="update"
|
209 |
mode="update"
|
| 211 |
fi
|
210 |
fi
|
| 212 |
fi
|
211 |
fi
|
| 213 |
# Free /var (when updating) and test free space
|
212 |
# Free /var (when updating) and test free space
|
| 214 |
[ -d /var/log/netflow ] && rm -rf /var/log/netflow # remove old porttracker RRD database
|
213 |
[ -d /var/log/netflow ] && rm -rf /var/log/netflow # remove old porttracker RRD database
|
| 215 |
[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database
|
- |
|
| 216 |
journalctl -q --vacuum-files 1 # remove previous journal logs
|
214 |
journalctl -q --vacuum-files 1 # remove previous journal logs
|
| 217 |
free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
|
215 |
free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
|
| 218 |
if [ $free_space -lt 10 ]
|
216 |
if [ $free_space -lt 10 ]
|
| 219 |
then
|
217 |
then
|
| 220 |
if [ $Lang == "fr" ]
|
218 |
if [ $Lang == "fr" ]
|
| Line 777... |
Line 775... |
| 777 |
chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
|
775 |
chown root:apache /etc/pki/CA/alcasar-ca.crt; chmod 640 /etc/pki/CA/alcasar-ca.crt
|
| 778 |
chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
|
776 |
chown root:root /etc/pki/CA/private; chmod 700 /etc/pki/CA/private
|
| 779 |
chmod 600 /etc/pki/CA/private/*
|
777 |
chmod 600 /etc/pki/CA/private/*
|
| 780 |
chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
|
778 |
chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
|
| 781 |
chmod 640 /etc/pki/tls/private/*
|
779 |
chmod 640 /etc/pki/tls/private/*
|
| 782 |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
|
780 |
chmod 644 /etc/pki/tls/certs/*
|
| 783 |
} # End of CA()
|
781 |
} # End of CA()
|
| 784 |
|
782 |
|
| 785 |
######################################################
|
783 |
######################################################
|
| 786 |
## "ACC" ##
|
784 |
## "ACC" ##
|
| 787 |
## - copy ALCASAR Control Center (ACC) files ##
|
785 |
## - copy ALCASAR Control Center (ACC) files ##
|
| Line 1305... |
Line 1303... |
| 1305 |
# Disable HTML content control (weighted & banned)
|
1303 |
# Disable HTML content control (weighted & banned)
|
| 1306 |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
|
1304 |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
|
| 1307 |
# Enable authport plugin
|
1305 |
# Enable authport plugin
|
| 1308 |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
|
1306 |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
|
| 1309 |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
|
1307 |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
|
| 1310 |
# Enable clamd scanner
|
- |
|
| 1311 |
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
|
- |
|
| 1312 |
# Set Max RAM cache to 10Mb
|
1308 |
# Set Max RAM cache to 10Mb
|
| 1313 |
$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf
|
1309 |
$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf
|
| 1314 |
# Set Max file size cache to 20Mb
|
1310 |
# Set Max file size cache to 20Mb
|
| 1315 |
$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf
|
1311 |
$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf
|
| 1316 |
# Adapt the first group conf file
|
1312 |
# Adapt the first group conf file
|
| Line 1388... |
Line 1384... |
| 1388 |
# create log folder
|
1384 |
# create log folder
|
| 1389 |
mkdir -p /var/log/e2guardian
|
1385 |
mkdir -p /var/log/e2guardian
|
| 1390 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1386 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
| 1391 |
} # End of e2guardian()
|
1387 |
} # End of e2guardian()
|
| 1392 |
|
1388 |
|
| 1393 |
##################################################################
|
- |
|
| 1394 |
## "antivirus" ##
|
- |
|
| 1395 |
## - Set the parameters of clamav and freshclam ##
|
- |
|
| 1396 |
##################################################################
|
- |
|
| 1397 |
antivirus()
|
- |
|
| 1398 |
{
|
- |
|
| 1399 |
# Clamd unit adaptation to e2guardian
|
- |
|
| 1400 |
cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service
|
- |
|
| 1401 |
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service
|
- |
|
| 1402 |
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service
|
- |
|
| 1403 |
$SED "s?^StandardOuput=.*?StandardOutput=journal?g" /etc/systemd/system/clamav-daemon.service
|
- |
|
| 1404 |
cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket
|
- |
|
| 1405 |
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
|
- |
|
| 1406 |
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
|
- |
|
| 1407 |
# Clamd conf adaptation to e2guardian
|
- |
|
| 1408 |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
|
- |
|
| 1409 |
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
|
- |
|
| 1410 |
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
|
- |
|
| 1411 |
$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
|
- |
|
| 1412 |
$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
|
- |
|
| 1413 |
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
|
- |
|
| 1414 |
$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf
|
- |
|
| 1415 |
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
|
- |
|
| 1416 |
chmod 775 /var/log/clamav /var/lib/clamav
|
- |
|
| 1417 |
chmod 664 /var/log/clamav/*
|
- |
|
| 1418 |
# update virus database every 4 hours (24h/6)
|
- |
|
| 1419 |
[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
|
- |
|
| 1420 |
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
|
- |
|
| 1421 |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
|
- |
|
| 1422 |
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf
|
- |
|
| 1423 |
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
|
- |
|
| 1424 |
$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
|
- |
|
| 1425 |
# update now
|
- |
|
| 1426 |
/usr/bin/freshclam --no-warnings --quiet
|
- |
|
| 1427 |
} # End of antivirus()
|
- |
|
| 1428 |
|
- |
|
| 1429 |
##############################################################
|
1389 |
##############################################################
|
| 1430 |
## "ulogd" ##
|
1390 |
## "ulogd" ##
|
| 1431 |
## - Ulog config for multi-log files ##
|
1391 |
## - Ulog config for multi-log files ##
|
| 1432 |
##############################################################
|
1392 |
##############################################################
|
| 1433 |
ulogd()
|
1393 |
ulogd()
|
| Line 2057... |
Line 2017... |
| 2057 |
/etc/pki/CA/* root.apache 640 force
|
2017 |
/etc/pki/CA/* root.apache 640 force
|
| 2058 |
/etc/pki/CA/private/ root.root 700 force
|
2018 |
/etc/pki/CA/private/ root.root 700 force
|
| 2059 |
/etc/pki/CA/private/* root.root 600 force
|
2019 |
/etc/pki/CA/private/* root.root 600 force
|
| 2060 |
/etc/pki/tls/private/ root.apache 750 force
|
2020 |
/etc/pki/tls/private/ root.apache 750 force
|
| 2061 |
/etc/pki/tls/private/* root.apache 640 force
|
2021 |
/etc/pki/tls/private/* root.apache 640 force
|
| 2062 |
/var/log/clamav/ e2guardian.e2guardian 755 force
|
- |
|
| 2063 |
/var/log/clamav/* e2guardian.e2guardian 764 force
|
- |
|
| 2064 |
/var/lib/clamav/ e2guardian.e2guardian 755 force
|
- |
|
| 2065 |
EOF
|
2022 |
EOF
|
| 2066 |
# apply now hourly & daily checks
|
2023 |
# apply now hourly & daily checks
|
| 2067 |
/usr/sbin/msec
|
2024 |
/usr/sbin/msec
|
| 2068 |
/etc/cron.weekly/msec
|
2025 |
/etc/cron.weekly/msec
|
| 2069 |
|
2026 |
|
| Line 2074... |
Line 2031... |
| 2074 |
## - Install Let's Encrypt client ##
|
2031 |
## - Install Let's Encrypt client ##
|
| 2075 |
## - Prepare Let's Encrypt ALCASAR configuration file ##
|
2032 |
## - Prepare Let's Encrypt ALCASAR configuration file ##
|
| 2076 |
##################################################################
|
2033 |
##################################################################
|
| 2077 |
letsencrypt()
|
2034 |
letsencrypt()
|
| 2078 |
{
|
2035 |
{
|
| 2079 |
echo "Installing Let's Encrypt client..."
|
2036 |
acmesh_installDir="/opt/acme.sh"
|
| - |
|
2037 |
acmesh_confDir="/usr/local/etc/letsencrypt"
|
| - |
|
2038 |
acmesh_userAgent="ALCASAR"
|
| 2080 |
# Remove potential old installers
|
2039 |
# Remove potential old installers
|
| 2081 |
rm -rf /tmp/acme.sh-*
|
2040 |
rm -rf /tmp/acme.sh-*
|
| - |
|
2041 |
[ -d $acmesh_confDir ] && rm -rf $acmesh_confDir
|
| 2082 |
# Extract acme.sh
|
2042 |
# Extract acme.sh
|
| 2083 |
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
|
2043 |
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
|
| 2084 |
pwdInstall=$(pwd)
|
2044 |
pwdInstall=$(pwd)
|
| 2085 |
cd /tmp/acme.sh-* || { echo "Unable to find tmp ACME directory"; exit 1; }
|
2045 |
cd /tmp/acme.sh-* || { echo "Unable to find tmp ACME directory"; exit 1; }
|
| 2086 |
acmesh_installDir="/opt/acme.sh"
|
2046 |
mkdir $acmesh_confDir ; chown root:apache $acmesh_confDir ; chmod 440 $acmesh_confDir
|
| 2087 |
acmesh_confDir="/usr/local/etc/letsencrypt"
|
2047 |
mkdir $acmesh_confDir/{data,certs,ca} ; chown root:apache $acmesh_confDir/{data,certs,ca} ; chmod 440 $acmesh_confDir/{data,certs,ca}
|
| 2088 |
acmesh_userAgent="ALCASAR"
|
- |
|
| 2089 |
# Install acme.sh
|
2048 |
# Install acme.sh
|
| 2090 |
./acme.sh --install \
|
2049 |
./acme.sh --install \
|
| 2091 |
--home $acmesh_installDir \
|
2050 |
--home $acmesh_installDir \
|
| 2092 |
--config-home $acmesh_confDir/data \
|
2051 |
--config-home $acmesh_confDir/data \
|
| 2093 |
--certhome $acmesh_confDir/certs \
|
2052 |
--certhome $acmesh_confDir/certs \
|
| 2094 |
--accountkey $acmesh_confDir/ca/account.key \
|
2053 |
--accountkey $acmesh_confDir/ca/account.key \
|
| 2095 |
--accountconf $acmesh_confDir/data/account.conf \
|
2054 |
--accountconf $acmesh_confDir/data/account.conf \
|
| 2096 |
--useragent $acmesh_userAgent \
|
2055 |
--useragent $acmesh_userAgent \
|
| 2097 |
--nocron \
|
2056 |
--nocron \
|
| 2098 |
--set-default-ca --server letsencrypt \
|
- |
|
| 2099 |
> /dev/null
|
2057 |
> /dev/null
|
| 2100 |
if [ $? -ne 0 ]; then
|
2058 |
if [ $? -ne 0 ]; then
|
| 2101 |
echo "Error during installation of Let's Encrypt client (acme.sh)."
|
2059 |
echo "Error during installation of Let's Encrypt client (acme.sh)."
|
| 2102 |
fi
|
2060 |
fi
|
| 2103 |
# Create configuration file
|
2061 |
# Create configuration file
|
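Review bot: The new `[ -d $acmesh_confDir ] && rm -rf $acmesh_confDir` runs unconditionally, and the func loop near the end of the page calls `letsencrypt` in update mode as well, so a re-run or upgrade wipes an existing ACME account key (`ca/account.key`), `account.conf` and every issued certificate under /usr/local/etc/letsencrypt; gate it on a fresh install, e.g. `[ "$mode" != "update" ] && [ -d "${acmesh_confDir:?}" ] && rm -rf "$acmesh_confDir"`, or back the directory up before removing it. `chmod 440` on the new directories gives group apache read without search, which lets it list entry names but not open or stat anything inside, while root traverses them regardless, so the mode enforces neither access nor denial cleanly; `chmod 750` (or 550/700 if apache is not meant to read them) is the consistent choice. Dropping `--set-default-ca --server letsencrypt` from the install call presumably makes acme.sh fall back to its built-in default CA (ZeroSSL in recent releases) unless the server is set where the configuration file is written later in the function; that should be confirmed before merging. The body of `letsencrypt()` continues past the end of the hunk.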
| Line 2212... |
Line 2170... |
| 2212 |
do
|
2170 |
do
|
| 2213 |
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
|
2171 |
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
|
| 2214 |
done
|
2172 |
done
|
| 2215 |
/usr/bin/systemctl daemon-reload
|
2173 |
/usr/bin/systemctl daemon-reload
|
| 2216 |
# processes started at boot time (Systemctl)
|
2174 |
# processes started at boot time (Systemctl)
|
| 2217 |
for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
|
2175 |
for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
|
| 2218 |
do
|
2176 |
do
|
| 2219 |
/usr/bin/systemctl -q enable $i.service
|
2177 |
/usr/bin/systemctl -q enable $i.service
|
| 2220 |
done
|
2178 |
done
|
| 2221 |
|
2179 |
|
| 2222 |
# disable processes at boot time (Systemctl)
|
2180 |
# disable processes at boot time (Systemctl)
|
| Line 2404... |
Line 2362... |
| 2404 |
read
|
2362 |
read
|
| 2405 |
fi
|
2363 |
fi
|
| 2406 |
# Avoid some RPM automatic updates
|
2364 |
# Avoid some RPM automatic updates
|
| 2407 |
echo "/^kernel/" > /etc/urpmi/skip.list
|
2365 |
echo "/^kernel/" > /etc/urpmi/skip.list
|
| 2408 |
echo "/^wkhtmltopdf/" >> /etc/urpmi/skip.list
|
2366 |
echo "/^wkhtmltopdf/" >> /etc/urpmi/skip.list
|
| 2409 |
echo "/^clamd/" >> /etc/urpmi/skip.list
|
- |
|
| 2410 |
echo "/^clamav/" >> /etc/urpmi/skip.list
|
- |
|
| 2411 |
echo "/^freeradius/" >> /etc/urpmi/skip.list
|
2367 |
echo "/^freeradius/" >> /etc/urpmi/skip.list
|
| 2412 |
if [ `egrep '^exclude=' /etc/dnf/dnf.conf |wc -l` -eq "1" ]; then
|
2368 |
if [ `egrep '^exclude=' /etc/dnf/dnf.conf |wc -l` -eq "1" ]; then
|
| 2413 |
$SED "s?^exclude=.*?exclude=kernel\* wkhtmltopdf clamd clamav freeradius?g" /etc/dnf/dnf.conf
|
2369 |
$SED "s?^exclude=.*?exclude=kernel\* wkhtmltopdf freeradius?g" /etc/dnf/dnf.conf
|
| 2414 |
else
|
2370 |
else
|
| 2415 |
echo "exclude=kernel* wkhtmltopdf clamd clamav freeradius" >> /etc/dnf/dnf.conf
|
2371 |
echo "exclude=kernel* wkhtmltopdf freeradius" >> /etc/dnf/dnf.conf
|
| 2416 |
fi
|
2372 |
fi
|
| 2417 |
# Test if conf file
|
2373 |
# Test if conf file
|
| 2418 |
if [ -e /var/tmp/alcasar-conf.tar.gz ]
|
2374 |
if [ -e /var/tmp/alcasar-conf.tar.gz ]
|
| 2419 |
then
|
2375 |
then
|
| 2420 |
# Extract some info from the previous configuration file
|
2376 |
# Extract some info from the previous configuration file
|
| Line 2457... |
Line 2413... |
| 2457 |
then echo "#### Installation avec mise à jour ####";
|
2413 |
then echo "#### Installation avec mise à jour ####";
|
| 2458 |
else echo "#### Installation with update ####";
|
2414 |
else echo "#### Installation with update ####";
|
| 2459 |
fi
|
2415 |
fi
|
| 2460 |
mode="update"
|
2416 |
mode="update"
|
| 2461 |
fi
|
2417 |
fi
|
| 2462 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
|
2418 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian ulogd nfsen vnstat unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
|
| 2463 |
do
|
2419 |
do
|
| 2464 |
$func
|
2420 |
$func
|
| 2465 |
if [ $DEBUG_ALCASAR == "on" ]
|
2421 |
if [ $DEBUG_ALCASAR == "on" ]
|
| 2466 |
then
|
2422 |
then
|
| 2467 |
echo "*** 'debug' : end of function '$func' ***"
|
2423 |
echo "*** 'debug' : end of function '$func' ***"
|