12,7 → 12,8 |
# -i or --install |
# -u or --uninstall |
# Functions : |
# testing : connectivity tests, free space test and mageia version test |
# system_testing : Free space test and mageia version test |
# network_testing : Internet connectivity tests |
# init : Installation of RPM and scripts |
# network : Network parameters |
# ACC : ALCASAR Control Center installation |
20,14 → 21,14 |
# time_server : NTPd configuration |
# init_db : Initilization of radius database managed with MariaDB |
# freeradius : FreeRadius initialisation |
# chilli : coovachilli initialisation (+authentication page) |
# chilli : Coovachilli initialisation (+authentication page) |
# e2guardian : E2Guardian filtering HTTP proxy configuration |
# antivirus : clamav & freshclam configuration |
# ulogd : log system in userland (match NFLOG target of iptables) |
# antivirus : Clamav & freshclam configuration |
# ulogd : Log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
# unbound : Name server configuration |
# dnsmasq : Name server configuration (for whitelist ipset support) |
# vnstat : little network stat daemon |
# vnstat : Little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
# fail2ban : Fail2ban IDS installation and configuration |
34,6 → 35,7 |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
# msec : Mageia security package configuration |
# letsencrypt : Let's Encrypt client |
# mail_service : Mail service for email authentification method |
# post_install : Security, log rotation, etc. |
|
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
104,13 → 106,13 |
} # End of header_install() |
|
######################################################## |
## Function "testing_system" ## |
## "system_testing" ## |
## - Test Mageia version ## |
## - Test ALCASAR version (if already installed) ## |
## - Test free space on /var (>10G) ## |
## - Test Internet access ## |
######################################################## |
testing_system() |
system_testing() |
{ |
# Test of Mageia version |
# extract the current Mageia version and hardware architecture (i586 ou X64) |
222,13 → 224,13 |
fi |
exit 0 |
fi |
} # End of testing_system |
} # End of system_testing |
|
######################################################## |
## Function "testing_network" ## |
## - Test Internet access ## |
## "network_testing" ## |
## - Internet access test ## |
######################################################## |
testing_network() |
network_testing() |
{ |
# Detect external/internal interfaces |
if [ -z "$EXTIF" ]; then |
393,10 → 395,10 |
exit 1 |
fi |
echo ". : ok" |
} # End of testing_network() |
} # End of network_testing() |
|
####################################################################### |
## Function "init" ## |
## "init" ## |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ## |
## - Creation of random password for GRUB, mariadb (admin and user) ## |
####################################################################### |
472,7 → 474,7 |
} # End of init() |
|
######################################################### |
## Function "network" ## |
## "network" ## |
## - Define the several network address ## |
## - Define the DNS naming ## |
## - INTIF parameters (consultation network) ## |
753,7 → 755,7 |
} # End of network() |
|
################################################################## |
## Fonction "CA" ## |
## "CA" ## |
## - Creating the CA and the server certificate (lighttpd) ## |
################################################################## |
CA() |
769,13 → 771,13 |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle |
} # End of CA() |
|
################################################### |
## Function "ACC" ## |
## - copy ALCASAR Control Center (ACC) files ## |
## - configuration of the web server (Lighttpd) ## |
## - creation of the first ACC admin account ## |
## - secure the ACC access ## |
################################################### |
###################################################### |
## "ACC" ## |
## - copy ALCASAR Control Center (ACC) files ## |
## - configuration of the web server (Lighttpd) ## |
## - creation of the first ACC admin account ## |
## - secure the ACC access ## |
###################################################### |
ACC() |
{ |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB |
891,7 → 893,7 |
} # End of ACC() |
|
############################################################# |
## Function "time_server" ## |
## "time_server" ## |
## - Configuring NTP server ## |
############################################################# |
time_server() |
922,7 → 924,7 |
} # End of time_server() |
|
##################################################################### |
## Function "init_db" ## |
## "init_db" ## |
## - Mysql initialization ## |
## - Set admin (root) password ## |
## - Remove unused users & databases ## |
975,7 → 977,7 |
} # End of init_db() |
|
################################################################### |
## Function "freeradius" ## |
## "freeradius" ## |
## - Set the configuration files ## |
## - Set the shared secret between coova-chilli and freeradius ## |
## - Adapt the Mysql conf file and counters ## |
1061,7 → 1063,7 |
} # End of freeradius() |
|
############################################################################# |
## Function "chilli" ## |
## "chilli" ## |
## - Creation of the conf file and init file (systemd) for coova-chilli ## |
## - Adapt the authentication web page (intercept.php) ## |
############################################################################# |
1262,7 → 1264,7 |
} # End of chilli() |
|
################################################################ |
## Function "e2guardian" ## |
## "e2guardian" ## |
## - Set the parameters of this HTML proxy (as controler) ## |
################################################################ |
e2guardian() |
1373,7 → 1375,7 |
} # End of e2guardian() |
|
################################################################## |
## Function "antivirus" ## |
## "antivirus" ## |
## - Set the parameters of clamav and freshclam ## |
################################################################## |
antivirus() |
1408,7 → 1410,7 |
} # End of antivirus() |
|
############################################################## |
## function "ulogd" ## |
## "ulogd" ## |
## - Ulog config for multi-log files ## |
############################################################## |
ulogd() |
1436,7 → 1438,7 |
} # End of ulogd() |
|
########################################################## |
## Function "nfsen" ## |
## "nfsen" ## |
## - configure NetFlow collector (nfcapd) ## |
## - configure NetFlow grapher (nfsen-ng) ## |
########################################################## |
1475,17 → 1477,17 |
} # End of nfsen() |
|
########################################################### |
## Function "vnstat" ## |
## "vnstat" ## |
## - Initialization of vnstat and vnstat-dashboard ## |
########################################################### |
vnstat() |
{ |
# vnstat |
# vnstat |
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf |
$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf |
# vnstat-dashboard |
# vnstat-dashboard |
$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php |
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service |
$SED "s?^PIDFile=.*?PIDFile=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service |
1492,7 → 1494,7 |
} # End of vnstat() |
|
################################################################### |
## Function "dnsmasq" ## |
## "dnsmasq" ## |
## - creation of the conf files of dnsmasq (whitelist for ipset )## |
################################################################### |
dnsmasq() |
1517,7 → 1519,8 |
server=$DNS1 |
server=$DNS2 |
EOF |
# Don't run dnsmasq service. Create dnsmasq-whitelist unit |
|
# Don't run dnsmasq service. Create dnsmasq-whitelist unit |
systemctl disable dnsmasq.service |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service |
1525,7 → 1528,7 |
} # End of dnsmasq() |
|
######################################################### |
## Function "unbound" ## |
## "unbound" ## |
## - create the conf files for 4 unbound services ## |
## - create the systemd files for 4 unbound services ## |
######################################################### |
1689,7 → 1692,6 |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/blackhole/* |
EOF |
|
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service |
1703,7 → 1705,7 |
} # End of unbound() |
|
################################################## |
## Function "dhcpd" ## |
## "dhcpd" ## |
################################################## |
dhcpd() |
{ |
1722,7 → 1724,7 |
} # End of dhcpd() |
|
########################################################## |
## Function "BL" ## |
## "BL" ## |
## - copy & adapt Toulouse BL to ALCASAR architecture ## |
## - domain names for unbound-bl & unbound-wl ## |
## - URLs for EĀ²guardian ## |
1731,7 → 1733,7 |
########################################################## |
BL() |
{ |
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt) |
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt) |
rm -rf $DIR_DG/lists/blacklists |
mkdir -p /tmp/blacklists |
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/ |
1760,7 → 1762,7 |
} # End of BL() |
|
####################################################### |
## Function "cron" ## |
## "cron" ## |
## - write all cron & anacron files ## |
####################################################### |
cron() |
1851,7 → 1853,7 |
} # End of cron() |
|
######################################################################## |
## Fonction "Fail2Ban" ## |
## "Fail2Ban" ## |
##- Adapt conf file to ALCASAR ## |
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ## |
######################################################################## |
1858,12 → 1860,12 |
fail2ban() |
{ |
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour |
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default |
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf |
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default |
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf |
|
# add 5 jails and their filters |
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter. |
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf |
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf |
[sshd] |
enabled = true |
#enabled = false |
1873,7 → 1875,7 |
EOF |
|
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter. |
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf |
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf |
[lighttpd-auth] |
enabled = true |
#enabled = false |
1883,7 → 1885,7 |
EOF |
|
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page) |
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf |
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf |
[alcasar_mod-evasive] |
#enabled = true |
enabled = false |
1895,7 → 1897,7 |
bantime = 3m |
findtime = 3m |
EOF |
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf |
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf |
[Definition] |
failregex = <HOST> .+\] "[^"]+" 403 |
ignoreregex = |
1902,7 → 1904,7 |
EOF |
|
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php |
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf |
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf |
[alcasar_intercept] |
enabled = true |
#enabled = false |
1914,7 → 1916,7 |
bantime = 3m |
findtime = 3m |
EOF |
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf |
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf |
[Definition] |
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject |
ignoreregex = |
1921,7 → 1923,7 |
EOF |
|
## alcasar_change-pwd : ban after 5 failed user change password attempts |
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf |
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf |
[alcasar_change-pwd] |
enabled = true |
#enabled = false |
1933,7 → 1935,7 |
bantime = 3m |
findtime = 3m |
EOF |
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf |
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf |
[Definition] |
failregex = <HOST> .* \"POST \/password\.php |
ignoreregex = |
1946,17 → 1948,17 |
chmod 644 $DIR_SAVE/security/watchdog.log |
/usr/bin/touch /var/log/auth.log |
# fail2ban unit |
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service |
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service |
} # End of fail2ban() |
|
######################################################### |
## Fonction "gammu_smsd" ## |
## - Creating of SMS management database ## |
## - Write the gammu a gammu_smsd conf files ## |
######################################################### |
######################################################## |
## "gammu_smsd" ## |
## - Creating of SMS management database ## |
## - Write the gammu a gammu_smsd conf files ## |
######################################################## |
gammu_smsd() |
{ |
# Create 'gammu' system user |
2041,18 → 2043,18 |
|
} # End of gammu_smsd() |
|
############################################################ |
## Fonction "msec" ## |
## - Apply the "fileserver" security level ## |
## - remove the "system request" for rebooting ## |
## - Fix several file permissions ## |
############################################################ |
######################################################## |
## "msec" ## |
## - Apply the "fileserver" security level ## |
## - remove the "system request" for rebooting ## |
## - Fix several file permissions ## |
######################################################## |
msec() |
{ |
|
# Apply fileserver security level |
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default |
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf |
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default |
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf |
|
# Set permissions monitoring and enforcement |
cat <<EOF > /etc/security/msec/perm.local |
2077,8 → 2079,8 |
/var/lib/clamav/ e2guardian.e2guardian 755 force |
EOF |
# apply now hourly & daily checks |
/usr/sbin/msec |
/etc/cron.weekly/msec |
/usr/sbin/msec |
/etc/cron.weekly/msec |
|
} # End of msec() |
|
2090,9 → 2092,9 |
letsencrypt() |
{ |
echo "Installing Let's Encrypt client..." |
# Remove potential old installers |
# Remove potential old installers |
rm -rf /tmp/acme.sh-* |
# Extract acme.sh |
# Extract acme.sh |
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/ |
pwdInstall=$(pwd) |
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; } |
2099,7 → 2101,7 |
acmesh_installDir="/opt/acme.sh" |
acmesh_confDir="/usr/local/etc/letsencrypt" |
acmesh_userAgent="ALCASAR" |
# Install acme.sh |
# Install acme.sh |
./acme.sh --install \ |
--home $acmesh_installDir \ |
--config-home $acmesh_confDir/data \ |
2112,7 → 2114,7 |
if [ $? -ne 0 ]; then |
echo "Error during installation of Let's Encrypt client (acme.sh)." |
fi |
# Create configuration file |
# Create configuration file |
cat <<EOF > /usr/local/etc/alcasar-letsencrypt |
email= |
dateIssueRequest= |
2127,6 → 2129,27 |
} # End of letsencrypt() |
|
################################################################## |
## "mail_service" ## |
## - Install mail service for email registration method ## |
################################################################## |
mail_service() |
{ |
[ -e /etc/postfix/main.cf.default ] || cp /etc/postfix/main.cf /etc/postfix/main.cf.default |
cat << EOT >> /etc/postfix/main.cf |
myhostname = $HOSTNAME.$DOMAIN |
# Enable SASL authentication |
smtp_sasl_auth_enable = yes |
# Disallow methods that allow anonymous authentication |
smtp_sasl_security_options = noanonymous |
# Location of sasl_passwd |
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd |
EOT |
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
} # end of mail_service |
|
################################################################## |
## Fonction "post_install" ## |
## - Modifying banners (locals et ssh) & prompts ## |
## - SSH config ## |
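Review bot: The Postfix block appended in `mail_service()` turns on outbound SASL authentication but never requires TLS, so the relay credentials referenced by `smtp_sasl_password_maps` would be sent in cleartext whenever the relayhost does not negotiate STARTTLS (Postfix's default `smtp_tls_security_level` is empty). Add `smtp_tls_security_level = encrypt` and `smtp_sasl_tls_security_options = noanonymous` to the heredoc so authentication is only attempted over an encrypted session. Nothing in this hunk creates `/etc/postfix/sasl/sasl_passwd` or restricts its permissions; if it is written later (presumably by the ACC), it and the postmap-generated `.db` should be root-only (0600) since they hold a plaintext password. Also, the `>>` append is not guarded the way the `.default` copy is, so re-running the installer in update mode duplicates these directives in main.cf; a guard such as `grep -q '^smtp_sasl_auth_enable' /etc/postfix/main.cf || cat << EOT >> /etc/postfix/main.cf`, or the file's usual `$SED` in-place pattern, would keep the configuration idempotent.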
2148,10 → 2171,6 |
# sshd authorized certificate for root login |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config |
|
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
# ALCASAR conf file |
echo "HTTPS_LOGIN=off" >> $CONF_FILE |
echo "HTTPS_CHILLI=off" >> $CONF_FILE |
2353,7 → 2372,7 |
exit 0 |
;; |
-i | --install) |
for func in license testing_system testing_network |
for func in license system_testing network_testing |
do |
header_install |
$func |
2440,7 → 2459,7 |
fi |
mode="update" |
fi |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |