48,7 → 48,7 |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files) |
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log) |
DIR_WEB="/var/www/html" # directory of Lighttpd |
DIR_DG="/etc/e2guardian" # directory of E2Guardian |
DIR_E2G="/etc/e2guardian" # directory of E2Guardian |
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center' |
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts |
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files |
921,7 → 921,7 |
$SED "s?^pool.*?pool fr.pool.ntp.org iburst?g" /etc/ntp.conf |
echo "interface ignore wildcard" >> /etc/ntp.conf |
echo "interface listen lo" >> /etc/ntp.conf |
echo "interface listen $INTIF" >> /etc/ntp.conf |
echo "interface listen tun0" >> /etc/ntp.conf |
# Synchronize now |
ntpdate fr.pool.ntp.org & |
sleep 2 # wait for time server responce |
1280,33 → 1280,33 |
$SED "/^PIDFile=/d" /etc/systemd/system/e2guardian.service |
|
# Adapt the main conf file |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
[ -e $DIR_E2G/e2guardian.conf.default ] || cp $DIR_E2G/e2guardian.conf $DIR_E2G/e2guardian.conf.default |
# French deny HTML page |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf |
$SED "s?^language =.*?language = 'french'?g" $DIR_E2G/e2guardian.conf |
# +++ listen & loop prevention on loopback |
$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_DG/e2guardian.conf |
$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_E2G/e2guardian.conf |
# 2 filtergroups (8080 & 8090) |
$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf |
$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_E2G/e2guardian.conf |
# Listen on LAN only |
$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_E2G/e2guardian.conf |
# Listen on 8080 (group1 : BL users on HTTP) |
$SED "s?^#filterports = 8080.*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
$SED "s?^#filterports = 8080.*?filterports = 8080?g" $DIR_E2G/e2guardian.conf |
# Listen on 8081 (group2 : previously AV users --> to be redefine) |
# $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf |
$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_DG/e2guardian.conf |
# $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_E2G/e2guardian.conf |
$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_E2G/e2guardian.conf |
# for now we don't listen transparently on 8443 (HTTPS) (only in future version) |
$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf |
$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_E2G/e2guardian.conf |
# Don't log |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_E2G/e2guardian.conf |
# Disable HTML content control (weighted & banned) |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_E2G/e2guardian.conf |
# Enable authport plugin |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_E2G/e2guardian.conf |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_E2G/e2guardian.conf |
# !!! Set Max RAM cache to 10Mb (for antimalware/EDR) |
#$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf |
#$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_E2G/e2guardian.conf |
# !!! Set Max file size cache to 20Mb (for antimalware/EDR) |
#$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_DG/e2guardian.conf |
#$SED "s?^maxcontentfilecachescansize =.*?maxcontentfilecachescansize = 20480?g" $DIR_E2G/e2guardian.conf |
|
# copy & adapt HTML templates |
cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html |
1316,26 → 1316,23 |
|
###### ALCASAR filtering for group1 (blacklisted_users) #### |
# Adapt group1 conf file |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
$SED "s/^#reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^#groupname =.*/groupname = 'blacklisted_users'/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf |
$SED "s/^.Define LISTDIR.*/.Define LISTDIR <$DIR_DG/lists/group1/g" $DIR_DG/e2guardianf1.conf |
DIR_COMMON="$DIR_DG/lists/common" |
cp -r $DIR_DG/lists/example.group $DIR_GROUP1 |
chown -R e2guardian:root $DIR_GROUP1 |
[ -e $DIR_E2G/e2guardianf1.conf.default ] || cp $DIR_E2G/e2guardianf1.conf $DIR_E2G/e2guardianf1.conf.default |
$SED "s/^#reportinglevel =.*/reportinglevel = 3/g" $DIR_E2G/e2guardianf1.conf |
$SED "s/^#groupname =.*/groupname = 'blacklisted_users'/g" $DIR_E2G/e2guardianf1.conf |
$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_E2G/e2guardianf1.conf |
$SED "s/^.Define LISTDIR.*/.Define LISTDIR <$DIR_E2G/lists/group1/g" $DIR_E2G/e2guardianf1.conf |
DIR_E2G_GROUP1="$DIR_E2G/lists/group1" |
cp -r $DIR_E2G/lists/example.group $DIR_E2G_GROUP1 |
chown -R e2guardian:root $DIR_E2G_GROUP1 |
# RAZ bannedphraselist |
[ -e $DIR_GROUP1/bannedphraselist.default ] || mv $DIR_GROUP1/bannedphraselist $DIR_GROUP1/bannedphraselist.default |
$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedphraselist # (comment what is not) |
$SED "s?^[^#]?#&?g" $DIR_E2G_GROUP1/bannedphraselist # (comment what is not) |
# Disable URL control with regex |
[ -e $DIR_GROUP1/banned.regexpurllist.default ] || mv $DIR_GROUP1/regexpurllist $DIR_GROUP1/regexpurllist.default |
$SED "s?^[^#]?#&?g" $DIR_GROUP1/bannedregexpurllist # (comment what is not) |
$SED "s?^[^#]?#&?g" $DIR_E2G_GROUP1/bannedregexpurllist # (comment what is not) |
# Dont filtering files by extension or mime-type (empty list) |
> $DIR_GROUP1/bannedextensionlist |
> $DIR_GROUP1/bannedmimetypelist |
> $DIR_E2G_GROUP1/bannedextensionlist |
> $DIR_E2G_GROUP1/bannedmimetypelist |
# Creation of ALCASAR banned site list |
[ -e $DIR_GROUP1/greysitelist.default ] || mv $DIR_GROUP1/greysitelist $DIR_GROUP1/greysitelist.default |
cat <<EOF > $DIR_GROUP1/greysitelist |
cat <<EOF > $DIR_E2G_GROUP1/greysitelist |
# E2guardian filter config for ALCASAR |
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound) |
# block all SSL and CONNECT tunnels |
1346,32 → 1343,29 |
*ip |
EOF |
# Creation of file for banned URLs (filled later with Toulouse BL --> see BL function) |
[ -e $DIR_GROUP1/bannedurllist.default ] || mv $DIR_GROUP1/bannedurllist $DIR_GROUP1/bannedurllist.default |
cat <<EOF > $DIR_GROUP1/bannedurllist |
cat <<EOF > $DIR_E2G_GROUP1/bannedurllist |
# E2guardian URL filter config for ALCASAR |
EOF |
# Creation of files for rehabilited domains |
[ -e $DIR_GROUP1/exceptionsitelist.default ] || mv $DIR_GROUP1/exceptionsitelist $DIR_GROUP1/exceptionsitelist.default |
touch $DIR_GROUP1/exceptionsitelist |
> $DIR_E2G_GROUP1/exceptionsitelist |
# Creation of files for rehabilited IP |
[ -e $DIR_DG/lists/common/exceptioniplist.default ] || mv $DIR_DG/lists/common/exceptioniplist $DIR_DG/lists/common/exceptioniplist.default |
touch $DIR_DG/lists/common/exceptioniplist |
[ -e $DIR_E2G/lists/common/exceptioniplist.default ] || mv $DIR_E2G/lists/common/exceptioniplist $DIR_E2G/lists/common/exceptioniplist.default |
touch $DIR_E2G/lists/common/exceptioniplist |
# Add Bing to the safesearch url regext list (parental control) |
[ -e $DIR_GROUP1/urlregexplist.default ] || cp $DIR_GROUP1/urlregexplist $DIR_GROUP1/urlregexplist.default |
cat <<EOF >> $DIR_GROUP1/urlregexplist |
cat <<EOF >> $DIR_E2G_GROUP1/urlregexplist |
# Bing - add 'adlt=strict' |
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict" |
EOF |
# 'Safesearch' regex actualisation |
$SED "s?images?search?g" $DIR_GROUP1/urlregexplist |
# change the google safesearch ("safe=strict" instead of "safe=vss") |
$SED "s?safe=vss?safe=strict?g" $DIR_GROUP1/urlregexplist |
# 'Safesearch' regex actualisation |
$SED "s?images?search?g" $DIR_E2G_GROUP1/urlregexplist |
# change the google safesearch ("safe=strict" instead of "safe=vss") |
$SED "s?safe=vss?safe=strict?g" $DIR_E2G_GROUP1/urlregexplist |
|
# Create & adapt group2 conf file (av + av_wl) |
cp $DIR_DG/e2guardianf1.conf.default $DIR_DG/e2guardianf2.conf |
$SED "s?^#reportinglevel =.*?reportinglevel = 3?g" $DIR_DG/e2guardianf2.conf |
$SED "s?^#groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_DG/e2guardianf2.conf |
$SED "s?^urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist'?urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist.default'?g" $DIR_DG/e2guardianf2.conf # no banned urls |
cp $DIR_E2G/e2guardianf1.conf.default $DIR_E2G/e2guardianf2.conf |
$SED "s?^#reportinglevel =.*?reportinglevel = 3?g" $DIR_E2G/e2guardianf2.conf |
$SED "s?^#groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_E2G/e2guardianf2.conf |
$SED "s?^urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist'?urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist.default'?g" $DIR_E2G/e2guardianf2.conf # no banned urls |
|
# create log folder |
mkdir -p /var/log/e2guardian |
1670,26 → 1664,26 |
BL() |
{ |
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt) |
rm -rf $DIR_DG/lists/blacklists |
rm -rf $DIR_E2G/lists/blacklists |
mkdir -p /tmp/blacklists |
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/ |
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only) |
mkdir -p $DIR_DG/lists/blacklists/ossi-bl |
touch $DIR_DG/lists/blacklists/ossi-bl/domains |
mkdir -p $DIR_E2G/lists/blacklists/ossi-bl |
touch $DIR_E2G/lists/blacklists/ossi-bl/domains |
echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled |
mkdir -p $DIR_DG/lists/blacklists/ossi-wl |
touch $DIR_DG/lists/blacklists/ossi-wl/domains |
mkdir -p $DIR_E2G/lists/blacklists/ossi-wl |
touch $DIR_E2G/lists/blacklists/ossi-wl/domains |
echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled |
# add additional BL files |
for x in $(ls $DIR_BLACKLIST | grep -v "^blacklists") |
do |
mkdir $DIR_DG/lists/blacklists/ossi-bl-$x |
cp $DIR_BLACKLIST/$x $DIR_DG/lists/blacklists/ossi-bl-$x/domains |
mkdir $DIR_E2G/lists/blacklists/ossi-bl-$x |
cp $DIR_BLACKLIST/$x $DIR_E2G/lists/blacklists/ossi-bl-$x/domains |
echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled |
done |
chown -R e2guardian:apache $DIR_DG |
chown -R e2guardian:apache $DIR_E2G |
chown -R root:apache $DIR_DEST_SHARE |
chmod -R g+rw $DIR_DG $DIR_DEST_SHARE |
chmod -R g+rw $DIR_E2G $DIR_DEST_SHARE |
# adapt the Toulouse BL to ALCASAR architecture |
$DIR_DEST_BIN/alcasar-bl.sh --adapt |
# enable the default categories |
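Review bot: In BL(), the new `chown -R e2guardian:apache $DIR_E2G` followed by `chmod -R g+rw $DIR_E2G $DIR_DEST_SHARE` gives the web server's group write access to the whole of /etc/e2guardian, including e2guardian.conf and the group conf files configured earlier in this script, not only the list files. If the control center only needs to edit lists (an assumption, since its callers are not visible here), scope the group write to that subtree, e.g. `chmod -R g+rw "$DIR_E2G/lists" "$DIR_DEST_SHARE"`, so that a flaw in the web interface cannot rewrite the filter's main configuration. Because this commit renames the variable in a root-run script, the destructive line is also worth guarding against an empty expansion: `rm -rf -- "${DIR_E2G:?}/lists/blacklists"`. BL() continues past the last visible line.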