Subversion Repositories ALCASAR

Rev

Rev 2088 | Rev 2114 | Go to most recent revision | Only display areas with differences | Regard whitespace | Details | Blame | Last modification | View Log

Rev 2088 Rev 2111
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2088 2016-12-12 06:57:16Z raphael.pion $ 
2
#  $Id: alcasar.sh 2111 2017-01-08 17:42:44Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
12
 
12
 
13
#  team@alcasar.net
13
#  team@alcasar.net
14
 
14
 
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
16
# This script is distributed under the Gnu General Public License (GPL)
16
# This script is distributed under the Gnu General Public License (GPL)
17
 
17
 
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
23
 
23
 
24
# Options :
24
# Options :
25
#       -i or --install
25
#       -i or --install
26
#       -u or --uninstall
26
#       -u or --uninstall
27
 
27
 
28
# Functions :
28
# Functions :
29
#	testing			: connectivity tests, free space test and mageia version test
29
#	testing			: connectivity tests, free space test and mageia version test
30
#	init			: Installation of RPM and scripts
30
#	init			: Installation of RPM and scripts
31
#	network			: Network parameters
31
#	network			: Network parameters
32
#	ACC			: ALCASAR Control Center installation
32
#	ACC			: ALCASAR Control Center installation
33
#	CA			: Certification Authority initialization
33
#	CA			: Certification Authority initialization
34
#	time_server		: NTPd configuration
34
#	time_server		: NTPd configuration
35
#	init_db			: Initilization of radius database managed with MariaDB
35
#	init_db			: Initilization of radius database managed with MariaDB
36
#	radius			: FreeRadius initialisation
36
#	radius			: FreeRadius initialisation
37
#	chilli			: coovachilli initialisation (+authentication page)
37
#	chilli			: coovachilli initialisation (+authentication page)
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
39
#	antivirus		: HAVP + libclamav configuration
39
#	antivirus		: HAVP + libclamav configuration
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
42
#	nfsen		:	: Configuration of Nfsen Netflow grapher 
42
#	nfsen		:	: Configuration of Nfsen Netflow grapher 
43
#	dnsmasq			: Name server configuration
43
#	dnsmasq			: Name server configuration
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	post_install		: Security, log rotation, etc.
49
#	post_install		: Security, log rotation, etc.
50
 
50
 
51
DATE=`date '+%d %B %Y - %Hh%M'`
51
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
52
DATE_SHORT=`date '+%d/%m/%Y'`
53
Lang=`echo $LANG|cut -c 1-2`
53
Lang=`echo $LANG|cut -c 1-2`
54
mode="install"
54
mode="install"
55
# ******* Files parameters - paramètres fichiers *********
55
# ******* Files parameters - paramètres fichiers *********
56
DIR_INSTALL=`pwd`				# current directory 
56
DIR_INSTALL=`pwd`				# current directory 
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
57
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
58
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
59
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
60
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
60
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
61
DIR_WEB="/var/www/html"				# directory of APACHE
61
DIR_WEB="/var/www/html"				# directory of APACHE
62
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
62
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
63
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
63
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
64
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
64
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
65
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
66
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
67
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
68
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
# ******* DBMS parameters - paramètres SGBD ********
69
# ******* DBMS parameters - paramètres SGBD ********
70
DB_RADIUS="radius"				# database name used by FreeRadius server
70
DB_RADIUS="radius"				# database name used by FreeRadius server
71
DB_USER="radius"				# user name allows to request the users database
71
DB_USER="radius"				# user name allows to request the users database
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
72
DB_GAMMU="gammu"				# database name used by Gammu-smsd
73
# ******* Network parameters - paramètres réseau *******
73
# ******* Network parameters - paramètres réseau *******
74
HOSTNAME="alcasar"				# default hostname
74
HOSTNAME="alcasar"				# default hostname
75
DOMAIN="localdomain"				# default local domain
75
DOMAIN="localdomain"				# default local domain
76
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
76
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
77
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
78
MTU="1500"
78
MTU="1500"
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
79
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
# ****** Paths - chemin des commandes *******
80
# ****** Paths - chemin des commandes *******
81
SED="/bin/sed -i"
81
SED="/bin/sed -i"
82
# ****************** End of global parameters *********************
82
# ****************** End of global parameters *********************
83
 
83
 
84
license ()
84
license ()
85
{
85
{
86
	if [ $Lang == "fr" ]
86
	if [ $Lang == "fr" ]
87
	then
87
	then
88
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
88
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
	else
89
	else
90
		cat $DIR_INSTALL/gpl-warning.txt | more
90
		cat $DIR_INSTALL/gpl-warning.txt | more
91
	fi
91
	fi
92
	response=0
92
	response=0
93
	PTN='^[oOyYnN]$'
93
	PTN='^[oOyYnN]$'
94
	until [[ $(expr $response : $PTN) -gt 0 ]]
94
	until [[ $(expr $response : $PTN) -gt 0 ]]
95
	do
95
	do
96
		if [ $Lang == "fr" ]
96
		if [ $Lang == "fr" ]
97
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
97
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
			else echo -n "Do you accept the terms of this license (Y/n)? : "
98
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
		fi
99
		fi
100
		read response
100
		read response
101
	done
101
	done
102
	if [ "$response" = "n" ] || [ "$response" = "N" ]
102
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	then
103
	then
104
		exit 1
104
		exit 1
105
	fi
105
	fi
106
}
106
}
107
 
107
 
108
header_install ()
108
header_install ()
109
{
109
{
110
	clear
110
	clear
111
	echo "-----------------------------------------------------------------------------"
111
	echo "-----------------------------------------------------------------------------"
112
	echo "                     ALCASAR V$VERSION Installation"
112
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
113
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "-----------------------------------------------------------------------------"
114
	echo "-----------------------------------------------------------------------------"
115
}
115
}
116
 
116
 
117
##################################################################
117
##################################################################
118
##			Function "testing"			##
118
##			Function "testing"			##
119
## - Test of Mageia version					##
119
## - Test of Mageia version					##
120
## - Test of ALCASAR version (if already installed)		##
120
## - Test of ALCASAR version (if already installed)		##
121
## - Test of free space on /var  (>10G)				##
121
## - Test of free space on /var  (>10G)				##
122
## - Test of Internet access					##
122
## - Test of Internet access					##
123
##################################################################
123
##################################################################
124
testing ()
124
testing ()
125
{
125
{
126
# Test of Mageia version
126
# Test of Mageia version
127
# extract the current Mageia version and hardware architecture (i586 ou X64)
127
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
	fic=`cat /etc/product.id`
128
	fic=`cat /etc/product.id`
129
	unknown_os=0
129
	unknown_os=0
130
	old="$IFS"
130
	old="$IFS"
131
	IFS=","
131
	IFS=","
132
	set $fic
132
	set $fic
133
	for i in $*
133
	for i in $*
134
	do
134
	do
135
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
135
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
			then 
136
			then 
137
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
137
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			unknown_os=`expr $unknown_os + 1`
138
			unknown_os=`expr $unknown_os + 1`
139
		fi
139
		fi
140
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
140
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
			then 
141
			then 
142
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
142
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			unknown_os=`expr $unknown_os + 1`
143
			unknown_os=`expr $unknown_os + 1`
144
		fi
144
		fi
145
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
145
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
			then 
146
			then 
147
			ARCH=`echo $i|cut -d"=" -f2`
147
			ARCH=`echo $i|cut -d"=" -f2`
148
			unknown_os=`expr $unknown_os + 1`
148
			unknown_os=`expr $unknown_os + 1`
149
		fi
149
		fi
150
	done
150
	done
151
	IFS="$old"
151
	IFS="$old"
152
# Test if ALCASAR is already installed
152
# Test if ALCASAR is already installed
153
	if [ -e $CONF_FILE ]
153
	if [ -e $CONF_FILE ]
154
	then
154
	then
155
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
155
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
156
		if [ $Lang == "fr" ]
156
		if [ $Lang == "fr" ]
157
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
157
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
158
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
158
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
159
		fi
159
		fi
160
		response=0
160
		response=0
161
		PTN='^[oOnNyY]$'
161
		PTN='^[oOnNyY]$'
162
		until [[ $(expr $response : $PTN) -gt 0 ]]
162
		until [[ $(expr $response : $PTN) -gt 0 ]]
163
		do
163
		do
164
			if [ $Lang == "fr" ]
164
			if [ $Lang == "fr" ]
165
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
165
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
166
				else echo -n "Do you want to update (Y/n)?";
166
				else echo -n "Do you want to update (Y/n)?";
167
			 fi
167
			 fi
168
			read response
168
			read response
169
		done
169
		done
170
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
170
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
171
		then
171
		then
172
			rm -f /tmp/alcasar-conf*
172
			rm -f /tmp/alcasar-conf*
173
		else
173
		else
174
# Retrieve former NICname
174
# Retrieve former NICname
175
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
175
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
176
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
176
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
177
# Create the current conf file
177
# Create the current conf file
178
			$DIR_SCRIPTS/alcasar-conf.sh --create
178
			$DIR_SCRIPTS/alcasar-conf.sh --create
179
			mode="update"
179
			mode="update"
180
		fi
180
		fi
181
	fi
181
	fi
182
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
182
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
183
		then
183
		then
184
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
184
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
185
			then
185
			then
186
			echo
186
			echo
187
			if [ $Lang == "fr" ]
187
			if [ $Lang == "fr" ]
188
				then	
188
				then	
189
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
189
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
190
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
190
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
191
				echo "2 - Installez Linux-Mageia 5 et ALCASAR (cf. doc d'installation)"
191
				echo "2 - Installez Linux-Mageia 5 et ALCASAR (cf. doc d'installation)"
192
				echo "3 - Importez votre base des usagers"
192
				echo "3 - Importez votre base des usagers"
193
			else
193
			else
194
				echo "The automatic update of ALCASAR can't be performed."
194
				echo "The automatic update of ALCASAR can't be performed."
195
				echo "1 - Save your traceability files and the user database"
195
				echo "1 - Save your traceability files and the user database"
196
				echo "2 - Install Linux-Mageia 5 & ALCASAR (cf. installation doc)"
196
				echo "2 - Install Linux-Mageia 5 & ALCASAR (cf. installation doc)"
197
				echo "3 - Import your users database"
197
				echo "3 - Import your users database"
198
			fi
198
			fi
199
		else
199
		else
200
			if [ $Lang == "fr" ]
200
			if [ $Lang == "fr" ]
201
				then	
201
				then	
202
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
202
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
203
			else
203
			else
204
				echo "The installation of ALCASAR can't be performed."
204
				echo "The installation of ALCASAR can't be performed."
205
			fi
205
			fi
206
		fi
206
		fi
207
		echo
207
		echo
208
		if [ $Lang == "fr" ]
208
		if [ $Lang == "fr" ]
209
			then	
209
			then	
210
			echo "Le système d'exploitation doit être remplacé (Mageia5)"
210
			echo "Le système d'exploitation doit être remplacé (Mageia5)"
211
		else
211
		else
212
			echo "The OS must be replaced (Mageia5)"
212
			echo "The OS must be replaced (Mageia5)"
213
		fi
213
		fi
214
		exit 0
214
		exit 0
215
	fi
215
	fi
216
	if [ ! -d /var/log/netflow/porttracker ]
216
	if [ ! -d /var/log/netflow/porttracker ]
217
		then
217
		then
218
# Test of free space on /var
218
# Test of free space on /var
219
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
219
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
220
		if [ $free_space -lt 10 ]
220
		if [ $free_space -lt 10 ]
221
			then
221
			then
222
			if [ $Lang == "fr" ]
222
			if [ $Lang == "fr" ]
223
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
223
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
224
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
224
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
225
			fi
225
			fi
226
		exit 0
226
		exit 0
227
		fi
227
		fi
228
	fi
228
	fi
229
	if [ $Lang == "fr" ]
229
	if [ $Lang == "fr" ]
230
		then echo -n "Tests des paramètres réseau : "
230
		then echo -n "Tests des paramètres réseau : "
231
		else echo -n "Network parameters tests : "
231
		else echo -n "Network parameters tests : "
232
	fi
232
	fi
233
# Test of Ethernet links state
233
# Test of Ethernet links state
234
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
234
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
235
	for i in $DOWN_IF
235
	for i in $DOWN_IF
236
	do
236
	do
237
		if [ $Lang == "fr" ]
237
		if [ $Lang == "fr" ]
238
		then 
238
		then 
239
			echo "Échec"
239
			echo "Échec"
240
			echo "Le lien réseau de la carte $i n'est pas actif."
240
			echo "Le lien réseau de la carte $i n'est pas actif."
241
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
241
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
242
		else
242
		else
243
			echo "Failed"
243
			echo "Failed"
244
			echo "The link state of $i interface is down."
244
			echo "The link state of $i interface is down."
245
			echo "Make sure that this network card is connected to a switch or an A.P."
245
			echo "Make sure that this network card is connected to a switch or an A.P."
246
		fi
246
		fi
247
		exit 0
247
		exit 0
248
	done
248
	done
249
	echo -n "."
249
	echo -n "."
250
 
250
 
251
# Test EXTIF config files
251
# Test EXTIF config files
252
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
252
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
253
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
253
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
254
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
254
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
255
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
255
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
256
	then
256
	then
257
		if [ $Lang == "fr" ]
257
		if [ $Lang == "fr" ]
258
		then 
258
		then 
259
			echo "Échec"
259
			echo "Échec"
260
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
260
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
261
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
261
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
262
			echo "Appliquez les changements : 'systemctl restart network'"
262
			echo "Appliquez les changements : 'systemctl restart network'"
263
		else
263
		else
264
			echo "Failed"
264
			echo "Failed"
265
			echo "The Internet connected network card ($EXTIF) isn't well configured."
265
			echo "The Internet connected network card ($EXTIF) isn't well configured."
266
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
266
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
267
			echo "Apply the new configuration 'systemctl restart network'"
267
			echo "Apply the new configuration 'systemctl restart network'"
268
		fi
268
		fi
269
		echo "DEVICE=$EXTIF"
269
		echo "DEVICE=$EXTIF"
270
		echo "IPADDR="
270
		echo "IPADDR="
271
		echo "NETMASK="
271
		echo "NETMASK="
272
		echo "GATEWAY="
272
		echo "GATEWAY="
273
		echo "DNS1="
273
		echo "DNS1="
274
		echo "DNS2="
274
		echo "DNS2="
275
		echo "ONBOOT=yes"
275
		echo "ONBOOT=yes"
276
		exit 0
276
		exit 0
277
	fi
277
	fi
278
	echo -n "."
278
	echo -n "."
279
 
279
 
280
# Test if router is alive (Box FAI)
280
# Test if router is alive (Box FAI)
281
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
281
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
282
		if [ $Lang == "fr" ]
282
		if [ $Lang == "fr" ]
283
		then 
283
		then 
284
			echo "Échec"
284
			echo "Échec"
285
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
285
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
286
			echo "Réglez ce problème puis relancez ce script."
286
			echo "Réglez ce problème puis relancez ce script."
287
		else
287
		else
288
			echo "Failed"
288
			echo "Failed"
289
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
289
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
290
			echo "Resolv this problem, then restart this script."
290
			echo "Resolv this problem, then restart this script."
291
		fi
291
		fi
292
		exit 0
292
		exit 0
293
	fi
293
	fi
294
	echo -n "."
294
	echo -n "."
295
# On teste le lien vers le routeur par defaut
295
# On teste le lien vers le routeur par defaut
296
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
296
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
297
	if [ $(expr $arp_reply) -eq 0 ]
297
	if [ $(expr $arp_reply) -eq 0 ]
298
	       	then
298
	       	then
299
		if [ $Lang == "fr" ]
299
		if [ $Lang == "fr" ]
300
		then 
300
		then 
301
			echo "Échec"
301
			echo "Échec"
302
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
302
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
303
			echo "Réglez ce problème puis relancez ce script."
303
			echo "Réglez ce problème puis relancez ce script."
304
		else
304
		else
305
			echo "Failed"
305
			echo "Failed"
306
			echo "The Internet gateway doesn't answered"
306
			echo "The Internet gateway doesn't answered"
307
			echo "Resolv this problem, then restart this script."
307
			echo "Resolv this problem, then restart this script."
308
		fi
308
		fi
309
		exit 0
309
		exit 0
310
	fi
310
	fi
311
	echo -n "."
311
	echo -n "."
312
# On teste la connectivité Internet
312
# On teste la connectivité Internet
313
	rm -rf /tmp/con_ok.html
313
	rm -rf /tmp/con_ok.html
314
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
314
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
315
	if [ ! -e /tmp/con_ok.html ]
315
	if [ ! -e /tmp/con_ok.html ]
316
	then
316
	then
317
		if [ $Lang == "fr" ]
317
		if [ $Lang == "fr" ]
318
		then 
318
		then 
319
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
319
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
320
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
320
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
321
			echo "Vérifiez la validité des adresses IP des DNS."
321
			echo "Vérifiez la validité des adresses IP des DNS."
322
		else
322
		else
323
			echo "The Internet connection try failed (google.fr)."
323
			echo "The Internet connection try failed (google.fr)."
324
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
324
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
325
			echo "Verify the DNS IP addresses"
325
			echo "Verify the DNS IP addresses"
326
		fi
326
		fi
327
		exit 0
327
		exit 0
328
	fi
328
	fi
329
	rm -rf /tmp/con_ok.html
329
	rm -rf /tmp/con_ok.html
330
	echo ". : ok"
330
	echo ". : ok"
331
} # end of testing ()
331
} # end of testing ()
332
 
332
 
333
##################################################################
333
##################################################################
334
##			Function "init"				##
334
##			Function "init"				##
335
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
335
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
336
## - Installation et modification des scripts du portail	##
336
## - Installation et modification des scripts du portail	##
337
##################################################################
337
##################################################################
338
init ()
338
init ()
339
{
339
{
340
	if [ "$mode" != "update" ]
340
	if [ "$mode" != "update" ]
341
	then
341
	then
342
# On affecte le nom d'organisme
342
# On affecte le nom d'organisme
343
		header_install
343
		header_install
344
		ORGANISME=!
344
		ORGANISME=!
345
		PTN='^[a-zA-Z0-9-]*$'
345
		PTN='^[a-zA-Z0-9-]*$'
346
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
346
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
347
                do
347
                do
348
			if [ $Lang == "fr" ]
348
			if [ $Lang == "fr" ]
349
			       	then echo -n "Entrez le nom de votre organisme : "
349
			       	then echo -n "Entrez le nom de votre organisme : "
350
				else echo -n "Enter the name of your organism : "
350
				else echo -n "Enter the name of your organism : "
351
			fi
351
			fi
352
			read ORGANISME
352
			read ORGANISME
353
			if [ "$ORGANISME" == "" ]
353
			if [ "$ORGANISME" == "" ]
354
				then
354
				then
355
				ORGANISME=!
355
				ORGANISME=!
356
			fi
356
			fi
357
		done
357
		done
358
	fi
358
	fi
359
# On crée aléatoirement les mots de passe et les secrets partagés
359
# On crée aléatoirement les mots de passe et les secrets partagés
360
	rm -f $PASSWD_FILE
360
	rm -f $PASSWD_FILE
361
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
361
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
362
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
362
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
363
	echo "$grubpwd" >> $PASSWD_FILE
363
	echo "$grubpwd" >> $PASSWD_FILE
364
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
364
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
365
	$SED "/^password.*/d" /boot/grub/menu.lst
365
	$SED "/^password.*/d" /boot/grub/menu.lst
366
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
366
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
367
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
367
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
368
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
368
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
369
	echo "root / $mysqlpwd" >> $PASSWD_FILE
369
	echo "root / $mysqlpwd" >> $PASSWD_FILE
370
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
370
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
371
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
371
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
372
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
372
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
373
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
373
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
374
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
374
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
375
	echo "$secretuam" >> $PASSWD_FILE
375
	echo "$secretuam" >> $PASSWD_FILE
376
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
376
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
377
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
377
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
378
	echo "$secretradius" >> $PASSWD_FILE
378
	echo "$secretradius" >> $PASSWD_FILE
379
	chmod 640 $PASSWD_FILE
379
	chmod 640 $PASSWD_FILE
380
#  copy scripts in in /usr/local/bin
380
#  copy scripts in in /usr/local/bin
381
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
381
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
382
#  copy conf files in /usr/local/etc
382
#  copy conf files in /usr/local/etc
383
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
383
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
384
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
384
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
385
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
385
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
386
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
386
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
387
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
387
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
388
# generate central conf file
388
# generate central conf file
389
	cat <<EOF > $CONF_FILE
389
	cat <<EOF > $CONF_FILE
390
##########################################
390
##########################################
391
##                                      ##
391
##                                      ##
392
##          ALCASAR Parameters          ##
392
##          ALCASAR Parameters          ##
393
##                                      ##
393
##                                      ##
394
##########################################
394
##########################################
395
 
395
 
396
INSTALL_DATE=$DATE
396
INSTALL_DATE=$DATE
397
VERSION=$VERSION
397
VERSION=$VERSION
398
ORGANISM=$ORGANISME
398
ORGANISM=$ORGANISME
399
HOSTNAME=$HOSTNAME
399
HOSTNAME=$HOSTNAME
400
DOMAIN=$DOMAIN
400
DOMAIN=$DOMAIN
401
EOF
401
EOF
402
	chmod o-rwx $CONF_FILE
402
	chmod o-rwx $CONF_FILE
403
} # End of init ()
403
} # End of init ()
404
 
404
 
405
##################################################################
405
##################################################################
406
##			Function "network"			##
406
##			Function "network"			##
407
## - Définition du plan d'adressage du réseau de consultation	##
407
## - Définition du plan d'adressage du réseau de consultation	##
408
## - Nommage DNS du système 					##
408
## - Nommage DNS du système 					##
409
## - Configuration de l'interface INTIF (réseau de consultation)##
409
## - Configuration de l'interface INTIF (réseau de consultation)##
410
## - Modification du fichier /etc/hosts				##
410
## - Modification du fichier /etc/hosts				##
411
## - Renseignement des fichiers hosts.allow et hosts.deny	##
411
## - Renseignement des fichiers hosts.allow et hosts.deny	##
412
##################################################################
412
##################################################################
413
network ()
413
network ()
414
{
414
{
415
	header_install
415
	header_install
416
	if [ "$mode" != "update" ]
416
	if [ "$mode" != "update" ]
417
		then
417
		then
418
		if [ $Lang == "fr" ]
418
		if [ $Lang == "fr" ]
419
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
419
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
420
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
420
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
421
		fi
421
		fi
422
		response=0
422
		response=0
423
		PTN='^[oOyYnN]$'
423
		PTN='^[oOyYnN]$'
424
		until [[ $(expr $response : $PTN) -gt 0 ]]
424
		until [[ $(expr $response : $PTN) -gt 0 ]]
425
		do
425
		do
426
			if [ $Lang == "fr" ]
426
			if [ $Lang == "fr" ]
427
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
427
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
428
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
428
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
429
			fi
429
			fi
430
			read response
430
			read response
431
		done
431
		done
432
		if [ "$response" = "n" ] || [ "$response" = "N" ]
432
		if [ "$response" = "n" ] || [ "$response" = "N" ]
433
		then
433
		then
434
			PRIVATE_IP_MASK="0"
434
			PRIVATE_IP_MASK="0"
435
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
435
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
436
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
436
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
437
			do
437
			do
438
				if [ $Lang == "fr" ]
438
				if [ $Lang == "fr" ]
439
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
439
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
440
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
440
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
441
				fi
441
				fi
442
				read PRIVATE_IP_MASK
442
				read PRIVATE_IP_MASK
443
			done
443
			done
444
		else
444
		else
445
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
445
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
446
		fi
446
		fi
447
	else
447
	else
448
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
448
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
449
		rm -rf conf/etc/alcasar.conf
449
		rm -rf conf/etc/alcasar.conf
450
	fi
450
	fi
451
# Define LAN side global parameters
451
# Define LAN side global parameters
452
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
452
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
453
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
453
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
454
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
454
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
455
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
455
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
456
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
456
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
457
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
457
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
458
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
458
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
459
		then
459
		then
460
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
460
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
461
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
461
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
462
	fi	
462
	fi	
463
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
463
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
464
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
464
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
465
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
465
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
466
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
466
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
467
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
467
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
468
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
468
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
469
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
469
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
470
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
470
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
471
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
471
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
472
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
472
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
473
# Define Internet parameters
473
# Define Internet parameters
474
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
474
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
475
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
475
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
476
	if [ $nb_dns == 2 ]
476
	if [ $nb_dns == 2 ]
477
		then
477
		then
478
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
478
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
479
	fi
479
	fi
480
	DNS1=${DNS1:=208.67.220.220}
480
	DNS1=${DNS1:=208.67.220.220}
481
	DNS2=${DNS2:=208.67.222.222}
481
	DNS2=${DNS2:=208.67.222.222}
482
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
482
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
483
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
483
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
484
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
484
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
485
# Wrtie the conf file
485
# Wrtie the conf file
486
	echo "EXTIF=$EXTIF" >> $CONF_FILE
486
	echo "EXTIF=$EXTIF" >> $CONF_FILE
487
	echo "INTIF=$INTIF" >> $CONF_FILE
487
	echo "INTIF=$INTIF" >> $CONF_FILE
488
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
488
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
489
	if [ $IP_SETTING == "dhcp" ]
489
	if [ $IP_SETTING == "dhcp" ]
490
		then
490
		then
491
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
491
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
492
		echo "GW=dhcp" >> $CONF_FILE
492
		echo "GW=dhcp" >> $CONF_FILE
493
	else
493
	else
494
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
494
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
495
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
495
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
496
	fi
496
	fi
497
	echo "DNS1=$DNS1" >> $CONF_FILE
497
	echo "DNS1=$DNS1" >> $CONF_FILE
498
	echo "DNS2=$DNS2" >> $CONF_FILE
498
	echo "DNS2=$DNS2" >> $CONF_FILE
499
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
499
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
500
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
500
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
501
	echo "DHCP=on" >> $CONF_FILE
501
	echo "DHCP=on" >> $CONF_FILE
502
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
502
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
503
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
503
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
504
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
504
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
505
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
505
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
506
	echo "INT_DNS_IP=none" >> $CONF_FILE
506
	echo "INT_DNS_IP=none" >> $CONF_FILE
507
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
507
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
508
# network default
508
# network default
509
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
509
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
510
	cat <<EOF > /etc/sysconfig/network
510
	cat <<EOF > /etc/sysconfig/network
511
NETWORKING=yes
511
NETWORKING=yes
512
FORWARD_IPV4=true
512
FORWARD_IPV4=true
513
EOF
513
EOF
514
# /etc/hosts config
514
# /etc/hosts config
515
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
515
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
516
	cat <<EOF > /etc/hosts
516
	cat <<EOF > /etc/hosts
517
127.0.0.1	localhost
517
127.0.0.1	localhost
518
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
518
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
519
EOF
519
EOF
520
# EXTIF (Internet) config
520
# EXTIF (Internet) config
521
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
521
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
522
	if [ $IP_SETTING == "dhcp" ]
522
	if [ $IP_SETTING == "dhcp" ]
523
		then
523
		then
524
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
524
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
525
DEVICE=$EXTIF
525
DEVICE=$EXTIF
526
BOOTPROTO=dhcp
526
BOOTPROTO=dhcp
527
DNS1=127.0.0.1
527
DNS1=127.0.0.1
528
PEERDNS=no
528
PEERDNS=no
529
RESOLV_MODS=yes
529
RESOLV_MODS=yes
530
ONBOOT=yes
530
ONBOOT=yes
531
NOZEROCONF=yes
531
NOZEROCONF=yes
532
METRIC=10
532
METRIC=10
533
MII_NOT_SUPPORTED=yes
533
MII_NOT_SUPPORTED=yes
534
IPV6INIT=no
534
IPV6INIT=no
535
IPV6TO4INIT=no
535
IPV6TO4INIT=no
536
ACCOUNTING=no
536
ACCOUNTING=no
537
USERCTL=no
537
USERCTL=no
538
MTU=$MTU
538
MTU=$MTU
539
EOF
539
EOF
540
		else	
540
		else	
541
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
541
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
542
DEVICE=$EXTIF
542
DEVICE=$EXTIF
543
BOOTPROTO=static
543
BOOTPROTO=static
544
IPADDR=$PUBLIC_IP
544
IPADDR=$PUBLIC_IP
545
NETMASK=$PUBLIC_NETMASK
545
NETMASK=$PUBLIC_NETMASK
546
GATEWAY=$PUBLIC_GATEWAY
546
GATEWAY=$PUBLIC_GATEWAY
547
DNS1=127.0.0.1
547
DNS1=127.0.0.1
548
RESOLV_MODS=yes
548
RESOLV_MODS=yes
549
ONBOOT=yes
549
ONBOOT=yes
550
METRIC=10
550
METRIC=10
551
NOZEROCONF=yes
551
NOZEROCONF=yes
552
MII_NOT_SUPPORTED=yes
552
MII_NOT_SUPPORTED=yes
553
IPV6INIT=no
553
IPV6INIT=no
554
IPV6TO4INIT=no
554
IPV6TO4INIT=no
555
ACCOUNTING=no
555
ACCOUNTING=no
556
USERCTL=no
556
USERCTL=no
557
MTU=$MTU
557
MTU=$MTU
558
EOF
558
EOF
559
	fi
559
	fi
560
# Config INTIF (consultation LAN) in normal mode
560
# Config INTIF (consultation LAN) in normal mode
561
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
561
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
562
DEVICE=$INTIF
562
DEVICE=$INTIF
563
BOOTPROTO=static
563
BOOTPROTO=static
564
ONBOOT=yes
564
ONBOOT=yes
565
NOZEROCONF=yes
565
NOZEROCONF=yes
566
MII_NOT_SUPPORTED=yes
566
MII_NOT_SUPPORTED=yes
567
IPV6INIT=no
567
IPV6INIT=no
568
IPV6TO4INIT=no
568
IPV6TO4INIT=no
569
ACCOUNTING=no
569
ACCOUNTING=no
570
USERCTL=no
570
USERCTL=no
571
EOF
571
EOF
572
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
572
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
573
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
573
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
574
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
574
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
575
DEVICE=$INTIF
575
DEVICE=$INTIF
576
BOOTPROTO=static
576
BOOTPROTO=static
577
IPADDR=$PRIVATE_IP
577
IPADDR=$PRIVATE_IP
578
NETMASK=$PRIVATE_NETMASK
578
NETMASK=$PRIVATE_NETMASK
579
ONBOOT=yes
579
ONBOOT=yes
580
METRIC=10
580
METRIC=10
581
NOZEROCONF=yes
581
NOZEROCONF=yes
582
MII_NOT_SUPPORTED=yes
582
MII_NOT_SUPPORTED=yes
583
IPV6INIT=no
583
IPV6INIT=no
584
IPV6TO4INIT=no
584
IPV6TO4INIT=no
585
ACCOUNTING=no
585
ACCOUNTING=no
586
USERCTL=no
586
USERCTL=no
587
EOF
587
EOF
588
# Renseignement des fichiers hosts.allow et hosts.deny
588
# Renseignement des fichiers hosts.allow et hosts.deny
589
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
589
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
590
	cat <<EOF > /etc/hosts.allow
590
	cat <<EOF > /etc/hosts.allow
591
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
591
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
592
sshd: ALL
592
sshd: ALL
593
ntpd: $PRIVATE_NETWORK_SHORT
593
ntpd: $PRIVATE_NETWORK_SHORT
594
EOF
594
EOF
595
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
595
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
596
	cat <<EOF > /etc/hosts.deny
596
	cat <<EOF > /etc/hosts.deny
597
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
597
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
598
EOF
598
EOF
599
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
599
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
600
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
600
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
601
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
601
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
602
# load conntrack ftp module
602
# load conntrack ftp module
603
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
603
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
604
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
604
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
605
# load ipt_NETFLOW module
605
# load ipt_NETFLOW module
606
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
606
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
607
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
607
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
608
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
608
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
609
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
609
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
610
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
610
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
611
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
611
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
612
# 
612
# 
613
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
613
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
614
} # End of network ()
614
} # End of network ()
615
 
615
 
616
##################################################################
616
##################################################################
617
##			Function "ACC"				##
617
##			Function "ACC"				##
618
## - installation of then ALCASAR Control Center (ACC)	)	##
618
## - installation of then ALCASAR Control Center (ACC)	)	##
619
## - configuration of the web server (Apache)			##
619
## - configuration of the web server (Apache)			##
620
## - creation of the first ACC admin account 			##
620
## - creation of the first ACC admin account 			##
621
## - secure the access						##
621
## - secure the access						##
622
##################################################################
622
##################################################################
623
ACC ()
623
ACC ()
624
{
624
{
625
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
625
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
626
	mkdir $DIR_WEB
626
	mkdir $DIR_WEB
627
# Copy & adapt ACC files
627
# Copy & adapt ACC files
628
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
628
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
629
	echo "$VERSION" > $DIR_WEB/VERSION
629
	echo "$VERSION" > $DIR_WEB/VERSION
630
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
630
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
631
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
631
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
632
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
632
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
633
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
633
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
634
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
634
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
635
	chown -R apache:apache $DIR_WEB/*
635
	chown -R apache:apache $DIR_WEB/*
636
# copy & adapt "freeradius-web" files
636
# copy & adapt "freeradius-web" files
637
	cp -rf $DIR_CONF/freeradius-web/ /etc/
637
	cp -rf $DIR_CONF/freeradius-web/ /etc/
638
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
638
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
639
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
639
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
640
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
640
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
641
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
641
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
642
	cat <<EOF > /etc/freeradius-web/naslist.conf
642
	cat <<EOF > /etc/freeradius-web/naslist.conf
643
nas1_name: alcasar-$ORGANISME
643
nas1_name: alcasar-$ORGANISME
644
nas1_model: Network Access Controler
644
nas1_model: Network Access Controler
645
nas1_ip: $PRIVATE_IP
645
nas1_ip: $PRIVATE_IP
646
nas1_port_num: 0
646
nas1_port_num: 0
647
nas1_community: public
647
nas1_community: public
648
EOF
648
EOF
649
	chown -R apache:apache /etc/freeradius-web/
649
	chown -R apache:apache /etc/freeradius-web/
650
# create the log & backup structure :
650
# create the log & backup structure :
651
# - base = users database
651
# - base = users database
652
# - archive = tarball of "base + http firewall + netflow"
652
# - archive = tarball of "base + http firewall + netflow"
653
# - security = watchdog log
653
# - security = watchdog log
654
	for i in base archive security;
654
	for i in base archive security;
655
	do
655
	do
656
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
656
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
657
	done
657
	done
658
	chown -R root:apache $DIR_SAVE
658
	chown -R root:apache $DIR_SAVE
659
# Configuring & securing php
659
# Configuring & securing php
660
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
660
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
661
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
661
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
662
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
662
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
663
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
663
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
664
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
664
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
665
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
665
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
666
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
666
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
667
# Configuring & sécuring Apache
667
# Configuring & sécuring Apache
668
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
668
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
669
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
669
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
670
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
670
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
671
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
671
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
672
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
672
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
673
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
673
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
674
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
674
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
675
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
675
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
676
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
676
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
677
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
677
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
678
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
678
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
679
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
679
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
680
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
680
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
681
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
681
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
682
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
682
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
683
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
683
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
684
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
684
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
685
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
685
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
686
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
686
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
687
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
687
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
688
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
688
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
689
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
689
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
690
# Error page management
690
# Error page management
691
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
691
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
692
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
692
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
693
Alias /error/ "/var/www/html/"
693
Alias /error/ "/var/www/html/"
694
<Directory "/usr/share/httpd/error">
694
<Directory "/usr/share/httpd/error">
695
    AllowOverride None
695
    AllowOverride None
696
    Options IncludesNoExec
696
    Options IncludesNoExec
697
    AddOutputFilter Includes html
697
    AddOutputFilter Includes html
698
    AddHandler type-map var
698
    AddHandler type-map var
699
    Require all granted
699
    Require all granted
700
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
700
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
701
    ForceLanguagePriority Prefer Fallback
701
    ForceLanguagePriority Prefer Fallback
702
</Directory>
702
</Directory>
703
ErrorDocument 400 /error/error.php?error=400
703
ErrorDocument 400 /error/error.php?error=400
704
ErrorDocument 401 /error/error.php?error=401
704
ErrorDocument 401 /error/error.php?error=401
705
ErrorDocument 403 /error/error.php?error=403
705
ErrorDocument 403 /error/error.php?error=403
706
ErrorDocument 404 /error/index.php
706
ErrorDocument 404 /error/index.php
707
ErrorDocument 405 /error/error.php?error=405
707
ErrorDocument 405 /error/error.php?error=405
708
ErrorDocument 408 /error/error.php?error=408
708
ErrorDocument 408 /error/error.php?error=408
709
ErrorDocument 410 /error/error.php?error=410
709
ErrorDocument 410 /error/error.php?error=410
710
ErrorDocument 411 /error/error.php?error=411
710
ErrorDocument 411 /error/error.php?error=411
711
ErrorDocument 412 /error/error.php?error=412
711
ErrorDocument 412 /error/error.php?error=412
712
ErrorDocument 413 /error/error.php?error=413
712
ErrorDocument 413 /error/error.php?error=413
713
ErrorDocument 414 /error/error.php?error=414
713
ErrorDocument 414 /error/error.php?error=414
714
ErrorDocument 415 /error/error.php?error=415
714
ErrorDocument 415 /error/error.php?error=415
715
ErrorDocument 500 /error/error.php?error=500
715
ErrorDocument 500 /error/error.php?error=500
716
ErrorDocument 501 /error/error.php?error=501
716
ErrorDocument 501 /error/error.php?error=501
717
ErrorDocument 502 /error/error.php?error=502
717
ErrorDocument 502 /error/error.php?error=502
718
ErrorDocument 503 /error/error.php?error=503
718
ErrorDocument 503 /error/error.php?error=503
719
ErrorDocument 506 /error/error.php?error=506
719
ErrorDocument 506 /error/error.php?error=506
720
EOF
720
EOF
721
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
721
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
722
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
722
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
723
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
723
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
724
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
724
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
725
</body>
725
</body>
726
</html>
726
</html>
727
EOF
727
EOF
728
# Définition du premier compte lié au profil 'admin'
728
# Définition du premier compte lié au profil 'admin'
729
if [ "$mode" = "install" ]
729
if [ "$mode" = "install" ]
730
	then
730
	then
731
		header_install
731
		header_install
732
		admin_portal=!
732
		admin_portal=!
733
		PTN='^[a-zA-Z0-9-]*$'
733
		PTN='^[a-zA-Z0-9-]*$'
734
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
734
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
735
                	do
735
                	do
736
			header_install
736
			header_install
737
			if [ $Lang == "fr" ]
737
			if [ $Lang == "fr" ]
738
			then 
738
			then 
739
				echo ""
739
				echo ""
740
				echo "Définissez un premier compte d'administration du portail :"
740
				echo "Définissez un premier compte d'administration du portail :"
741
				echo
741
				echo
742
				echo -n "Nom : "
742
				echo -n "Nom : "
743
			else
743
			else
744
				echo ""
744
				echo ""
745
				echo "Define the first account allow to administrate the portal :"
745
				echo "Define the first account allow to administrate the portal :"
746
				echo
746
				echo
747
				echo -n "Account : "
747
				echo -n "Account : "
748
			fi
748
			fi
749
			read admin_portal
749
			read admin_portal
750
			if [ "$admin_portal" == "" ]
750
			if [ "$admin_portal" == "" ]
751
				then
751
				then
752
				admin_portal=!
752
				admin_portal=!
753
			fi
753
			fi
754
			done
754
			done
755
# Creation of keys file for the admin account ("admin")
755
# Creation of keys file for the admin account ("admin")
756
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
756
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
757
		mkdir -p $DIR_DEST_ETC/digest
757
		mkdir -p $DIR_DEST_ETC/digest
758
		chmod 755 $DIR_DEST_ETC/digest
758
		chmod 755 $DIR_DEST_ETC/digest
759
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
759
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
760
			do
760
			do
761
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
761
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
762
			done
762
			done
763
		$DIR_DEST_BIN/alcasar-profil.sh --list
763
		$DIR_DEST_BIN/alcasar-profil.sh --list
764
fi
764
fi
765
# ACC partitioning
765
# ACC partitioning
766
	rm -f /etc/httpd/conf/webapps.d/alcasar*
766
	rm -f /etc/httpd/conf/webapps.d/alcasar*
767
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
767
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
768
<Directory $DIR_ACC>
768
<Directory $DIR_ACC>
769
	SSLRequireSSL
769
	SSLRequireSSL
770
	AllowOverride None
770
	AllowOverride None
771
	Order deny,allow
771
	Order deny,allow
772
	Deny from all
772
	Deny from all
773
	Allow from 127.0.0.1
773
	Allow from 127.0.0.1
774
	Allow from $PRIVATE_NETWORK_MASK
774
	Allow from $PRIVATE_NETWORK_MASK
775
	require valid-user
775
	require valid-user
776
	AuthType digest
776
	AuthType digest
777
	AuthName "ALCASAR Control Center (ACC)" 
777
	AuthName "ALCASAR Control Center (ACC)" 
778
	AuthDigestDomain $HOSTNAME.$DOMAIN
778
	AuthDigestDomain $HOSTNAME.$DOMAIN
779
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
779
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
780
	AuthUserFile $DIR_DEST_ETC/digest/key_all
780
	AuthUserFile $DIR_DEST_ETC/digest/key_all
781
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
781
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
782
</Directory>
782
</Directory>
783
<Directory $DIR_ACC/admin>
783
<Directory $DIR_ACC/admin>
784
	SSLRequireSSL
784
	SSLRequireSSL
785
	AllowOverride None
785
	AllowOverride None
786
	Order deny,allow
786
	Order deny,allow
787
	Deny from all
787
	Deny from all
788
	Allow from 127.0.0.1
788
	Allow from 127.0.0.1
789
	Allow from $PRIVATE_NETWORK_MASK
789
	Allow from $PRIVATE_NETWORK_MASK
790
	require valid-user
790
	require valid-user
791
	AuthType digest
791
	AuthType digest
792
	AuthName "ALCASAR Control Center (ACC)" 
792
	AuthName "ALCASAR Control Center (ACC)" 
793
	AuthDigestDomain $HOSTNAME.$DOMAIN
793
	AuthDigestDomain $HOSTNAME.$DOMAIN
794
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
794
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
795
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
795
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
796
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
796
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
797
</Directory>
797
</Directory>
798
<Directory $DIR_ACC/manager>
798
<Directory $DIR_ACC/manager>
799
	SSLRequireSSL
799
	SSLRequireSSL
800
	AllowOverride None
800
	AllowOverride None
801
	Order deny,allow
801
	Order deny,allow
802
	Deny from all
802
	Deny from all
803
	Allow from 127.0.0.1
803
	Allow from 127.0.0.1
804
	Allow from $PRIVATE_NETWORK_MASK
804
	Allow from $PRIVATE_NETWORK_MASK
805
	require valid-user
805
	require valid-user
806
	AuthType digest
806
	AuthType digest
807
	AuthName "ALCASAR Control Center (ACC)" 
807
	AuthName "ALCASAR Control Center (ACC)" 
808
	AuthDigestDomain $HOSTNAME.$DOMAIN
808
	AuthDigestDomain $HOSTNAME.$DOMAIN
809
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
809
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
810
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
810
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
811
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
812
</Directory>
812
</Directory>
813
<Directory $DIR_ACC/backup>
813
<Directory $DIR_ACC/backup>
814
	SSLRequireSSL
814
	SSLRequireSSL
815
	AllowOverride None
815
	AllowOverride None
816
	Order deny,allow
816
	Order deny,allow
817
	Deny from all
817
	Deny from all
818
	Allow from 127.0.0.1
818
	Allow from 127.0.0.1
819
	Allow from $PRIVATE_NETWORK_MASK
819
	Allow from $PRIVATE_NETWORK_MASK
820
	require valid-user
820
	require valid-user
821
	AuthType digest
821
	AuthType digest
822
	AuthName "ALCASAR Control Center (ACC)" 
822
	AuthName "ALCASAR Control Center (ACC)" 
823
	AuthDigestDomain $HOSTNAME.$DOMAIN
823
	AuthDigestDomain $HOSTNAME.$DOMAIN
824
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
824
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
825
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
825
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
826
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
826
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
827
</Directory>
827
</Directory>
828
Alias /save/ "$DIR_SAVE/"
828
Alias /save/ "$DIR_SAVE/"
829
<Directory $DIR_SAVE>
829
<Directory $DIR_SAVE>
830
	SSLRequireSSL
830
	SSLRequireSSL
831
	Options Indexes
831
	Options Indexes
832
	Order deny,allow
832
	Order deny,allow
833
	Deny from all
833
	Deny from all
834
	Allow from 127.0.0.1
834
	Allow from 127.0.0.1
835
	Allow from $PRIVATE_NETWORK_MASK
835
	Allow from $PRIVATE_NETWORK_MASK
836
	require valid-user
836
	require valid-user
837
	AuthType digest
837
	AuthType digest
838
	AuthName "ALCASAR Control Center (ACC)" 
838
	AuthName "ALCASAR Control Center (ACC)" 
839
	AuthDigestDomain $HOSTNAME.$DOMAIN
839
	AuthDigestDomain $HOSTNAME.$DOMAIN
840
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
840
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
841
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
841
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
842
</Directory>
842
</Directory>
843
<Directory $DIR_WEB/pass>
843
<Directory $DIR_WEB/pass>
844
	SSLRequireSSL
844
	SSLRequireSSL
845
	AllowOverride None
845
	AllowOverride None
846
	Order deny,allow
846
	Order deny,allow
847
	Deny from all
847
	Deny from all
848
	Allow from 127.0.0.1
848
	Allow from 127.0.0.1
849
	Allow from $PRIVATE_NETWORK_MASK
849
	Allow from $PRIVATE_NETWORK_MASK
850
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
850
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
851
</Directory>
851
</Directory>
852
EOF
852
EOF
853
# Replacement of the extension .cer by .der in MIME type
853
# Replacement of the extension .cer by .der in MIME type
854
$SED "s?^application/pkix-cert.*?application/pkix-cert		der?g" /etc/mime.types
854
$SED "s?^application/pkix-cert.*?application/pkix-cert		der?g" /etc/mime.types
855
# Launch after coova (in order to wait tun0 to be up)
855
# Launch after coova (in order to wait tun0 to be up)
856
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
856
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
857
} # End of ACC ()
857
} # End of ACC ()
858
 
858
 
859
##########################################################################
859
##########################################################################
860
##				Fonction "CA"				##
860
##				Fonction "CA"				##
861
## - Creating the CA and the server certificate (apache)	 	##
861
## - Creating the CA and the server certificate (apache)	 	##
862
##########################################################################
862
##########################################################################
863
CA ()
863
CA ()
864
{
864
{
865
	$DIR_DEST_BIN/alcasar-CA.sh
865
	$DIR_DEST_BIN/alcasar-CA.sh
866
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
866
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
867
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
867
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
868
	cat <<EOF > $FIC_VIRTUAL_SSL
868
	cat <<EOF > $FIC_VIRTUAL_SSL
869
# default SSL virtual host, used for all HTTPS requests that do not
869
# default SSL virtual host, used for all HTTPS requests that do not
870
# match a ServerName or ServerAlias in any <VirtualHost> block.
870
# match a ServerName or ServerAlias in any <VirtualHost> block.
871
 
871
 
872
<VirtualHost _default_:443>
872
<VirtualHost _default_:443>
873
# general configuration
873
# general configuration
874
    ServerAdmin root@localhost
874
    ServerAdmin root@localhost
875
    ServerName $HOSTNAME.$DOMAIN
875
    ServerName $HOSTNAME.$DOMAIN
876
 
876
 
877
# SSL configuration
877
# SSL configuration
878
    SSLEngine on
878
    SSLEngine on
879
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
879
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
880
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
880
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
881
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
881
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
882
    CustomLog logs/ssl_request_log \
882
    CustomLog logs/ssl_request_log \
883
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
883
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
884
    ErrorLog logs/ssl_error_log
884
    ErrorLog logs/ssl_error_log
885
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
885
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
886
</VirtualHost>
886
</VirtualHost>
887
EOF
887
EOF
888
	chown -R root:apache /etc/pki
888
	chown -R root:apache /etc/pki
889
	chmod -R 750 /etc/pki
889
	chmod -R 750 /etc/pki
890
} # End of CA ()
890
} # End of CA ()
891
 
891
 
892
##################################################################
892
##################################################################
893
##			Function "time_server"			##
893
##			Function "time_server"			##
894
## - Configuring NTP server					##
894
## - Configuring NTP server					##
895
##################################################################
895
##################################################################
896
time_server ()
896
time_server ()
897
{
897
{
898
# Set the Internet time server
898
# Set the Internet time server
899
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
899
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
900
	cat <<EOF > /etc/ntp/step-tickers
900
	cat <<EOF > /etc/ntp/step-tickers
901
0.fr.pool.ntp.org	# adapt to your country
901
0.fr.pool.ntp.org	# adapt to your country
902
1.fr.pool.ntp.org
902
1.fr.pool.ntp.org
903
2.fr.pool.ntp.org
903
2.fr.pool.ntp.org
904
EOF
904
EOF
905
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
905
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
906
	cat <<EOF > /etc/ntp.conf
906
	cat <<EOF > /etc/ntp.conf
907
server 0.fr.pool.ntp.org	# adapt to your country
907
server 0.fr.pool.ntp.org	# adapt to your country
908
server 1.fr.pool.ntp.org
908
server 1.fr.pool.ntp.org
909
server 2.fr.pool.ntp.org
909
server 2.fr.pool.ntp.org
910
server 127.127.1.0   		# local clock si NTP internet indisponible ...
910
server 127.127.1.0   		# local clock si NTP internet indisponible ...
911
fudge 127.127.1.0 stratum 10
911
fudge 127.127.1.0 stratum 10
912
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
912
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
913
restrict 127.0.0.1
913
restrict 127.0.0.1
914
driftfile /var/lib/ntp/drift
914
driftfile /var/lib/ntp/drift
915
logfile /var/log/ntp.log
915
logfile /var/log/ntp.log
916
disable monitor
916
disable monitor
917
EOF
917
EOF
918
	chown -R ntp:ntp /var/lib/ntp
918
	chown -R ntp:ntp /var/lib/ntp
919
# Synchronize now
919
# Synchronize now
920
	ntpd -q -g &
920
	ntpd -q -g &
921
} # End of time_server ()
921
} # End of time_server ()
922
 
922
 
923
##########################################################################################
923
##########################################################################################
924
##			Fonction "init_db"						##
924
##			Fonction "init_db"						##
925
## - Initialisation de la base Mysql							##
925
## - Initialisation de la base Mysql							##
926
## - Affectation du mot de passe de l'administrateur (root)				##
926
## - Affectation du mot de passe de l'administrateur (root)				##
927
## - Suppression des bases et des utilisateurs superflus				##
927
## - Suppression des bases et des utilisateurs superflus				##
928
## - Création de la base 'radius'							##
928
## - Création de la base 'radius'							##
929
## - Installation du schéma de cette base						##
929
## - Installation du schéma de cette base						##
930
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
930
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
931
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
931
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
932
##########################################################################################
932
##########################################################################################
933
init_db ()
933
init_db ()
934
{
934
{
935
	if [ `systemctl is-active mysqld` == "active" ]
935
	if [ `systemctl is-active mysqld` == "active" ]
936
	then
936
	then
937
		systemctl stop mysqld
937
		systemctl stop mysqld
938
	fi
938
	fi
939
	rm -rf /var/lib/mysql # to be sure that there is no former installation
939
	rm -rf /var/lib/mysql # to be sure that there is no former installation
940
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
940
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
941
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
941
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
942
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
942
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
943
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
943
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
944
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
944
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
945
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
945
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
946
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
946
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
947
	/usr/bin/systemctl start mysqld.service
947
	/usr/bin/systemctl start mysqld.service
948
	nb_round=1
948
	nb_round=1
949
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
949
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
950
	do
950
	do
951
		nb_round=`expr $nb_round + 1`
951
		nb_round=`expr $nb_round + 1`
952
		sleep 2
952
		sleep 2
953
	done
953
	done
954
	if [ ! -S /var/lib/mysql/mysql.sock ]
954
	if [ ! -S /var/lib/mysql/mysql.sock ]
955
	then
955
	then
956
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
956
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
957
		exit
957
		exit
958
	fi
958
	fi
959
	mysqladmin -u root password $mysqlpwd
959
	mysqladmin -u root password $mysqlpwd
960
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
960
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
961
# Secure the server
961
# Secure the server
962
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
962
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
963
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
963
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
964
# Create 'radius' database
964
# Create 'radius' database
965
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
965
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
966
# Add an empty radius database structure
966
# Add an empty radius database structure
967
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
967
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
968
# modify the start script in order to close accounting connexion when the system is comming down or up
968
# modify the start script in order to close accounting connexion when the system is comming down or up
969
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
969
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
970
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
970
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
971
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
971
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
972
	/usr/bin/systemctl daemon-reload
972
	/usr/bin/systemctl daemon-reload
973
} # End of init_db ()
973
} # End of init_db ()
974
 
974
 
975
##########################################################################
975
##########################################################################
976
##			Fonction "radius"				##
976
##			Fonction "radius"				##
977
## - Paramètrage des fichiers de configuration FreeRadius		##
977
## - Paramètrage des fichiers de configuration FreeRadius		##
978
## - Affectation du secret partagé entre coova-chilli et freeradius	##
978
## - Affectation du secret partagé entre coova-chilli et freeradius	##
979
## - Modification de fichier de conf pour l'accès à Mysql		##
979
## - Modification de fichier de conf pour l'accès à Mysql		##
980
##########################################################################
980
##########################################################################
981
radius ()
981
radius ()
982
{
982
{
983
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
983
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
984
	chown -R radius:radius /etc/raddb
984
	chown -R radius:radius /etc/raddb
985
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
985
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
986
# Set radius.conf parameters
986
# Set radius.conf parameters
987
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
987
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
988
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
988
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
989
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
989
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
990
# remove the proxy function
990
# remove the proxy function
991
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
991
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
992
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
992
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
993
# remove EAP module
993
# remove EAP module
994
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
994
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
995
# listen on loopback (should be modified later if EAP enabled)
995
# listen on loopback (should be modified later if EAP enabled)
996
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
996
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
997
# enable the  SQL module (and SQL counter)
997
# enable the  SQL module (and SQL counter)
998
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
998
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
999
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
999
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1000
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1000
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1001
# only include modules for ALCASAR needs
1001
# only include modules for ALCASAR needs
1002
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1002
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1003
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
1003
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
1004
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
1004
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
1005
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
1005
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
1006
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
1006
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
1007
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1007
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1008
# remvove virtual server and copy our conf file
1008
# remvove virtual server and copy our conf file
1009
	rm -f /etc/raddb/sites-enabled/*
1009
	rm -f /etc/raddb/sites-enabled/*
1010
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1010
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1011
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1011
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1012
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1012
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1013
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1013
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1014
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1014
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1015
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1015
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1016
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1016
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1017
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1017
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1018
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1018
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1019
	cat << EOF > /etc/raddb/clients.conf
1019
	cat << EOF > /etc/raddb/clients.conf
1020
client 127.0.0.1 {
1020
client 127.0.0.1 {
1021
	secret = $secretradius
1021
	secret = $secretradius
1022
	shortname = localhost
1022
	shortname = localhost
1023
}
1023
}
1024
EOF
1024
EOF
1025
# sql.conf modification
1025
# sql.conf modification
1026
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1026
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1027
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1027
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1028
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1028
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1029
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1029
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1030
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1030
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1031
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1031
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1032
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1032
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1033
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1033
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1034
# counter.conf modification (change the Max-All-Session-Time counter)
1034
# counter.conf modification (change the Max-All-Session-Time counter)
1035
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1035
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1036
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1036
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1037
	chown -R radius:radius /etc/raddb/sql/mysql/*
1037
	chown -R radius:radius /etc/raddb/sql/mysql/*
1038
# make certain that mysql is up before radius start
1038
# make certain that mysql is up before radius start
1039
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1039
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1040
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1040
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1041
	/usr/bin/systemctl daemon-reload
1041
	/usr/bin/systemctl daemon-reload
1042
} # End radius ()
1042
} # End radius ()
1043
 
1043
 
1044
##################################################################################
1044
##################################################################################
1045
##			Fonction "chilli"					##
1045
##			Fonction "chilli"					##
1046
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1046
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1047
## - Paramètrage de la page d'authentification (intercept.php)			##
1047
## - Paramètrage de la page d'authentification (intercept.php)			##
1048
##################################################################################
1048
##################################################################################
1049
chilli ()
1049
chilli ()
1050
{
1050
{
1051
# chilli unit for systemd
1051
# chilli unit for systemd
1052
cat << EOF > /lib/systemd/system/chilli.service
1052
cat << EOF > /lib/systemd/system/chilli.service
1053
#  This file is part of systemd.
1053
#  This file is part of systemd.
1054
#
1054
#
1055
#  systemd is free software; you can redistribute it and/or modify it
1055
#  systemd is free software; you can redistribute it and/or modify it
1056
#  under the terms of the GNU General Public License as published by
1056
#  under the terms of the GNU General Public License as published by
1057
#  the Free Software Foundation; either version 2 of the License, or
1057
#  the Free Software Foundation; either version 2 of the License, or
1058
#  (at your option) any later version.
1058
#  (at your option) any later version.
1059
[Unit]
1059
[Unit]
1060
Description=chilli is a captive portal daemon
1060
Description=chilli is a captive portal daemon
1061
After=network.target
1061
After=network.target
1062
 
1062
 
1063
[Service]
1063
[Service]
1064
Type=forking
1064
Type=forking
1065
ExecStart=/usr/libexec/chilli start
1065
ExecStart=/usr/libexec/chilli start
1066
ExecStop=/usr/libexec/chilli stop
1066
ExecStop=/usr/libexec/chilli stop
1067
ExecReload=/usr/libexec/chilli reload
1067
ExecReload=/usr/libexec/chilli reload
1068
PIDFile=/var/run/chilli.pid
1068
PIDFile=/var/run/chilli.pid
1069
 
1069
 
1070
[Install]
1070
[Install]
1071
WantedBy=multi-user.target
1071
WantedBy=multi-user.target
1072
EOF
1072
EOF
1073
# init file creation
1073
# init file creation
1074
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1074
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1075
	cat <<EOF > /etc/init.d/chilli
1075
	cat <<EOF > /etc/init.d/chilli
1076
#!/bin/sh
1076
#!/bin/sh
1077
#
1077
#
1078
# chilli CoovaChilli init
1078
# chilli CoovaChilli init
1079
#
1079
#
1080
# chkconfig: 2345 65 35
1080
# chkconfig: 2345 65 35
1081
# description: CoovaChilli
1081
# description: CoovaChilli
1082
### BEGIN INIT INFO
1082
### BEGIN INIT INFO
1083
# Provides:       chilli
1083
# Provides:       chilli
1084
# Required-Start: network 
1084
# Required-Start: network 
1085
# Should-Start: 
1085
# Should-Start: 
1086
# Required-Stop:  network
1086
# Required-Stop:  network
1087
# Should-Stop: 
1087
# Should-Stop: 
1088
# Default-Start:  2 3 5
1088
# Default-Start:  2 3 5
1089
# Default-Stop:
1089
# Default-Stop:
1090
# Description:    CoovaChilli access controller
1090
# Description:    CoovaChilli access controller
1091
### END INIT INFO
1091
### END INIT INFO
1092
 
1092
 
1093
[ -f /usr/sbin/chilli ] || exit 0
1093
[ -f /usr/sbin/chilli ] || exit 0
1094
. /etc/init.d/functions
1094
. /etc/init.d/functions
1095
CONFIG=/etc/chilli.conf
1095
CONFIG=/etc/chilli.conf
1096
pidfile=/var/run/chilli.pid
1096
pidfile=/var/run/chilli.pid
1097
[ -f \$CONFIG ] || {
1097
[ -f \$CONFIG ] || {
1098
    echo "\$CONFIG Not found"
1098
    echo "\$CONFIG Not found"
1099
    exit 0
1099
    exit 0
1100
}
1100
}
1101
RETVAL=0
1101
RETVAL=0
1102
prog="chilli"
1102
prog="chilli"
1103
case \$1 in
1103
case \$1 in
1104
    start)
1104
    start)
1105
	if [ -f \$pidfile ] ; then 
1105
	if [ -f \$pidfile ] ; then 
1106
		gprintf "chilli is already running"
1106
		gprintf "chilli is already running"
1107
	else
1107
	else
1108
        	gprintf "Starting \$prog: "
1108
        	gprintf "Starting \$prog: "
1109
		rm -f /var/run/chilli* # cleaning
1109
		rm -f /var/run/chilli* # cleaning
1110
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1110
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1111
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1111
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1112
		[ -e /dev/net/tun ] || {
1112
		[ -e /dev/net/tun ] || {
1113
	    	(cd /dev; 
1113
	    	(cd /dev; 
1114
			mkdir net; 
1114
			mkdir net; 
1115
			cd net; 
1115
			cd net; 
1116
			mknod tun c 10 200)
1116
			mknod tun c 10 200)
1117
		}
1117
		}
1118
		ifconfig $INTIF 0.0.0.0
1118
		ifconfig $INTIF 0.0.0.0
1119
		/usr/sbin/ethtool -K $INTIF gro off
1119
		/usr/sbin/ethtool -K $INTIF gro off
1120
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1120
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1121
        	RETVAL=$?
1121
        	RETVAL=$?
1122
	fi
1122
	fi
1123
	;;
1123
	;;
1124
 
1124
 
1125
    reload)
1125
    reload)
1126
	killall -HUP chilli
1126
	killall -HUP chilli
1127
	;;
1127
	;;
1128
 
1128
 
1129
    restart)
1129
    restart)
1130
	\$0 stop
1130
	\$0 stop
1131
        sleep 2
1131
        sleep 2
1132
	\$0 start
1132
	\$0 start
1133
	;;
1133
	;;
1134
    
1134
    
1135
    status)
1135
    status)
1136
        status chilli
1136
        status chilli
1137
        RETVAL=0
1137
        RETVAL=0
1138
        ;;
1138
        ;;
1139
 
1139
 
1140
    stop)
1140
    stop)
1141
	if [ -f \$pidfile ] ; then  
1141
	if [ -f \$pidfile ] ; then  
1142
        	gprintf "Shutting down \$prog: "
1142
        	gprintf "Shutting down \$prog: "
1143
		killproc /usr/sbin/chilli
1143
		killproc /usr/sbin/chilli
1144
		RETVAL=\$?
1144
		RETVAL=\$?
1145
		[ \$RETVAL = 0 ] && rm -f $pidfile
1145
		[ \$RETVAL = 0 ] && rm -f $pidfile
1146
	else	
1146
	else	
1147
        	gprintf "chilli is not running"
1147
        	gprintf "chilli is not running"
1148
	fi
1148
	fi
1149
	;;
1149
	;;
1150
    
1150
    
1151
    *)
1151
    *)
1152
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1152
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1153
        exit 1
1153
        exit 1
1154
esac
1154
esac
1155
echo
1155
echo
1156
EOF
1156
EOF
1157
chmod a+x /etc/init.d/chilli
1157
chmod a+x /etc/init.d/chilli
1158
ln -s /etc/init.d/chilli /usr/libexec/chilli
1158
ln -s /etc/init.d/chilli /usr/libexec/chilli
1159
# conf file creation
1159
# conf file creation
1160
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1160
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1161
	#NTP Option configuration for DHCP
1161
	#NTP Option configuration for DHCP
1162
	#DHCP Options : rfc2132
1162
	#DHCP Options : rfc2132
1163
		#dhcp option value will be convert in hexa.
1163
		#dhcp option value will be convert in hexa.
1164
		#NTP option (or 'option 42') is like :
1164
		#NTP option (or 'option 42') is like :
1165
		#			
1165
		#			
1166
		#    Code   Len         Address 1               Address 2
1166
		#    Code   Len         Address 1               Address 2
1167
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1167
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1168
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1168
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1169
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1169
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1170
		#
1170
		#
1171
		#Code : 42 => 2a
1171
		#Code : 42 => 2a
1172
		#Len : 4 => 04
1172
		#Len : 4 => 04
1173
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1173
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1174
	cat <<EOF > /etc/chilli.conf
1174
	cat <<EOF > /etc/chilli.conf
1175
# coova config for ALCASAR
1175
# coova config for ALCASAR
1176
cmdsocket	/var/run/chilli.sock
1176
cmdsocket	/var/run/chilli.sock
1177
unixipc		chilli.$INTIF.ipc
1177
unixipc		chilli.$INTIF.ipc
1178
pidfile		/var/run/chilli.pid
1178
pidfile		/var/run/chilli.pid
1179
net		$PRIVATE_NETWORK_MASK
1179
net		$PRIVATE_NETWORK_MASK
1180
dhcpif		$INTIF
1180
dhcpif		$INTIF
1181
ethers		$DIR_DEST_ETC/alcasar-ethers
1181
ethers		$DIR_DEST_ETC/alcasar-ethers
1182
#nodynip
1182
#nodynip
1183
#statip
1183
#statip
1184
dynip		$PRIVATE_NETWORK_MASK
1184
dynip		$PRIVATE_NETWORK_MASK
1185
domain		$DOMAIN
1185
domain		$DOMAIN
1186
dns1		$PRIVATE_IP
1186
dns1		$PRIVATE_IP
1187
dns2		$PRIVATE_IP
1187
dns2		$PRIVATE_IP
1188
uamlisten	$PRIVATE_IP
1188
uamlisten	$PRIVATE_IP
1189
uamport		3990
1189
uamport		3990
1190
macauth
1190
macauth
1191
macpasswd	password
1191
macpasswd	password
1192
strictmacauth
1192
strictmacauth
1193
locationname	$HOSTNAME.$DOMAIN
1193
locationname	$HOSTNAME.$DOMAIN
1194
radiusserver1	127.0.0.1
1194
radiusserver1	127.0.0.1
1195
radiusserver2	127.0.0.1
1195
radiusserver2	127.0.0.1
1196
radiussecret	$secretradius
1196
radiussecret	$secretradius
1197
radiusauthport	1812
1197
radiusauthport	1812
1198
radiusacctport	1813
1198
radiusacctport	1813
1199
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1199
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1200
radiusnasid	$HOSTNAME.$DOMAIN
1200
radiusnasid	$HOSTNAME.$DOMAIN
1201
uamsecret	$secretuam
1201
uamsecret	$secretuam
1202
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1202
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1203
coaport		3799
1203
coaport		3799
1204
conup		$DIR_DEST_BIN/alcasar-conup.sh
1204
conup		$DIR_DEST_BIN/alcasar-conup.sh
1205
condown		$DIR_DEST_BIN/alcasar-condown.sh
1205
condown		$DIR_DEST_BIN/alcasar-condown.sh
1206
include		$DIR_DEST_ETC/alcasar-uamallowed
1206
include		$DIR_DEST_ETC/alcasar-uamallowed
1207
include		$DIR_DEST_ETC/alcasar-uamdomain
1207
include		$DIR_DEST_ETC/alcasar-uamdomain
1208
dhcpopt		2a04$PRIVATE_IP_HEXA
1208
dhcpopt		2a04$PRIVATE_IP_HEXA
1209
macup		$DIR_DEST_BIN/alcasar-macup.sh
1209
macup		$DIR_DEST_BIN/alcasar-macup.sh
1210
macdown		$DIR_DEST_BIN/alcasar-macdown.sh
1210
macdown		$DIR_DEST_BIN/alcasar-macdown.sh
1211
#dhcpgateway		none
1211
#dhcpgateway		none
1212
#dhcprelayagent		none
1212
#dhcprelayagent		none
1213
#dhcpgatewayport	none
1213
#dhcpgatewayport	none
1214
EOF
1214
EOF
1215
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1215
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1216
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1216
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1217
# create files for trusted domains and urls
1217
# create files for trusted domains and urls
1218
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1218
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1219
	chown root:apache $DIR_DEST_ETC/alcasar-*
1219
	chown root:apache $DIR_DEST_ETC/alcasar-*
1220
	chmod 660 $DIR_DEST_ETC/alcasar-*
1220
	chmod 660 $DIR_DEST_ETC/alcasar-*
1221
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1221
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1222
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1222
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1223
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1223
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1224
# user 'chilli' creation (in order to run conup/off and up/down scripts
1224
# user 'chilli' creation (in order to run conup/off and up/down scripts
1225
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1225
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1226
	if [ "$chilli_exist" == "1" ]
1226
	if [ "$chilli_exist" == "1" ]
1227
	then
1227
	then
1228
	      userdel -r chilli 2>/dev/null
1228
	      userdel -r chilli 2>/dev/null
1229
	fi
1229
	fi
1230
	groupadd -f chilli
1230
	groupadd -f chilli
1231
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1231
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1232
}  # End of chilli ()
1232
}  # End of chilli ()
1233
 
1233
 
1234
##################################################################
1234
##################################################################
1235
##		Fonction "dansguardian"				##
1235
##		Fonction "dansguardian"				##
1236
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1236
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1237
##################################################################
1237
##################################################################
1238
dansguardian ()
1238
dansguardian ()
1239
{
1239
{
1240
	mkdir -p /var/dansguardian /var/log/dansguardian
1240
	mkdir -p /var/dansguardian /var/log/dansguardian
1241
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1241
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1242
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1242
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1243
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1243
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1244
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1244
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1245
# By default the filter is off 
1245
# By default the filter is off 
1246
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1246
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1247
# French deny HTML page
1247
# French deny HTML page
1248
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1248
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1249
# Listen only on LAN side
1249
# Listen only on LAN side
1250
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1250
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1251
# DG send its flow to HAVP
1251
# DG send its flow to HAVP
1252
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1252
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1253
# replace the default deny HTML page
1253
# replace the default deny HTML page
1254
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1254
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1255
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1255
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1256
# Don't log
1256
# Don't log
1257
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1257
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1258
# on désactive par défaut le controle de contenu des pages html
1258
# on désactive par défaut le controle de contenu des pages html
1259
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1259
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1260
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1260
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1261
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1261
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1262
# on désactive par défaut le contrôle d'URL par expressions régulières
1262
# on désactive par défaut le contrôle d'URL par expressions régulières
1263
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1263
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1264
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1264
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1265
 
1265
 
1266
# Configure Dansguardian for large site
1266
# Configure Dansguardian for large site
1267
# Minimum number of processus to handle connections
1267
# Minimum number of processus to handle connections
1268
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1268
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1269
# Maximum number of processus to handle connections
1269
# Maximum number of processus to handle connections
1270
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1270
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1271
# Run at least 8 daemons
1271
# Run at least 8 daemons
1272
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1272
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1273
# minimum number of processes to spawn
1273
# minimum number of processes to spawn
1274
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1274
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1275
# maximum age of a child process before it croaks it
1275
# maximum age of a child process before it croaks it
1276
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1276
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1277
	
1277
	
1278
# on désactive par défaut le contrôle de téléchargement de fichiers
1278
# on désactive par défaut le contrôle de téléchargement de fichiers
1279
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1279
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1280
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1280
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1281
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1281
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1282
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1282
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1283
	touch $DIR_DG/lists/bannedextensionlist
1283
	touch $DIR_DG/lists/bannedextensionlist
1284
	touch $DIR_DG/lists/bannedmimetypelist
1284
	touch $DIR_DG/lists/bannedmimetypelist
1285
# 'Safesearch' regex actualisation
1285
# 'Safesearch' regex actualisation
1286
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1286
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1287
# empty LAN IP list that won't be WEB filtered
1287
# empty LAN IP list that won't be WEB filtered
1288
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1288
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1289
	touch $DIR_DG/lists/exceptioniplist
1289
	touch $DIR_DG/lists/exceptioniplist
1290
# Keep a copy of URL & domain filter configuration files
1290
# Keep a copy of URL & domain filter configuration files
1291
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1291
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1292
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1292
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1293
} # End of dansguardian ()
1293
} # End of dansguardian ()
1294
 
1294
 
1295
##################################################################
1295
##################################################################
1296
##			Fonction "antivirus"			##
1296
##			Fonction "antivirus"			##
1297
## - configuration of havp, libclamav and freshclam		##
1297
## - configuration of havp, libclamav and freshclam		##
1298
##################################################################
1298
##################################################################
1299
antivirus ()		
1299
antivirus ()		
1300
{
1300
{
1301
# create 'havp' user
1301
# create 'havp' user
1302
	havp_exist=`grep havp /etc/passwd|wc -l`
1302
	havp_exist=`grep havp /etc/passwd|wc -l`
1303
	if [ "$havp_exist" == "1" ]
1303
	if [ "$havp_exist" == "1" ]
1304
	then
1304
	then
1305
	      userdel -r havp 2>/dev/null
1305
	      userdel -r havp 2>/dev/null
1306
	      groupdel havp 2>/dev/null
1306
	      groupdel havp 2>/dev/null
1307
	fi
1307
	fi
1308
	groupadd -f havp
1308
	groupadd -f havp
1309
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1309
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1310
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1310
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1311
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1311
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1312
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1312
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1313
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1313
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1314
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1314
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1315
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1315
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1316
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1316
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1317
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1317
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1318
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1318
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1319
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1319
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1320
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1320
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1321
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1321
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1322
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1322
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1323
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1323
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1324
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1324
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1325
# skip checking of youtube flow (too heavy load / risk too low)
1325
# skip checking of youtube flow (too heavy load / risk too low)
1326
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1326
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1327
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1327
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1328
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1328
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1329
# adapt init script and systemd unit
1329
# adapt init script and systemd unit
1330
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1330
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1331
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1331
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1332
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1332
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1333
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1333
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1334
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1334
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1335
# replace of the intercept page (template)
1335
# replace of the intercept page (template)
1336
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1336
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1337
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1337
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1338
# update virus database every 4 hours (24h/6)
1338
# update virus database every 4 hours (24h/6)
1339
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1339
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1340
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1340
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1341
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1341
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1342
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1342
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1343
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1343
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1344
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1344
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1345
# update now
1345
# update now
1346
	/usr/bin/freshclam --no-warnings
1346
	/usr/bin/freshclam --no-warnings
1347
} # End of antivirus ()
1347
} # End of antivirus ()
1348
 
1348
 
1349
##########################################################################
1349
##########################################################################
1350
##			Fonction "tinyproxy"				##
1350
##			Fonction "tinyproxy"				##
1351
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1351
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1352
##########################################################################
1352
##########################################################################
1353
tinyproxy ()		
1353
tinyproxy ()		
1354
{
1354
{
1355
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1355
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1356
	if [ "$tinyproxy_exist" == "1" ]
1356
	if [ "$tinyproxy_exist" == "1" ]
1357
	then
1357
	then
1358
	      userdel -r tinyproxy 2>/dev/null
1358
	      userdel -r tinyproxy 2>/dev/null
1359
	      groupdel tinyproxy 2>/dev/null
1359
	      groupdel tinyproxy 2>/dev/null
1360
	fi
1360
	fi
1361
	groupadd -f tinyproxy
1361
	groupadd -f tinyproxy
1362
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1362
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1363
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1363
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1364
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1364
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1365
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1365
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1366
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1366
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1367
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1367
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1368
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1368
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1369
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1369
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1370
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1370
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1371
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1371
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1372
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1372
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1373
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1373
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1374
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1374
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1375
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1375
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1376
# Create the systemd unit
1376
# Create the systemd unit
1377
cat << EOF > /lib/systemd/system/tinyproxy.service
1377
cat << EOF > /lib/systemd/system/tinyproxy.service
1378
#  This file is part of systemd.
1378
#  This file is part of systemd.
1379
#
1379
#
1380
#  systemd is free software; you can redistribute it and/or modify it
1380
#  systemd is free software; you can redistribute it and/or modify it
1381
#  under the terms of the GNU General Public License as published by
1381
#  under the terms of the GNU General Public License as published by
1382
#  the Free Software Foundation; either version 2 of the License, or
1382
#  the Free Software Foundation; either version 2 of the License, or
1383
#  (at your option) any later version.
1383
#  (at your option) any later version.
1384
 
1384
 
1385
# This unit launches tinyproxy (a very light proxy).
1385
# This unit launches tinyproxy (a very light proxy).
1386
# The "sleep 2" is needed because the pid file isn't ready for systemd
1386
# The "sleep 2" is needed because the pid file isn't ready for systemd
1387
[Unit]
1387
[Unit]
1388
Description=Tinyproxy Web Proxy Server
1388
Description=Tinyproxy Web Proxy Server
1389
After=network.target iptables.service
1389
After=network.target iptables.service
1390
 
1390
 
1391
[Service]
1391
[Service]
1392
Type=forking
1392
Type=forking
1393
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1393
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1394
ExecStartPre=/bin/sleep 2
1394
ExecStartPre=/bin/sleep 2
1395
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1395
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1396
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1396
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1397
 
1397
 
1398
[Install]
1398
[Install]
1399
WantedBy=multi-user.target
1399
WantedBy=multi-user.target
1400
EOF
1400
EOF
1401
 
1401
 
1402
} # end of tinyproxy
1402
} # end of tinyproxy
1403
##################################################################################
1403
##################################################################################
1404
##			function "ulogd"					##
1404
##			function "ulogd"					##
1405
## - Ulog config for multi-log files 						##
1405
## - Ulog config for multi-log files 						##
1406
##################################################################################
1406
##################################################################################
1407
ulogd ()
1407
ulogd ()
1408
{
1408
{
1409
# Three instances of ulogd (three different logfiles)
1409
# Three instances of ulogd (three different logfiles)
1410
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1410
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1411
	nl=1
1411
	nl=1
1412
	for log_type in traceability ssh ext-access
1412
	for log_type in traceability ssh ext-access
1413
	do
1413
	do
1414
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1414
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1415
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1415
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1416
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1416
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1417
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1417
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1418
		if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
1418
		if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
1419
		cat << EOF >> /etc/ulogd-$log_type.conf
1419
		cat << EOF >> /etc/ulogd-$log_type.conf
1420
[emu1]
1420
[emu1]
1421
file="/var/log/firewall/$log_type.log"
1421
file="/var/log/firewall/$log_type.log"
1422
sync=1
1422
sync=1
1423
EOF
1423
EOF
1424
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1424
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1425
		nl=`expr $nl + 1`
1425
		nl=`expr $nl + 1`
1426
	done
1426
	done
1427
	chown -R root:apache /var/log/firewall
1427
	chown -R root:apache /var/log/firewall
1428
	chmod 750 /var/log/firewall
1428
	chmod 750 /var/log/firewall
1429
	chmod 640 /var/log/firewall/*
1429
	chmod 640 /var/log/firewall/*
1430
}  # End of ulogd ()
1430
}  # End of ulogd ()
1431
 
1431
 
1432
 
1432
 
1433
##########################################################
1433
##########################################################
1434
##              Function "nfsen"			##
1434
##              Function "nfsen"			##
1435
## - install the nfsen grapher				##
1435
## - install the nfsen grapher				##
1436
## - install the two plugins porttracker & surfmap	##
1436
## - install the two plugins porttracker & surfmap	##
1437
##########################################################
1437
##########################################################
1438
nfsen()
1438
nfsen()
1439
{
1439
{
1440
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1440
	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1441
# Add PortTracker plugin
1441
# Add PortTracker plugin
1442
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1442
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1443
	do
1443
	do
1444
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1444
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1445
	done
1445
	done
1446
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1446
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1447
# use of our conf file and init unit
1447
# use of our conf file and init unit
1448
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1448
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1449
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1449
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1450
	DirTmp=$(pwd)
1450
	DirTmp=$(pwd)
1451
	cd /tmp/nfsen-1.3.7/
1451
	cd /tmp/nfsen-1.3.7/
1452
	/usr/bin/perl install.pl etc/nfsen.conf
1452
	/usr/bin/perl install.pl etc/nfsen.conf
1453
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1453
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1454
# Create RRD DB for porttracker (only in it still doesn't exist)
1454
# Create RRD DB for porttracker (only in it still doesn't exist)
1455
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1455
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1456
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1456
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1457
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1457
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1458
	chmod -R 770 /var/log/netflow/porttracker
1458
	chmod -R 770 /var/log/netflow/porttracker
1459
# nfsen unit for systemd
1459
# nfsen unit for systemd
1460
cat << EOF > /lib/systemd/system/nfsen.service
1460
cat << EOF > /lib/systemd/system/nfsen.service
1461
#  This file is part of systemd.
1461
#  This file is part of systemd.
1462
#
1462
#
1463
#  systemd is free software; you can redistribute it and/or modify it
1463
#  systemd is free software; you can redistribute it and/or modify it
1464
#  under the terms of the GNU General Public License as published by
1464
#  under the terms of the GNU General Public License as published by
1465
#  the Free Software Foundation; either version 2 of the License, or
1465
#  the Free Software Foundation; either version 2 of the License, or
1466
#  (at your option) any later version.
1466
#  (at your option) any later version.
1467
 
1467
 
1468
# This unit launches nfsen (a Netflow grapher).
1468
# This unit launches nfsen (a Netflow grapher).
1469
[Unit]
1469
[Unit]
1470
Description= NfSen init script
1470
Description= NfSen init script
1471
After=network.target iptables.service
1471
After=network.target iptables.service
1472
 
1472
 
1473
[Service]
1473
[Service]
1474
Type=oneshot
1474
Type=oneshot
1475
RemainAfterExit=yes
1475
RemainAfterExit=yes
1476
PIDFile=/var/run/nfsen/nfsen.pid
1476
PIDFile=/var/run/nfsen/nfsen.pid
1477
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1477
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1478
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1478
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1479
ExecStart=/usr/bin/nfsen start 
1479
ExecStart=/usr/bin/nfsen start 
1480
ExecStop=/usr/bin/nfsen stop
1480
ExecStop=/usr/bin/nfsen stop
1481
ExecReload=/usr/bin/nfsen restart
1481
ExecReload=/usr/bin/nfsen restart
1482
TimeoutSec=0
1482
TimeoutSec=0
1483
 
1483
 
1484
[Install]
1484
[Install]
1485
WantedBy=multi-user.target
1485
WantedBy=multi-user.target
1486
EOF
1486
EOF
1487
# Add the listen port to collect netflow packet (nfcapd)
1487
# Add the listen port to collect netflow packet (nfcapd)
1488
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1488
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1489
# expire delay for the profile "live"
1489
# expire delay for the profile "live"
1490
	/usr/bin/systemctl start nfsen
1490
	/usr/bin/systemctl start nfsen
1491
	/bin/nfsen -m live -e 62d 2>/dev/null
1491
	/bin/nfsen -m live -e 62d 2>/dev/null
1492
# add SURFmap plugin
1492
# add SURFmap plugin
1493
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1493
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1494
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1494
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1495
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1495
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1496
	cd /tmp/
1496
	cd /tmp/
1497
	/usr/bin/sh SURFmap/install.sh
1497
	/usr/bin/sh SURFmap/install.sh
1498
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1498
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1499
# clear the installation
1499
# clear the installation
1500
	cd $DirTmp
1500
	cd $DirTmp
1501
	rm -rf /tmp/nfsen*
1501
	rm -rf /tmp/nfsen*
1502
	rm -rf /tmp/SURFmap*
1502
	rm -rf /tmp/SURFmap*
1503
} # End of nfsen ()
1503
} # End of nfsen ()
1504
 
1504
 
1505
##################################################
1505
##################################################
1506
##		Function "vnstat"		##
1506
##		Function "vnstat"		##
1507
## Initialization of Vnstat and vnstat phpFE    ##
1507
## Initialization of Vnstat and vnstat phpFE    ##
1508
##################################################
1508
##################################################
1509
vnstat ()
1509
vnstat ()
1510
{
1510
{
1511
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1511
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1512
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1512
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1513
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1513
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1514
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1514
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1515
	/usr/bin/vnstat -u -i $EXTIF
1515
	/usr/bin/vnstat -u -i $EXTIF
1516
} # End of vnstat	
1516
} # End of vnstat	
1517
##################################################
1517
##################################################
1518
##		Function "dnsmasq"		##
1518
##		Function "dnsmasq"		##
1519
##################################################
1519
##################################################
1520
dnsmasq ()
1520
dnsmasq ()
1521
{
1521
{
1522
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1522
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1523
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1523
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1524
#	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1524
#	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1525
	$SED "s?^.*OPTIONS=.*?#OPTIONS=\"--log-async=250 --log-queries --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq # General Options for dnslog or debugging
1525
	$SED "s?^.*OPTIONS=.*?#OPTIONS=\"--log-async=250 --log-queries --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq # General Options for dnslog or debugging
1526
	$SED "s?^local=.*?local=/$DOMAIN/?g" $DIR_DEST_ETC/alcasar-dns-name # default domain name for all dnsmasq daemons
1526
	$SED "s?^local=.*?local=/$DOMAIN/?g" $DIR_DEST_ETC/alcasar-dns-name # default domain name for all dnsmasq daemons
1527
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1527
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1528
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1528
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1529
	cat << EOF > /etc/dnsmasq.conf
1529
	cat << EOF > /etc/dnsmasq.conf
1530
# Configuration file for "dnsmasq in forward mode"
1530
# Configuration file for "dnsmasq in forward mode"
1531
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1531
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1532
listen-address=$PRIVATE_IP
1532
listen-address=$PRIVATE_IP
1533
pid-file=/var/run/dnsmasq.pid
1533
pid-file=/var/run/dnsmasq.pid
1534
listen-address=127.0.0.1
1534
listen-address=127.0.0.1
1535
no-dhcp-interface=$INTIF
1535
no-dhcp-interface=$INTIF
1536
no-dhcp-interface=tun0
1536
no-dhcp-interface=tun0
1537
no-dhcp-interface=lo
1537
no-dhcp-interface=lo
1538
bind-interfaces
1538
bind-interfaces
1539
cache-size=2048
1539
cache-size=2048
1540
domain-needed
1540
domain-needed
1541
expand-hosts
1541
expand-hosts
1542
bogus-priv
1542
bogus-priv
1543
filterwin2k
1543
filterwin2k
1544
server=$DNS1
1544
server=$DNS1
1545
server=$DNS2
1545
server=$DNS2
1546
# DHCP service is configured. It will be enabled in "bypass" mode
1546
# DHCP service is configured. It will be enabled in "bypass" mode
1547
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1547
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1548
#dhcp-option=option:router,$PRIVATE_IP
1548
#dhcp-option=option:router,$PRIVATE_IP
1549
#dhcp-option=option:ntp-server,$PRIVATE_IP
1549
#dhcp-option=option:ntp-server,$PRIVATE_IP
1550
#domain=$DOMAIN
1550
#domain=$DOMAIN
1551
 
1551
 
1552
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1552
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1553
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1553
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1554
EOF
1554
EOF
1555
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1555
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1556
	cat << EOF > /etc/dnsmasq-blacklist.conf
1556
	cat << EOF > /etc/dnsmasq-blacklist.conf
1557
# Configuration file for "dnsmasq with blacklist"
1557
# Configuration file for "dnsmasq with blacklist"
1558
# Add Toulouse University blacklist domains
1558
# Add Toulouse University blacklist domains
1559
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1559
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1560
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1560
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1561
pid-file=/var/run/dnsmasq-blacklist.pid
1561
pid-file=/var/run/dnsmasq-blacklist.pid
1562
listen-address=$PRIVATE_IP
1562
listen-address=$PRIVATE_IP
1563
port=54
1563
port=54
1564
no-dhcp-interface=$INTIF
1564
no-dhcp-interface=$INTIF
1565
no-dhcp-interface=tun0
1565
no-dhcp-interface=tun0
1566
no-dhcp-interface=lo
1566
no-dhcp-interface=lo
1567
bind-interfaces
1567
bind-interfaces
1568
cache-size=2048
1568
cache-size=2048
1569
domain-needed
1569
domain-needed
1570
expand-hosts
1570
expand-hosts
1571
bogus-priv
1571
bogus-priv
1572
filterwin2k
1572
filterwin2k
1573
log-queries
1573
log-queries
1574
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1574
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1575
server=$DNS1
1575
server=$DNS1
1576
server=$DNS2
1576
server=$DNS2
1577
EOF
1577
EOF
1578
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1578
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1579
	cat << EOF > /etc/dnsmasq-whitelist.conf
1579
	cat << EOF > /etc/dnsmasq-whitelist.conf
1580
# Configuration file for "dnsmasq with whitelist"
1580
# Configuration file for "dnsmasq with whitelist"
1581
# ADD Toulouse university whitelist domains
1581
# ADD Toulouse university whitelist domains
1582
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1582
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1583
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1583
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1584
pid-file=/var/run/dnsmasq-whitelist.pid
1584
pid-file=/var/run/dnsmasq-whitelist.pid
1585
listen-address=$PRIVATE_IP
1585
listen-address=$PRIVATE_IP
1586
port=55
1586
port=55
1587
no-dhcp-interface=$INTIF
1587
no-dhcp-interface=$INTIF
1588
no-dhcp-interface=tun0
1588
no-dhcp-interface=tun0
1589
no-dhcp-interface=lo
1589
no-dhcp-interface=lo
1590
bind-interfaces
1590
bind-interfaces
1591
cache-size=1024
1591
cache-size=1024
1592
domain-needed
1592
domain-needed
1593
expand-hosts
1593
expand-hosts
1594
bogus-priv
1594
bogus-priv
1595
filterwin2k
1595
filterwin2k
1596
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1596
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1597
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1597
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1598
EOF
1598
EOF
1599
# 4th dnsmasq listen on udp 56 ("blackhole")
1599
# 4th dnsmasq listen on udp 56 ("blackhole")
1600
	cat << EOF > /etc/dnsmasq-blackhole.conf
1600
	cat << EOF > /etc/dnsmasq-blackhole.conf
1601
# Configuration file for "dnsmasq as a blackhole"
1601
# Configuration file for "dnsmasq as a blackhole"
1602
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1602
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1603
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1603
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1604
pid-file=/var/run/dnsmasq-blackhole.pid
1604
pid-file=/var/run/dnsmasq-blackhole.pid
1605
listen-address=$PRIVATE_IP
1605
listen-address=$PRIVATE_IP
1606
port=56
1606
port=56
1607
no-dhcp-interface=$INTIF
1607
no-dhcp-interface=$INTIF
1608
no-dhcp-interface=tun0
1608
no-dhcp-interface=tun0
1609
no-dhcp-interface=lo
1609
no-dhcp-interface=lo
1610
bind-interfaces
1610
bind-interfaces
1611
cache-size=256
1611
cache-size=256
1612
domain-needed
1612
domain-needed
1613
expand-hosts
1613
expand-hosts
1614
bogus-priv
1614
bogus-priv
1615
filterwin2k
1615
filterwin2k
1616
EOF
1616
EOF
1617
 
1617
 
1618
# the main instance should start after network and chilli (which create tun0)
1618
# the main instance should start after network and chilli (which create tun0)
1619
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1619
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1620
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1620
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1621
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1621
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1622
	for list in blacklist whitelist blackhole
1622
	for list in blacklist whitelist blackhole
1623
	do
1623
	do
1624
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1624
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1625
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1625
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1626
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1626
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1627
	done
1627
	done
1628
} # End dnsmasq
1628
} # End dnsmasq
1629
 
1629
 
1630
##########################################################
1630
##########################################################
1631
##		Fonction "BL"				##
1631
##		Fonction "BL"				##
1632
##########################################################
1632
##########################################################
1633
BL ()
1633
BL ()
1634
{
1634
{
1635
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1635
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1636
	rm -rf $DIR_DG/lists/blacklists
1636
	rm -rf $DIR_DG/lists/blacklists
1637
	mkdir -p /tmp/blacklists
1637
	mkdir -p /tmp/blacklists
1638
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1638
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1639
# creation of file for the rehabilited domains and urls
1639
# creation of file for the rehabilited domains and urls
1640
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1640
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1641
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1641
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1642
	touch $DIR_DG/lists/exceptionsitelist
1642
	touch $DIR_DG/lists/exceptionsitelist
1643
	touch $DIR_DG/lists/exceptionurllist
1643
	touch $DIR_DG/lists/exceptionurllist
1644
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1644
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1645
	cat <<EOF > $DIR_DG/lists/bannedurllist
1645
	cat <<EOF > $DIR_DG/lists/bannedurllist
1646
# Dansguardian filter config for ALCASAR
1646
# Dansguardian filter config for ALCASAR
1647
EOF
1647
EOF
1648
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1648
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1649
# Dansguardian domain filter config for ALCASAR
1649
# Dansguardian domain filter config for ALCASAR
1650
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1650
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1651
#**
1651
#**
1652
# block all SSL and CONNECT tunnels
1652
# block all SSL and CONNECT tunnels
1653
**s
1653
**s
1654
# block all SSL and CONNECT tunnels specified only as an IP
1654
# block all SSL and CONNECT tunnels specified only as an IP
1655
*ips
1655
*ips
1656
# block all sites specified only by an IP
1656
# block all sites specified only by an IP
1657
*ip
1657
*ip
1658
EOF
1658
EOF
1659
# Add Bing to the safesearch url regext list (parental control)
1659
# Add Bing to the safesearch url regext list (parental control)
1660
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1660
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1661
# Bing - add 'adlt=strict'
1661
# Bing - add 'adlt=strict'
1662
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1662
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1663
EOF
1663
EOF
1664
# change the google safesearch ("safe=strict" instead of "safe=vss")
1664
# change the google safesearch ("safe=strict" instead of "safe=vss")
1665
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1665
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1666
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1666
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1667
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1667
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1668
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1668
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1669
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1669
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1670
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1670
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1671
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1671
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1672
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1672
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1673
# add custom ALCASAR BL files
1673
# add custom ALCASAR BL files
1674
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1674
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1675
	do
1675
	do
1676
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1676
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1677
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1677
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1678
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1678
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1679
	done
1679
	done
1680
	chown -R dansguardian:apache $DIR_DG
1680
	chown -R dansguardian:apache $DIR_DG
1681
	chown -R root:apache $DIR_DEST_SHARE
1681
	chown -R root:apache $DIR_DEST_SHARE
1682
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1682
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1683
# adapt the Toulouse BL to ALCASAR architecture
1683
# adapt the Toulouse BL to ALCASAR architecture
1684
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1684
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1685
# enable the default categories
1685
# enable the default categories
1686
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1686
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1687
}
1687
}
1688
 
1688
 
1689
##########################################################
1689
##########################################################
1690
##		Fonction "cron"				##
1690
##		Fonction "cron"				##
1691
## - Mise en place des différents fichiers de cron	##
1691
## - Mise en place des différents fichiers de cron	##
1692
##########################################################
1692
##########################################################
1693
cron ()
1693
cron ()
1694
{
1694
{
1695
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1695
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1696
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1696
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1697
	cat <<EOF > /etc/crontab
1697
	cat <<EOF > /etc/crontab
1698
SHELL=/usr/bin/bash
1698
SHELL=/usr/bin/bash
1699
PATH=/usr/sbin:/usr/bin
1699
PATH=/usr/sbin:/usr/bin
1700
MAILTO=root
1700
MAILTO=root
1701
HOME=/
1701
HOME=/
1702
 
1702
 
1703
# run-parts
1703
# run-parts
1704
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1704
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1705
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1705
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1706
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1706
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1707
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1707
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1708
EOF
1708
EOF
1709
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1709
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1710
	cat <<EOF >> /etc/anacrontab
1710
	cat <<EOF >> /etc/anacrontab
1711
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1711
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1712
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1712
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1713
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1713
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1714
EOF
1714
EOF
1715
 
1715
 
1716
	cat <<EOF > /etc/cron.d/alcasar-mysql
1716
	cat <<EOF > /etc/cron.d/alcasar-mysql
1717
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1717
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1718
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1718
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1719
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1719
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1720
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1720
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1721
EOF
1721
EOF
1722
	cat <<EOF > /etc/cron.d/alcasar-archive
1722
	cat <<EOF > /etc/cron.d/alcasar-archive
1723
# Archive des logs et de la base de données (tous les lundi à 5h35)
1723
# Archive des logs et de la base de données (tous les lundi à 5h35)
1724
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1724
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1725
EOF
1725
EOF
1726
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1726
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1727
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1727
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1728
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1728
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1729
EOF
1729
EOF
1730
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1730
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1731
# mise à jour automatique de la distribution tous les jours 3h30
1731
# mise à jour automatique de la distribution tous les jours 3h30
1732
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1732
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1733
EOF
1733
EOF
1734
 
1734
 
1735
	cat << EOF > /etc/cron.d/alcasar-connections-stats
1735
	cat << EOF > /etc/cron.d/alcasar-connections-stats
1736
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1736
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1737
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1737
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1738
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1738
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1739
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1739
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1740
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1740
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1741
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1741
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1742
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1742
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1743
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1743
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1744
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1744
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1745
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1745
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1746
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1746
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1747
EOF
1747
EOF
1748
	cat << EOF > /etc/cron.d/alcasar-watchdog
1748
	cat << EOF > /etc/cron.d/alcasar-watchdog
1749
# run the "watchdog" every 3'
1749
# run the "watchdog" every 3'
1750
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1750
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1751
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1751
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1752
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1752
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1753
EOF
1753
EOF
1754
# Enabling the watchdog every 18'
1754
# Enabling the watchdog every 18'
1755
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1755
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1756
# activate  the daemon-watchdog after boot process
1756
# activate  the daemon-watchdog after boot process
1757
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1757
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1758
# activate the daemon-watchdog every 18'
1758
# activate the daemon-watchdog every 18'
1759
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1759
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1760
EOF
1760
EOF
1761
 
1761
 
1762
# Enabling category update from rsync
1762
# Enabling category update from rsync
1763
	cat << EOF > /etc/cron.d/alcasar-rsync_bl
1763
	cat << EOF > /etc/cron.d/alcasar-rsync-bl
1764
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). 
1764
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). 
1765
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1765
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1766
EOF
1766
EOF
1767
 
1767
 
1768
# removing the users crons
1768
# removing the users crons
1769
	rm -f /var/spool/cron/*
1769
	rm -f /var/spool/cron/*
1770
} # End cron
1770
} # End cron
1771
 
1771
 
1772
##################################################################
1772
##################################################################
1773
## 			Fonction "Fail2Ban"			##
1773
## 			Fonction "Fail2Ban"			##
1774
##- Modification de la configuration de fail2ban		##
1774
##- Modification de la configuration de fail2ban		##
1775
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1775
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1776
##################################################################
1776
##################################################################
1777
fail2ban()
1777
fail2ban()
1778
{
1778
{
1779
	$DIR_CONF/fail2ban.sh
1779
	$DIR_CONF/fail2ban.sh
1780
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1780
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1781
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1781
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1782
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1782
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1783
	chmod 644 /var/log/fail2ban.log
1783
	chmod 644 /var/log/fail2ban.log
1784
	chmod 644 /var/Save/security/watchdog.log
1784
	chmod 644 /var/Save/security/watchdog.log
1785
	/usr/bin/touch /var/log/auth.log
1785
	/usr/bin/touch /var/log/auth.log
1786
# fail2ban unit
1786
# fail2ban unit
1787
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1787
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1788
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1788
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1789
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1789
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1790
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1790
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1791
} #Fin de fail2ban_install()
1791
} #Fin de fail2ban_install()
1792
 
1792
 
1793
##################################################################
1793
##################################################################
1794
## 			Fonction "gammu_smsd"			##
1794
## 			Fonction "gammu_smsd"			##
1795
## - Creation de la base de donnée Gammu			##
1795
## - Creation de la base de donnée Gammu			##
1796
## - Creation du fichier de config: gammu_smsd_conf		##
1796
## - Creation du fichier de config: gammu_smsd_conf		##
1797
##								##
1797
##								##
1798
##################################################################
1798
##################################################################
1799
gammu_smsd()
1799
gammu_smsd()
1800
{
1800
{
1801
# Create 'gammu' databse
1801
# Create 'gammu' databse
1802
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1802
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1803
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1803
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1804
# Add a gammu database structure
1804
# Add a gammu database structure
1805
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1805
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1806
 
1806
 
1807
# config file for the daemon
1807
# config file for the daemon
1808
cat << EOF > /etc/gammu_smsd_conf
1808
cat << EOF > /etc/gammu_smsd_conf
1809
[gammu]
1809
[gammu]
1810
port = /dev/ttyUSB0
1810
port = /dev/ttyUSB0
1811
connection = at115200
1811
connection = at115200
1812
 
1812
 
1813
;########################################################
1813
;########################################################
1814
 
1814
 
1815
[smsd]
1815
[smsd]
1816
 
1816
 
1817
PIN = 1234
1817
PIN = 1234
1818
 
1818
 
1819
logfile = /var/log/gammu-smsd/gammu-smsd.log
1819
logfile = /var/log/gammu-smsd/gammu-smsd.log
1820
logformat = textall
1820
logformat = textall
1821
debuglevel = 0
1821
debuglevel = 0
1822
 
1822
 
1823
service = sql
1823
service = sql
1824
driver = native_mysql
1824
driver = native_mysql
1825
user = $DB_USER
1825
user = $DB_USER
1826
password = $radiuspwd
1826
password = $radiuspwd
1827
pc = localhost
1827
pc = localhost
1828
database = $DB_GAMMU
1828
database = $DB_GAMMU
1829
 
1829
 
1830
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1830
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1831
 
1831
 
1832
StatusFrequency = 30
1832
StatusFrequency = 30
1833
;LoopSleep = 2
1833
;LoopSleep = 2
1834
 
1834
 
1835
;ResetFrequency = 300
1835
;ResetFrequency = 300
1836
;HardResetFrequency = 120
1836
;HardResetFrequency = 120
1837
 
1837
 
1838
CheckSecurity = 1 
1838
CheckSecurity = 1 
1839
CheckSignal = 1
1839
CheckSignal = 1
1840
CheckBattery = 0
1840
CheckBattery = 0
1841
EOF
1841
EOF
1842
 
1842
 
1843
chmod 755 /etc/gammu_smsd_conf
1843
chmod 755 /etc/gammu_smsd_conf
1844
 
1844
 
1845
#Creation dossier de log Gammu-smsd
1845
#Creation dossier de log Gammu-smsd
1846
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1846
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1847
chmod 755 /var/log/gammu-smsd
1847
chmod 755 /var/log/gammu-smsd
1848
 
1848
 
1849
#Edition du script sql gammu <-> radius
1849
#Edition du script sql gammu <-> radius
1850
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1850
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1851
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1851
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1852
 
1852
 
1853
#Création de la règle udev pour les Huawei // idVendor: 12d1
1853
#Création de la règle udev pour les Huawei // idVendor: 12d1
1854
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1854
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1855
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1855
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1856
EOF
1856
EOF
1857
 
1857
 
1858
} # END gammu_smsd()
1858
} # END gammu_smsd()
1859
 
1859
 
1860
##################################################################
1860
##################################################################
1861
##			Fonction "post_install"			##
1861
##			Fonction "post_install"			##
1862
## - Modification des bannières (locales et ssh) et des prompts ##
1862
## - Modification des bannières (locales et ssh) et des prompts ##
1863
## - Installation de la structure de chiffrement pour root	##
1863
## - Installation de la structure de chiffrement pour root	##
1864
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1864
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1865
## - Mise en place du la rotation des logs			##
1865
## - Mise en place du la rotation des logs			##
1866
## - Configuration dans le cas d'une mise à jour		##
1866
## - Configuration dans le cas d'une mise à jour		##
1867
##################################################################
1867
##################################################################
1868
post_install()
1868
post_install()
1869
{
1869
{
1870
# création de la bannière locale
1870
# création de la bannière locale
1871
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1871
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
1872
	cp -f $DIR_CONF/banner /etc/mageia-release
1872
	cp -f $DIR_CONF/banner /etc/mageia-release
1873
	echo " V$VERSION" >> /etc/mageia-release
1873
	echo " V$VERSION" >> /etc/mageia-release
1874
# création de la bannière SSH
1874
# création de la bannière SSH
1875
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1875
	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
1876
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1876
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1877
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1877
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1878
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1878
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1879
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1879
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1880
# postfix banner anonymisation
1880
# postfix banner anonymisation
1881
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1881
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1882
	chown -R postfix:postfix /var/lib/postfix
1882
	chown -R postfix:postfix /var/lib/postfix
1883
# sshd écoute côté LAN et WAN
1883
# sshd écoute côté LAN et WAN
1884
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1884
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1885
# sshd autorise les connections root par certificat
1885
# sshd autorise les connections root par certificat
1886
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1886
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1887
	# Put the default values in conf file
1887
	# Put the default values in conf file
1888
	echo "SSH=on" >> $CONF_FILE
1888
	echo "SSH=on" >> $CONF_FILE
1889
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1889
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1890
	echo "LDAP=off" >> $CONF_FILE
1890
	echo "LDAP=off" >> $CONF_FILE
1891
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1891
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1892
	echo "MULTIWAN=off" >> $CONF_FILE
1892
	echo "MULTIWAN=off" >> $CONF_FILE
1893
	echo "FAILOVER=30" >> $CONF_FILE
1893
	echo "FAILOVER=30" >> $CONF_FILE
1894
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1894
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1895
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1895
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1896
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1896
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1897
# Coloration des prompts
1897
# Coloration des prompts
1898
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1898
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1899
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1899
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1900
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1900
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1901
# Droits d'exécution pour utilisateur apache et sysadmin
1901
# Droits d'exécution pour utilisateur apache et sysadmin
1902
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1902
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1903
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1903
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1904
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1904
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1905
# Modify some logrotate files (gammu, ulogd)
1905
# Modify some logrotate files (gammu, ulogd)
1906
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1906
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1907
	chmod 644 /etc/logrotate.d/*
1907
	chmod 644 /etc/logrotate.d/*
1908
# rectification sur versions précédentes de la compression des logs
1908
# rectification sur versions précédentes de la compression des logs
1909
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1909
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1910
# actualisation des fichiers logs compressés
1910
# actualisation des fichiers logs compressés
1911
	for dir in firewall dansguardian httpd
1911
	for dir in firewall dansguardian httpd
1912
	do
1912
	do
1913
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1913
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1914
	done
1914
	done
1915
# create the alcasar-load_balancing unit
1915
# create the alcasar-load_balancing unit
1916
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1916
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1917
#  This file is part of systemd.
1917
#  This file is part of systemd.
1918
#
1918
#
1919
#  systemd is free software; you can redistribute it and/or modify it
1919
#  systemd is free software; you can redistribute it and/or modify it
1920
#  under the terms of the GNU General Public License as published by
1920
#  under the terms of the GNU General Public License as published by
1921
#  the Free Software Foundation; either version 2 of the License, or
1921
#  the Free Software Foundation; either version 2 of the License, or
1922
#  (at your option) any later version.
1922
#  (at your option) any later version.
1923
 
1923
 
1924
# This unit lauches alcasar-load-balancing.sh script.
1924
# This unit lauches alcasar-load-balancing.sh script.
1925
[Unit]
1925
[Unit]
1926
Description=alcasar-load_balancing.sh execution
1926
Description=alcasar-load_balancing.sh execution
1927
After=network.target iptables.service
1927
After=network.target iptables.service
1928
 
1928
 
1929
[Service]
1929
[Service]
1930
Type=oneshot
1930
Type=oneshot
1931
RemainAfterExit=yes
1931
RemainAfterExit=yes
1932
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
1932
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
1933
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1933
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1934
TimeoutSec=0
1934
TimeoutSec=0
1935
SysVStartPriority=99
1935
SysVStartPriority=99
1936
 
1936
 
1937
[Install]
1937
[Install]
1938
WantedBy=multi-user.target
1938
WantedBy=multi-user.target
1939
EOF
1939
EOF
1940
# processes launched at boot time (Systemctl)
1940
# processes launched at boot time (Systemctl)
1941
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
1941
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
1942
	do
1942
	do
1943
		/usr/bin/systemctl -q enable $i.service
1943
		/usr/bin/systemctl -q enable $i.service
1944
	done
1944
	done
1945
	
1945
	
1946
# disable processes at boot time (Systemctl)
1946
# disable processes at boot time (Systemctl)
1947
	for i in ulogd
1947
	for i in ulogd
1948
	do
1948
	do
1949
		/usr/bin/systemctl -q disable $i.service
1949
		/usr/bin/systemctl -q disable $i.service
1950
	done
1950
	done
1951
	
1951
	
1952
# Apply French Security Agency (ANSSI) rules
1952
# Apply French Security Agency (ANSSI) rules
1953
# ignore ICMP broadcast (smurf attack)
1953
# ignore ICMP broadcast (smurf attack)
1954
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1954
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1955
# ignore ICMP errors bogus
1955
# ignore ICMP errors bogus
1956
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1956
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
1957
# remove ICMP redirects responces
1957
# remove ICMP redirects responces
1958
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1958
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1959
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1959
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
1960
# enable SYN Cookies (Syn flood attacks)
1960
# enable SYN Cookies (Syn flood attacks)
1961
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1961
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
1962
# enable kernel antispoofing
1962
# enable kernel antispoofing
1963
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1963
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
1964
# ignore source routing
1964
# ignore source routing
1965
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1965
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
1966
# set conntrack timer to 1h (3600s) instead of 5 weeks
1966
# set conntrack timer to 1h (3600s) instead of 5 weeks
1967
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1967
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1968
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1968
# disable log_martians (ALCASAR is often installed between two private network addresses) 
1969
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1969
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1970
# disable iptables_helpers
1970
# disable iptables_helpers
1971
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
1971
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
1972
# Switch to the router mode
1972
# Switch to the router mode
1973
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
1973
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
1974
# Remove unused service ipv6
1974
# Remove unused service ipv6
1975
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
1975
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
1976
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1976
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1977
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
1977
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
1978
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1978
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
1979
# remove Magic SysReq Keys
1979
# remove Magic SysReq Keys
1980
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1980
	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1981
# switch to multi-users runlevel (instead of x11)
1981
# switch to multi-users runlevel (instead of x11)
1982
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1982
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1983
#	GRUB modifications (only one time)
1983
#	GRUB modifications (only one time)
1984
# limit wait time to 3s
1984
# limit wait time to 3s
1985
# create an alcasar entry instead of linux-nonfb
1985
# create an alcasar entry instead of linux-nonfb
1986
# change display to 1024*768 (vga791)
1986
# change display to 1024*768 (vga791)
1987
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
1987
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
1988
	if [ $grub_already_modified == 0 ]
1988
	if [ $grub_already_modified == 0 ]
1989
		then
1989
		then
1990
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1990
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1991
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1991
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
1992
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1992
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
1993
		$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1993
		$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
1994
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1994
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1995
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
1995
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
1996
	fi
1996
	fi
1997
# Load and apply the previous conf file
1997
# Load and apply the previous conf file
1998
	if [ "$mode" = "update" ]
1998
	if [ "$mode" = "update" ]
1999
	then
1999
	then
2000
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2000
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2001
		$DIR_DEST_BIN/alcasar-conf.sh --load
2001
		$DIR_DEST_BIN/alcasar-conf.sh --load
2002
		PARENT_SCRIPT=`basename $0`
2002
		PARENT_SCRIPT=`basename $0`
2003
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2003
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2004
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2004
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2005
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2005
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2006
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2006
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2007
	fi
2007
	fi
2008
	rm -f /tmp/alcasar-conf*
2008
	rm -f /tmp/alcasar-conf*
2009
	chown -R root:apache $DIR_DEST_ETC/*
2009
	chown -R root:apache $DIR_DEST_ETC/*
2010
	chmod -R 660 $DIR_DEST_ETC/*
2010
	chmod -R 660 $DIR_DEST_ETC/*
2011
	chmod ug+x $DIR_DEST_ETC/digest
2011
	chmod ug+x $DIR_DEST_ETC/digest
2012
	cd $DIR_INSTALL
2012
	cd $DIR_INSTALL
2013
	echo ""
2013
	echo ""
2014
	echo "#############################################################################"
2014
	echo "#############################################################################"
2015
	if [ $Lang == "fr" ]
2015
	if [ $Lang == "fr" ]
2016
		then
2016
		then
2017
		echo "#                        Fin d'installation d'ALCASAR                       #"
2017
		echo "#                        Fin d'installation d'ALCASAR                       #"
2018
		echo "#                                                                           #"
2018
		echo "#                                                                           #"
2019
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2019
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2020
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2020
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2021
		echo "#                                                                           #"
2021
		echo "#                                                                           #"
2022
		echo "#############################################################################"
2022
		echo "#############################################################################"
2023
		echo
2023
		echo
2024
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2024
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2025
		echo
2025
		echo
2026
		echo "- Lisez attentivement la documentation d'exploitation"
2026
		echo "- Lisez attentivement la documentation d'exploitation"
2027
		echo
2027
		echo
2028
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
2028
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
2029
		echo
2029
		echo
2030
		echo "                   Appuyez sur 'Entrée' pour continuer"
2030
		echo "                   Appuyez sur 'Entrée' pour continuer"
2031
	else	
2031
	else	
2032
		echo "#                        Enf of ALCASAR install process                     #"
2032
		echo "#                        Enf of ALCASAR install process                     #"
2033
		echo "#                                                                           #"
2033
		echo "#                                                                           #"
2034
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2034
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2035
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2035
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2036
		echo "#                                                                           #"
2036
		echo "#                                                                           #"
2037
		echo "#############################################################################"
2037
		echo "#############################################################################"
2038
		echo
2038
		echo
2039
		echo "- The system will be rebooted in order to operate ALCASAR"
2039
		echo "- The system will be rebooted in order to operate ALCASAR"
2040
		echo
2040
		echo
2041
		echo "- Read the exploitation documentation"
2041
		echo "- Read the exploitation documentation"
2042
		echo
2042
		echo
2043
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2043
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2044
		echo
2044
		echo
2045
		echo "                   Hit 'Enter' to continue"
2045
		echo "                   Hit 'Enter' to continue"
2046
	fi
2046
	fi
2047
	sleep 2
2047
	sleep 2
2048
	if [ "$mode" != "update" ]
2048
	if [ "$mode" != "update" ]
2049
	then
2049
	then
2050
		read a
2050
		read a
2051
	fi
2051
	fi
2052
	clear
2052
	clear
2053
	reboot
2053
	reboot
2054
} # End post_install ()
2054
} # End post_install ()
2055
 
2055
 
2056
#################################
2056
#################################
2057
#  	Main Install loop  	#
2057
#  	Main Install loop  	#
2058
#################################
2058
#################################
2059
dir_exec=`dirname "$0"`
2059
dir_exec=`dirname "$0"`
2060
if [ $dir_exec != "." ]
2060
if [ $dir_exec != "." ]
2061
then
2061
then
2062
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2062
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2063
	echo "Launch this program from the ALCASAR archive directory"
2063
	echo "Launch this program from the ALCASAR archive directory"
2064
	exit 0
2064
	exit 0
2065
fi
2065
fi
2066
VERSION=`cat $DIR_INSTALL/VERSION`
2066
VERSION=`cat $DIR_INSTALL/VERSION`
2067
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2067
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2068
nb_args=$#
2068
nb_args=$#
2069
args=$1
2069
args=$1
2070
if [ $nb_args -eq 0 ]
2070
if [ $nb_args -eq 0 ]
2071
then
2071
then
2072
	nb_args=1
2072
	nb_args=1
2073
	args="-h"
2073
	args="-h"
2074
fi
2074
fi
2075
chmod -R u+x $DIR_SCRIPTS/*
2075
chmod -R u+x $DIR_SCRIPTS/*
2076
case $args in
2076
case $args in
2077
	-\? | -h* | --h*)
2077
	-\? | -h* | --h*)
2078
		echo "$usage"
2078
		echo "$usage"
2079
		exit 0
2079
		exit 0
2080
		;;
2080
		;;
2081
	-i | --install)
2081
	-i | --install)
2082
		header_install
2082
		header_install
2083
		license
2083
		license
2084
		header_install
2084
		header_install
2085
		testing
2085
		testing
2086
# RPMs install
2086
# RPMs install
2087
		$DIR_SCRIPTS/alcasar-urpmi.sh
2087
		$DIR_SCRIPTS/alcasar-urpmi.sh
2088
		if [ "$?" != "0" ]
2088
		if [ "$?" != "0" ]
2089
		then
2089
		then
2090
			exit 0
2090
			exit 0
2091
		fi
2091
		fi
2092
		if [ -e $CONF_FILE ]
2092
		if [ -e $CONF_FILE ]
2093
		then
2093
		then
2094
# Uninstall the running version
2094
# Uninstall the running version
2095
			$DIR_SCRIPTS/alcasar-uninstall.sh
2095
			$DIR_SCRIPTS/alcasar-uninstall.sh
2096
		fi
2096
		fi
2097
# Test if manual update	
2097
# Test if manual update	
2098
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2098
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2099
		then
2099
		then
2100
			header_install
2100
			header_install
2101
			if [ $Lang == "fr" ]
2101
			if [ $Lang == "fr" ]
2102
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2102
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2103
				else echo "The configuration file of an old version has been found";
2103
				else echo "The configuration file of an old version has been found";
2104
			fi
2104
			fi
2105
			response=0
2105
			response=0
2106
			PTN='^[oOnNyY]$'
2106
			PTN='^[oOnNyY]$'
2107
			until [[ $(expr $response : $PTN) -gt 0 ]]
2107
			until [[ $(expr $response : $PTN) -gt 0 ]]
2108
			do
2108
			do
2109
				if [ $Lang == "fr" ]
2109
				if [ $Lang == "fr" ]
2110
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2110
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2111
					else echo -n "Do you want to use it (Y/n)?";
2111
					else echo -n "Do you want to use it (Y/n)?";
2112
				 fi
2112
				 fi
2113
				read response
2113
				read response
2114
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2114
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2115
				then rm -f /tmp/alcasar-conf*
2115
				then rm -f /tmp/alcasar-conf*
2116
				fi
2116
				fi
2117
			done
2117
			done
2118
		fi
2118
		fi
2119
# Test if update
2119
# Test if update
2120
		if [ -e /tmp/alcasar-conf* ] 
2120
		if [ -e /tmp/alcasar-conf* ] 
2121
		then
2121
		then
2122
			if [ $Lang == "fr" ]
2122
			if [ $Lang == "fr" ]
2123
				then echo "#### Installation avec mise à jour ####";
2123
				then echo "#### Installation avec mise à jour ####";
2124
				else echo "#### Installation with update     ####";
2124
				else echo "#### Installation with update     ####";
2125
			fi
2125
			fi
2126
# Extract the central configuration file
2126
# Extract the central configuration file
2127
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2127
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2128
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2128
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2129
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2129
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2130
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2130
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2131
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2131
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2132
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2132
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2133
			mode="update"
2133
			mode="update"
2134
		fi
2134
		fi
2135
		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2135
		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
2136
		do
2136
		do
2137
			$func
2137
			$func
2138
# echo "*** 'debug' : end of function $func ***"; read a
2138
# echo "*** 'debug' : end of function $func ***"; read a
2139
		done
2139
		done
2140
		;;
2140
		;;
2141
	-u | --uninstall)
2141
	-u | --uninstall)
2142
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2142
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2143
		then
2143
		then
2144
			if [ $Lang == "fr" ]
2144
			if [ $Lang == "fr" ]
2145
				then echo "ALCASAR n'est pas installé!";
2145
				then echo "ALCASAR n'est pas installé!";
2146
				else echo "ALCASAR isn't installed!";
2146
				else echo "ALCASAR isn't installed!";
2147
			fi
2147
			fi
2148
			exit 0
2148
			exit 0
2149
		fi
2149
		fi
2150
		response=0
2150
		response=0
2151
		PTN='^[oOnN]$'
2151
		PTN='^[oOnN]$'
2152
		until [[ $(expr $response : $PTN) -gt 0 ]]
2152
		until [[ $(expr $response : $PTN) -gt 0 ]]
2153
		do
2153
		do
2154
			if [ $Lang == "fr" ]
2154
			if [ $Lang == "fr" ]
2155
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2155
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2156
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2156
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2157
			fi
2157
			fi
2158
			read response
2158
			read response
2159
		done
2159
		done
2160
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2160
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2161
		then
2161
		then
2162
			$DIR_SCRIPTS/alcasar-conf.sh --create
2162
			$DIR_SCRIPTS/alcasar-conf.sh --create
2163
		else	
2163
		else	
2164
			rm -f /tmp/alcasar-conf*
2164
			rm -f /tmp/alcasar-conf*
2165
		fi
2165
		fi
2166
# Uninstall the running version
2166
# Uninstall the running version
2167
		$DIR_SCRIPTS/alcasar-uninstall.sh
2167
		$DIR_SCRIPTS/alcasar-uninstall.sh
2168
		;;
2168
		;;
2169
	*)
2169
	*)
2170
		echo "Argument inconnu :$1";
2170
		echo "Argument inconnu :$1";
2171
		echo "Unknown argument :$1";
2171
		echo "Unknown argument :$1";
2172
		echo "$usage"
2172
		echo "$usage"
2173
		exit 1
2173
		exit 1
2174
		;;
2174
		;;
2175
esac
2175
esac
2176
# end of script
2176
# end of script
2177
 
2177
 
2178
 
2178