20,7 → 20,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes |
|
# Options : |
# -i or --install |
39,7 → 39,7 |
# param_squid : Configuration du proxy squid en mode 'cache' |
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian |
# antivirus : Installation havp + libclamav |
# param_awstats : Configuration de l'interface des statistiques de consultation WEB |
# param_nfsen : Configuration du grapheur nfsen pour apache |
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours |
# BL : Configuration de la BlackList |
# cron : Mise en place des exports de logs (+ chiffrement) |
497,6 → 497,8 |
# load conntrack ftp module |
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default |
echo "ip_conntrack_ftp" >> /etc/modprobe.preload |
# load ipt_NETFLOW module |
echo "ipt_NETFLOW" >> /etc/modprobe.preload |
# |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh |
} # End of network () |
1035,21 → 1037,9 |
$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf |
# Configuration du cache local |
$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf |
# emplacement et formatage standard des logs |
echo '#logformat common %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh' >> /etc/squid/squid.conf |
echo '#logformat combined %>a %ui %un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh' >> /etc/squid/squid.conf |
echo "access_log /var/log/squid/access.log" >> /etc/squid/squid.conf |
# compatibilité des logs avec awstats |
echo "emulate_httpd_log on" >> /etc/squid/squid.conf |
echo "half_closed_clients off" >> /etc/squid/squid.conf |
echo "server_persistent_connections off" >> /etc/squid/squid.conf |
echo "client_persistent_connections on" >> /etc/squid/squid.conf |
echo "client_lifetime 1440 minutes" >> /etc/squid/squid.conf |
echo "request_timeout 5 minutes" >> /etc/squid/squid.conf |
echo "persistent_request_timeout 2 minutes" >> /etc/squid/squid.conf |
echo "cache_mem 256 MB" >> /etc/squid/squid.conf |
echo "maximum_object_size_in_memory 4096 KB" >> /etc/squid/squid.conf |
echo "maximum_object_size 4096 KB" >> /etc/squid/squid.conf |
# désactivation des "access log" |
echo '#Disable access log' >> /etc/squid/squid.conf |
echo "access_log none" >> /etc/squid/squid.conf |
# anonymisation of squid version |
echo "via off" >> /etc/squid/squid.conf |
# remove the 'X_forwarded' http option |
1191,62 → 1181,73 |
cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd |
} # End of param_ulogd () |
|
################################################################################## |
## Fonction param_awstats ## |
## - configuration de l'interface des logs de consultation WEB (AWSTAT) ## |
################################################################################## |
param_awstats() |
|
########################################################## |
## Fonction param_nfsen ## |
########################################################## |
param_nfsen() |
{ |
cp -rf /usr/share/awstats/www/ $DIR_ACC/awstats/ |
chown -R apache:apache $DIR_ACC/awstats |
cp /etc/awstats/awstats.conf /etc/awstats/awstats.conf.default |
$SED "s?^LogFile=.*?LogFile=\"/var/log/squid/access.log\"?g" /etc/awstats/awstats.conf |
$SED "s?^LogFormat=.*?LogFormat=4?g" /etc/awstats/awstats.conf |
$SED "s?^SiteDomain=.*?SiteDomain=\"$HOSTNAME\"?g" /etc/awstats/awstats.conf |
$SED "s?^HostAliases=.*?HostAliases=\"$PRIVATE_IP\"?g" /etc/awstats/awstats.conf |
$SED "s?^DNSLookup=.*?DNSLookup=0?g" /etc/awstats/awstats.conf |
$SED "s?^DirData=.*?DirData=\"/var/lib/awstats\"?g" /etc/awstats/awstats.conf |
$SED "s?^DirIcons=.*?DirIcons=\"/acc/awstats/icon\"?g" /etc/awstats/awstats.conf |
$SED "s?^StyleSheet=.*?StyleSheet=\"/css/style.css\"?g" /etc/awstats/awstats.conf |
$SED "s?^BuildReportFormat=.*?BuildReportFormat=xhtml?g" /etc/awstats/awstats.conf |
$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf |
$SED "s?^UseFramesWhenCGI=.*?UseFramesWhenCGI=0?g" /etc/awstats/awstats.conf |
$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf |
$SED "s?^ShowSummary=.*?ShowSummary=VPHB?g" /etc/awstats/awstats.conf |
$SED "s?^ShowMonthStats=.*?ShowMonthStats=VPHB?g" /etc/awstats/awstats.conf |
$SED "s?^ShowDaysOfMonthStats=.*?ShowDaysOfMonthStats=PHB?g" /etc/awstats/awstats.conf |
$SED "s?^ShowDaysOfWeekStats=.*?ShowDaysOfWeekStats=PHB?g" /etc/awstats/awstats.conf |
$SED "s?^ShowHoursStats=.*?ShowHoursStats=PHB?g" /etc/awstats/awstats.conf |
$SED "s?^ShowDomainsStats=.*?ShowDomainsStats=0?g" /etc/awstats/awstats.conf |
$SED "s?^ShowHostsStats=.*?ShowHostsStats=0?g" /etc/awstats/awstats.conf |
$SED "s?^ShowAuthenticatedUsers=.*?ShowAuthenticatedUsers=0?g" /etc/awstats/awstats.conf |
$SED "s?^ShowRobotsStats=.*?ShowRobotsStats=0?g" /etc/awstats/awstats.conf |
$SED "s?^ShowFileTypesStats=.*?ShowFileTypesStats=0?g" /etc/awstats/awstats.conf |
$SED "s?^ShowFileSizesStats=.*?ShowFileSizesStats=0?g" /etc/awstats/awstats.conf |
$SED "s?^ShowOSStats=.*?ShowOSStats=0?g" /etc/awstats/awstats.conf |
$SED "s?^ShowScreenSizeStats=.*?ShowScreenSizeStats=0?g" /etc/awstats/awstats.conf |
|
cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf |
<Directory $DIR_ACC/awstats> |
SSLRequireSSL |
Options ExecCGI |
AddHandler cgi-script .pl |
DirectoryIndex awstats.pl |
Order deny,allow |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On |
AuthUserFile $DIR_DEST_ETC/digest/key_admin |
ErrorDocument 404 https://$HOSTNAME/ |
#Decompression tarball |
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/ |
#Création groupe et utilisteur |
if grep "^www-data:" /etc/group > /dev/null; then |
echo "Group already exists !" |
else |
groupadd www-data |
echo "Group 'www-data' created !" |
fi |
if grep "^nfsen:" /etc/passwd > /dev/null; then |
echo "User already exists !" |
else |
useradd -m nfsen |
echo "User 'nfsen' created !" |
fi |
usermod -G www-data nfsen |
#Ajout du plugin nfsen : PortTracker |
mkdir -p /var/www/nfsen/plugins |
chown -R nfsen:www-data /var/www/nfsen |
#Ajout du plugin PortTracker |
mkdir -p /var/log/netflow/porttracker |
mkdir -p /usr/share/nfsen/plugins |
chown -R apache:apache /usr/share/nfsen |
cp -f ./conf/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/ |
chown apache /var/log/netflow/porttracker |
#Copie du fichier de conf modifié de nfsen |
cp ./conf/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/ |
#Copie du script d'initialisation de nfsen |
cp ./conf/nfsen/nfsen-init /etc/init.d/nfsen |
#Installation de nfsen via le scrip Perl |
cd /tmp/nfsen-1.3.6p1/ |
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger, |
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable" |
#Création de la DB pour rrdtool |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/ |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/ |
sudo -u apache nftrack -I -d /var/log/netflow/porttracker |
chown -R apache:www-data /var/log/netflow/porttracker/ |
chmod -R 775 /var/log/netflow/porttracker |
#Configuration du fichier de conf d'apache |
if [ -f /etc/httpd/conf.d/nfsen.conf ];then |
rm -f /etc/httpd/conf.d/nfsen.conf |
fi |
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf |
Alias /nfsen /var/www/nfsen |
<Directory /var/www/nfsen/> |
DirectoryIndex nfsen.php |
Options -Indexes |
AllowOverride all |
order allow,deny |
allow from all |
AddType application/x-httpd-php .php |
php_flag magic_quotes_gpc on |
php_flag track_vars on |
</Directory> |
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins |
EOF |
} # End of param_awstats () |
#Configuration du délais d'expiration des captures du profile "ALCASAR" |
nfsen -m ALCASAR -e 365d |
#Suppression des sources de nfsen |
rm -rf /tmp/nfsen-1.3.6p1/ |
} # End of param_nfsen |
|
########################################################## |
## Fonction param_dnsmasq ## |
1410,10 → 1411,6 |
# Archive des logs et de la base de données (tous les lundi à 5h35) |
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now |
EOF |
cat << EOF > /etc/cron.d/awstats |
# mise à jour des stats de consultation WEB toutes les 30' |
*/30 * * * * root $DIR_ACC/awstats/awstats.pl -config=localhost -update >/dev/null 2>&1 |
EOF |
cat << EOF > /etc/cron.d/alcasar-clean_import |
# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h |
30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh |
1422,6 → 1419,11 |
# mise à jour automatique de la distribution tous les jours 3h30 |
30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1 |
EOF |
cat << EOF > /etc/cron.d/alcasar-netflow |
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05) |
05 0 * * 5 root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/ALCASAR/ipt_netflow/ -t 1y -w 90 |
EOF |
|
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin). |
# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739). |
# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct') |
1515,7 → 1517,7 |
# export des logs en 'retard' dans /var/Save/logs |
/usr/local/bin/alcasar-log.sh --export |
# processus lancés par défaut au démarrage |
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam |
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen |
do |
/sbin/chkconfig --add $i |
done |
1743,6 → 1745,8 |
fi |
# RPMs install |
$DIR_SCRIPTS/alcasar-urpmi.sh |
echo "Mise à jour des modules noyau installés" |
#depmod -a |
if [ "$?" != "0" ] |
then |
exit 0 |
1792,7 → 1796,7 |
else |
mode="install" |
fi |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron post_install |
do |
$func |
# echo "*** 'debug' : end of function $func ***"; read a |