
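--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 3192 2024-04-18 22:33:57Z rexy $
+#  $Id: alcasar.sh 3193 2024-04-21 22:33:19Z rexy $
 
 # ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
 # contact : info@alcasar.net
 
@@ -907,27 +907,26 @@
 	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
 	# Log file for ACC access imputability
 	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
 	chown root:apache $DIR_SAVE/security/acc_access.log
 	chmod 664 $DIR_SAVE/security/acc_access.log
-# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
-    cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
 } # End of ACC()
 
 #############################################################
 ##                     "time_server"                       ##
 ## - Configuring NTP server                                ##
 #############################################################
 time_server()
 {
 [ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
 $SED "s?^pool.*?pool fr.pool.ntp.org iburst?g" /etc/ntp.conf
-$SED '$ainterface ignore wildcard' /etc/ntp.conf
-$SED '$ainterface listen lo' /etc/ntp.conf
-$SED '$ainterface listen $INTIF' /etc/ntp.conf
+echo "interface ignore wildcard" >> /etc/ntp.conf
+echo "interface listen lo" >> /etc/ntp.conf
+echo "interface listen $INTIF" >> /etc/ntp.conf
 # Synchronize now
 	ntpdate fr.pool.ntp.org &
+sleep 2 # wait for time server responce
 } # End of time_server()
 
 #####################################################################
 ##                           "init_db"                             ##
 ## - Mysql initialization                                          ##
@@ -1268,11 +1267,11 @@
 	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
 }  # End of chilli()
 
 ################################################################
 ##                        "e2guardian"                        ##
-## - Set the parameters of this HTML proxy (as controler)     ##
+## - Set the parameters of this HTTP proxy (as controler)     ##
 ################################################################
 e2guardian()
 {
 # Adapt systemd unit
 	cp /lib/systemd/system/e2guardian.service /etc/systemd/system/e2guardian.service
@@ -1282,105 +1281,99 @@
 
 # Adapt the main conf file
 	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
 # French deny HTML page
 	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
+# +++ listen & loop prevention on loopback
+	$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
 # 2 filtergroups (8080 & 8090)
-	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
-# Listen on 8080 (HTTP for BL users) only on LAN side
-	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
-	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
-# Listen on 8090 (HTTP for WL/AV users) only on LAN side
-	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
-	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
-# E2guardian doesn't listen transparently on 8443 (HTTPS) (only in future version)
+	$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
+# Listen on LAN only
+	$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
+# Listen on 8080 (group1 : BL users on HTTP)
+	$SED "s?^#filterports = 8080.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
+# Listen on 8081 (group2 : previously AV users --> to be redefine)
+#	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
+	$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_DG/e2guardian.conf
+# for now we don't listen transparently on 8443 (HTTPS) (only in future version)
 	$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
 # Don't log
 	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
 # Disable HTML content control (weighted & banned)
 	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
 # Enable authport plugin
 	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
 	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
-# Set Max RAM cache to 10Mb
-	$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf
-# Set Max file size cache to 20Mb
-	$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf
-# Adapt the first group conf file
-	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
-	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
-	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
-	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
+	# !!! Set Max RAM cache to 10Mb (for antimalware/EDR)
+	#$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf
+	# !!! Set Max file size cache to 20Mb (for antimalware/EDR)
+	#$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf
 
 # copy & adapt HTML templates
 	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
 	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
 	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
 	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
 
-###### ALCASAR special filtering ####
+###### ALCASAR filtering for group1 (blacklisted_users) ####
+# Adapt group1 conf file
+	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
+	$SED "s/^#reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
+	$SED "s/^#groupname =.*/groupname = 'blacklisted_users'/g" $DIR_DG/e2guardianf1.conf
+	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
+	$SED "s/^.Define LISTDIR.*/.Define LISTDIR <$DIR_DG/lists/group1/g" $DIR_DG/e2guardianf1.conf
+	DIR_GROUP1="$DIR_DG/lists/group1"
+	cp -r $DIR_DG/lists/example.group $DIR_GROUP1
+	chown -R e2guardian:root $DIR_GROUP1
 # RAZ bannedphraselist
-	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
-	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
+	$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedphraselist # (comment what is not)
 # Disable URL control with regex
-    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
-	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
-# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
-#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
-#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
-#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
-#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
+	$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedregexpurllist # (comment what is not)
 # Dont filtering files by extension or mime-type (empty list)
-	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
-	touch $DIR_DG/lists/bannedextensionlist
-	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
-	touch $DIR_DG/lists/bannedmimetypelist
-# Empty LAN IP list that won't be WEB filtered
-	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
-	touch $DIR_DG/lists/exceptioniplist
+	> $DIR_GROUP1/bannedextensionlist
+	> $DIR_GROUP1/bannedmimetypelist
 # Creation of ALCASAR banned site list
-	[ -e $DIR_DG/lists/greysitelist.default ] || mv $DIR_DG/lists/greysitelist $DIR_DG/lists/greysitelist.default
-	cat <<EOF > $DIR_DG/lists/greysitelist
+	[ -e $DIR_GROUP1/greysitelist.default ] || mv $DIR_GROUP1/greysitelist $DIR_GROUP1/greysitelist.default
+	cat <<EOF > $DIR_GROUP1/greysitelist
 # E2guardian filter config for ALCASAR
 # In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
 # block all SSL and CONNECT tunnels
 **s
 # block all SSL and CONNECT tunnels specified only as an IP
 *ips
 # block all sites specified only by an IP
 *ip
 EOF
 # Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
-	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
-	cat <<EOF > $DIR_DG/lists/bannedurllist
-# E2guardian filter config for ALCASAR
+	[ -e $DIR_GROUP1/bannedurllist.default ] || mv $DIR_GROUP1/bannedurllist $DIR_GROUP1/bannedurllist.default
+	cat <<EOF > $DIR_GROUP1/bannedurllist
+# E2guardian URL filter config for ALCASAR
 EOF
 # Creation of files for rehabilited domains and urls
-	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
-	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
-	touch $DIR_DG/lists/exceptionsitelist
-	touch $DIR_DG/lists/exceptionurllist
+	[ -e $DIR_GROUP1/exceptionsitelist.default ] || mv $DIR_GROUP1/exceptionsitelist $DIR_GROUP1/exceptionsitelist.default
+	[ -e $DIR_GROUP1/exceptionurllist.default ] || mv $DIR_GROUP1/exceptionurllist $DIR_GROUP1/exceptionurllist.default
+	touch $DIR_GROUP1/exceptionsitelist
+	touch $DIR_GROUP1/exceptionurllist
 # Add Bing to the safesearch url regext list (parental control)
-	[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
-	cat <<EOF >> $DIR_DG/lists/urlregexplist
-
+	[ -e $DIR_GROUP1/urlregexplist.default ] || cp $DIR_GROUP1/urlregexplist $DIR_GROUP1/urlregexplist.default
+	cat <<EOF >> $DIR_GROUP1/urlregexplist
 # Bing - add 'adlt=strict'
 #"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
 EOF
 # 'Safesearch' regex actualisation
-	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
+	$SED "s?images?search?g" $DIR_GROUP1/urlregexplist
 # change the google safesearch ("safe=strict" instead of "safe=vss")
-	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
+	$SED "s?safe=vss?safe=strict?g" $DIR_GROUP1/urlregexplist
 
-# Create & adapt the second group conf file (av + av_wl)
+# Create & adapt group2 conf file (av + av_wl)
 	cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf
 	$SED "s?^reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf
 	$SED "s?^groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf
-	$SED "s?^urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist'?urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
+	$SED "s?^urllist = 'name=banned,messageno=501,path=__LISTEN__/bannedurllist'?urllist = 'name=banned,messageno=501,path=__LISTEN__/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls
 
 # create log folder
-    mkdir -p /var/log/e2guardian
+	mkdir -p /var/log/e2guardian
 	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
 } # End of e2guardian()
 
 ##############################################################
 ##                        "ulogd"                           ##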
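Review bot: The group1 setup added at new lines 1324-1326 is not safe to re-run: `cp -r $DIR_DG/lists/example.group $DIR_GROUP1` creates group1 on a fresh install, but when group1 already exists it copies example.group into it as a subdirectory, so the `$DIR_GROUP1/...` edits and `.default` moves that follow act on missing files and leave the group1 lists in an undefined state; guard it with `[ -d "$DIR_GROUP1" ] || cp -r "$DIR_DG/lists/example.group" "$DIR_GROUP1"`, which also matches the file's existing `.default` idiom, and quote `$DIR_GROUP1` throughout. On new line 1371 the group2 sed now matches `path=__LISTEN__/bannedurllist`; given the `.Define LISTDIR` directive rewritten on line 1323, the placeholder in the shipped template is presumably `__LISTDIR__` — worth verifying, because a non-matching sed succeeds silently and group2 would silently keep the banned URL list instead of the `.default` one. Note also that group2 is copied from e2guardianf1.conf.default, whose LISTDIR presumably still points at `$DIR_DG/lists`, while `bannedurllist.default` is now only created under `$DIR_GROUP1`. In time_server, `sleep 2` after the backgrounded `ntpdate` does not establish that the clock was actually set; `wait "$!" || echo "ntpdate failed" >&2` (or a synchronous call with a timeout) makes the outcome observable.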