20,7 → 20,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav |
|
# Options : |
# -i or --install |
1191,48 → 1191,51 |
param_nfsen() |
{ |
#Decompression tarball |
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/ |
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/ |
#Création groupe et utilisteur |
if grep "^www-data:" /etc/group > /dev/null; then |
echo "Group already exists !" |
else |
groupadd www-data |
echo "Group 'www-data' created !" |
fi |
if grep "^nfsen:" /etc/passwd > /dev/null; then |
echo "User already exists !" |
else |
useradd -m nfsen |
echo "User 'nfsen' created !" |
fi |
usermod -G www-data nfsen |
if grep "^www-data:" /etc/group > /dev/null; then |
echo "Group already exists !" |
else |
groupadd www-data |
echo "Group 'www-data' created !" |
fi |
if grep "^nfsen:" /etc/passwd > /dev/null; then |
echo "User already exists !" |
else |
useradd -m nfsen |
echo "User 'nfsen' created !" |
fi |
usermod -G www-data nfsen |
#Ajout du plugin nfsen : PortTracker |
mkdir -p /var/www/nfsen/plugins |
chown -R nfsen:www-data /var/www/nfsen |
mkdir -p /var/www/nfsen/plugins |
chown -R nfsen:www-data /var/www/nfsen |
#Ajout du plugin PortTracker |
mkdir -p /var/log/netflow/porttracker /usr/share/nfsen/plugins |
chown -R apache:apache /var/log/netflow/porttracker /usr/share/nfsen |
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/ |
mkdir -p /var/log/netflow/porttracker |
mkdir -p /usr/share/nfsen/plugins |
chown -R apache:apache /usr/share/nfsen |
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/ |
chown apache /var/log/netflow/porttracker |
#Copie du fichier de conf modifié de nfsen |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/ |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/ |
#Copie du script d'initialisation de nfsen |
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/ |
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/ |
systemctl enable nfsen.service |
#Installation de nfsen via le scrip Perl |
DirTmp=$(pwd) |
cd /tmp/nfsen-1.3.6p1/ |
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger, |
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable" |
DirTmp=$(pwd) |
cd /tmp/nfsen-1.3.6p1/ |
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger, |
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable" |
#Création de la DB pour rrdtool |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/ |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/ |
sudo -u apache nftrack -I -d /var/log/netflow/porttracker |
chown -R apache:www-data /var/log/netflow/porttracker/ |
chmod -R 775 /var/log/netflow/porttracker |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/ |
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/ |
sudo -u apache nftrack -I -d /var/log/netflow/porttracker |
chown -R apache:www-data /var/log/netflow/porttracker/ |
chmod -R 775 /var/log/netflow/porttracker |
#Configuration du fichier de conf d'apache |
if [ -f /etc/httpd/conf.d/nfsen.conf ];then |
rm -f /etc/httpd/conf.d/nfsen.conf |
fi |
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf |
if [ -f /etc/httpd/conf.d/nfsen.conf ];then |
rm -f /etc/httpd/conf.d/nfsen.conf |
fi |
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf |
Alias /nfsen /var/www/nfsen |
<Directory /var/www/nfsen/> |
DirectoryIndex nfsen.php |
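Review bot: Both sides of this hunk keep `chown -R apache:apache /usr/share/nfsen` and then copy PortTracker.pm into /usr/share/nfsen/plugins, so the web-server account owns Perl code that the nfsen backend presumably loads; a compromise of httpd through the nfsen PHP front end could then rewrite a plugin that runs under whatever account nfsen.service uses, which this hunk does not show. Only the data directory needs to be apache-writable, so I would leave the plugin tree root-owned after the copy, `chown -R root:root /usr/share/nfsen; chmod -R 755 /usr/share/nfsen`, and keep `chown apache /var/log/netflow/porttracker` as written. The tarball is also unpacked into the fixed path /tmp/nfsen-1.3.6p1/ and install.pl is run from there as root, so a local user who pre-creates that directory before the installer runs can plant files that root executes or copies; extracting into a `mktemp -d` directory would close that. param_nfsen's body continues past the end of this hunk.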
1246,10 → 1249,10 |
</Directory> |
EOF |
#Configuration du délais d'expiration des captures du profile "live" |
nfsen -m live -e 62d |
nfsen -m live -e 62d |
#Suppression des sources de nfsen |
cd $DirTmp |
rm -rf /tmp/nfsen-1.3.6p1/ |
cd $DirTmp |
rm -rf /tmp/nfsen-1.3.6p1/ |
} # End of param_nfsen |
|
########################################################## |
1305,18 → 1308,18 |
EOF |
|
# Init file modification |
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default |
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default |
# Start and stop a 2nd process for the "DNS blackhole" |
cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq |
cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq |
# Start after chilli (65) which create tun0 |
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq |
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq |
# Optionnellement on pré-active les logs DNS des clients |
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default |
$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq |
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default |
$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq |
# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire |
echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq |
echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq |
# Optionnellement, exemple de configuration avec un A.D. |
echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq |
echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq |
} # End dnsmasq |
|
########################################################## |
1423,7 → 1426,7 |
EOF |
cat << EOF > /etc/cron.d/alcasar-netflow |
# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05) |
05 0 * * 5 root $DIR_DEST_BIN/alcasar-netflow.sh |
15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh |
EOF |
|
# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin). |
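Review bot: The cron comment above the schedule still says the Netflow expiry update runs every Friday at 00:05 (`tous les vendredi à 0h05`), while the new entry `15 0 * * 1` fires on Mondays at 00:15, so the comment now contradicts the line it documents. I would update it to `# mise à jour automatique du délai d'expiration des logs Netflow (tous les lundis à 0h15)`, which also fixes the "Nertflow" typo. If the weekday move was deliberate, for instance to avoid coinciding with another weekly job, a word on why would help the next maintainer.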
1533,8 → 1536,13 |
done |
# export des logs en 'retard' dans /var/Save/logs |
/usr/local/bin/alcasar-log.sh --export |
# creation of the unit of alcasar-load_balancing |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service |
# processus lancés par défaut au démarrage |
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen |
do |
/sbin/chkconfig --add $i |
done |
|
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service |
# This file is part of systemd. |
# |
# systemd is free software; you can redistribute it and/or modify it |
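Review bot: The new chkconfig loop adds `nfsen` to the list of SysV services (`for i in ... freshclam nfsen`), but nfsen is installed elsewhere in this same change as a systemd unit (nfsen.service is copied into /lib/systemd/system and enabled with systemctl in param_nfsen) and no /etc/init.d/nfsen is created anywhere visible here; on a chkconfig that does not redirect to systemctl, `chkconfig --add nfsen` fails with a "does not support chkconfig" error, and at best it duplicates the systemctl enable. I would drop nfsen from this list and rely on the existing `systemctl enable nfsen.service`, or guard it with `[ -x /etc/init.d/nfsen ] && /sbin/chkconfig --add nfsen`. Quoting the loop variable as `"$i"` is cheap while the line is being touched. The enclosing function starts before this hunk.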
1558,27 → 1566,17 |
[Install] |
WantedBy=multi-user.target |
EOF |
|
# process launch at boot time |
for service in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam |
do |
/sbin/chkconfig --add $service |
done |
for service in alcasar-load_balancing.service nfsen.service |
systemctl enable alcasar-load_balancing.service |
|
do |
/bin/systemctl enable $service |
done |
|
# On applique les préconisations ANSSI |
# Apply French Security Agency rules |
# ignorer les broadcast ICMP. (attaque smurf) |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 |
# ignorer les erreurs ICMP bogus |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 |
# désactiver l'envoi et la réponse aux ICMP redirects |
sysctl -w net.ipv4.conf.all.accept_redirects=0 |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l` |
sysctl -w net.ipv4.conf.all.accept_redirects=0 |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l` |
if [ "$accept_redirect" == "0" ] |
then |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf |
1837,7 → 1835,7 |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install |
do |
$func |
# echo "*** 'debug' : end of function $func ***"; read a |
echo "*** 'debug' : end of function $func ***"; read a |
done |
;; |
-u | --uninstall) |
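Review bot: Un-commenting `echo "*** 'debug' : end of function $func ***"; read a` in the `--install` loop (the second of the two printed lines, which I read as the new side) puts an interactive stop after every function in the list, so a normal install now waits for keyboard input eighteen times, and an unattended run with stdin redirected or closed either races through on EOF or swallows whatever was piped in; each pause also leaves the host in the half-configured state of the previous function, with later steps such as fail2ban and post_install not yet run. This looks like debugging left in; I would re-comment it or gate it so production installs are unaffected: `[ -n "${DEBUG:-}" ] && { echo "*** 'debug' : end of function $func ***"; read -r a; }`. `read -r` also stops backslashes in the typed input from being interpreted.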