Subversion Repositories ALCASAR

Rev

Rev 2206 | Rev 2213 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2206 Rev 2211
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2206 2017-05-06 17:58:56Z richard $ 
2
#  $Id: alcasar.sh 2211 2017-05-08 16:39:43Z richard $ 
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
 
5
 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
6
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 
7
# Ce programme est un logiciel libre ; This software is free and open source
7
# Ce programme est un logiciel libre ; This software is free and open source
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
8
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
9
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
10
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
11
# Voir la Licence Publique Générale GNU pour plus de détails. 
12
 
12
 
13
#  team@alcasar.net
13
#  team@alcasar.net
14
 
14
 
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
15
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
16
# This script is distributed under the Gnu General Public License (GPL)
16
# This script is distributed under the Gnu General Public License (GPL)
17
 
17
 
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
18
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
19
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
20
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
21
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : 
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
23
 
23
 
24
# Options :
24
# Options :
25
#       -i or --install
25
#       -i or --install
26
#       -u or --uninstall
26
#       -u or --uninstall
27
 
27
 
28
# Functions :
28
# Functions :
29
#	testing			: connectivity tests, free space test and mageia version test
29
#	testing			: connectivity tests, free space test and mageia version test
30
#	init			: Installation of RPM and scripts
30
#	init			: Installation of RPM and scripts
31
#	network			: Network parameters
31
#	network			: Network parameters
32
#	ACC			: ALCASAR Control Center installation
32
#	ACC			: ALCASAR Control Center installation
33
#	CA			: Certification Authority initialization
33
#	CA			: Certification Authority initialization
34
#	time_server		: NTPd configuration
34
#	time_server		: NTPd configuration
35
#	init_db			: Initilization of radius database managed with MariaDB
35
#	init_db			: Initilization of radius database managed with MariaDB
36
#	radius			: FreeRadius initialisation
36
#	radius			: FreeRadius initialisation
37
#	chilli			: coovachilli initialisation (+authentication page)
37
#	chilli			: coovachilli initialisation (+authentication page)
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
38
#	dansguardian		: DansGuardian filtering HTTP proxy configuration
39
#	antivirus		: HAVP + libclamav configuration
39
#	antivirus		: HAVP + libclamav configuration
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	ulogd			: log system in userland (match NFLOG target of iptables)
42
#	nfsen		:	: Configuration of Nfsen Netflow grapher 
42
#	nfsen		:	: Configuration of Nfsen Netflow grapher 
43
#	dnsmasq			: Name server configuration
43
#	dnsmasq			: Name server configuration
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
45
#	BL			: Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	msec			: Mandriva security package configuration
49
#	msec			: Mandriva security package configuration
50
#	post_install		: Security, log rotation, etc.
50
#	post_install		: Security, log rotation, etc.
51
 
51
 
52
DATE=`date '+%d %B %Y - %Hh%M'`
52
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
53
DATE_SHORT=`date '+%d/%m/%Y'`
54
Lang=`echo $LANG|cut -c 1-2`
54
Lang=`echo $LANG|cut -c 1-2`
55
mode="install"
55
mode="install"
56
# ******* Files parameters - paramètres fichiers *********
56
# ******* Files parameters - paramètres fichiers *********
57
DIR_INSTALL=`pwd`				# current directory 
57
DIR_INSTALL=`pwd`				# current directory 
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
58
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
59
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
60
DIR_BLACKLIST="$DIR_INSTALL/blacklist"		# install directory (with blacklist files)
61
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
61
DIR_SAVE="/var/Save"				# backup directory (traceability_log, user_db, security_log)
62
DIR_WEB="/var/www/html"				# directory of APACHE
62
DIR_WEB="/var/www/html"				# directory of APACHE
63
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
63
DIR_DG="/etc/dansguardian"			# directory of DansGuardian
64
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
64
DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
65
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
66
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
67
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
68
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
69
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
70
# ******* DBMS parameters - paramètres SGBD ********
70
# ******* DBMS parameters - paramètres SGBD ********
71
DB_RADIUS="radius"				# database name used by FreeRadius server
71
DB_RADIUS="radius"				# database name used by FreeRadius server
72
DB_USER="radius"				# user name allows to request the users database
72
DB_USER="radius"				# user name allows to request the users database
73
DB_GAMMU="gammu"				# database name used by Gammu-smsd
73
DB_GAMMU="gammu"				# database name used by Gammu-smsd
74
# ******* Network parameters - paramètres réseau *******
74
# ******* Network parameters - paramètres réseau *******
75
HOSTNAME="alcasar"				# default hostname
75
HOSTNAME="alcasar"				# default hostname
76
DOMAIN="localdomain"				# default local domain
76
DOMAIN="localdomain"				# default local domain
77
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
77
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`							# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
78
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`	# INTIF is connected to the consultation network
79
MTU="1500"
79
MTU="1500"
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
80
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
81
# ****** Paths - chemin des commandes *******
81
# ****** Paths - chemin des commandes *******
82
SED="/bin/sed -i"
82
SED="/bin/sed -i"
83
# ****************** End of global parameters *********************
83
# ****************** End of global parameters *********************
84
 
84
 
85
license ()
85
license ()
86
{
86
{
87
	if [ $Lang == "fr" ]
87
	if [ $Lang == "fr" ]
88
	then
88
	then
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
89
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
	else
90
	else
91
		cat $DIR_INSTALL/gpl-warning.txt | more
91
		cat $DIR_INSTALL/gpl-warning.txt | more
92
	fi
92
	fi
93
	response=0
93
	response=0
94
	PTN='^[oOyYnN]$'
94
	PTN='^[oOyYnN]$'
95
	until [[ $(expr $response : $PTN) -gt 0 ]]
95
	until [[ $(expr $response : $PTN) -gt 0 ]]
96
	do
96
	do
97
		if [ $Lang == "fr" ]
97
		if [ $Lang == "fr" ]
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
98
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
99
			else echo -n "Do you accept the terms of this license (Y/n)? : "
100
		fi
100
		fi
101
		read response
101
		read response
102
	done
102
	done
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
103
	if [ "$response" = "n" ] || [ "$response" = "N" ]
104
	then
104
	then
105
		exit 1
105
		exit 1
106
	fi
106
	fi
107
}
107
}
108
 
108
 
109
header_install ()
109
header_install ()
110
{
110
{
111
	clear
111
	clear
112
	echo "-----------------------------------------------------------------------------"
112
	echo "-----------------------------------------------------------------------------"
113
	echo "                     ALCASAR V$VERSION Installation"
113
	echo "                     ALCASAR V$VERSION Installation"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
114
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
	echo "-----------------------------------------------------------------------------"
115
	echo "-----------------------------------------------------------------------------"
116
}
116
}
117
 
117
 
118
##################################################################
118
##################################################################
119
##			Function "testing"			##
119
##			Function "testing"			##
120
## - Test of Mageia version					##
120
## - Test of Mageia version					##
121
## - Test of ALCASAR version (if already installed)		##
121
## - Test of ALCASAR version (if already installed)		##
122
## - Test of free space on /var  (>10G)				##
122
## - Test of free space on /var  (>10G)				##
123
## - Test of Internet access					##
123
## - Test of Internet access					##
124
##################################################################
124
##################################################################
125
testing ()
125
testing ()
126
{
126
{
127
# Test of Mageia version
127
# Test of Mageia version
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
128
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
	fic=`cat /etc/product.id`
129
	fic=`cat /etc/product.id`
130
	unknown_os=0
130
	unknown_os=0
131
	old="$IFS"
131
	old="$IFS"
132
	IFS=","
132
	IFS=","
133
	set $fic
133
	set $fic
134
	for i in $*
134
	for i in $*
135
	do
135
	do
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
136
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
			then 
137
			then 
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
138
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
			unknown_os=`expr $unknown_os + 1`
139
			unknown_os=`expr $unknown_os + 1`
140
		fi
140
		fi
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
141
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
			then 
142
			then 
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
143
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
			unknown_os=`expr $unknown_os + 1`
144
			unknown_os=`expr $unknown_os + 1`
145
		fi
145
		fi
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
146
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
			then 
147
			then 
148
			ARCH=`echo $i|cut -d"=" -f2`
148
			ARCH=`echo $i|cut -d"=" -f2`
149
			unknown_os=`expr $unknown_os + 1`
149
			unknown_os=`expr $unknown_os + 1`
150
		fi
150
		fi
151
	done
151
	done
152
	if [ "$ARCH" == "i586" ]
152
	if [ "$ARCH" == "i586" ]
153
		then
153
		then
154
		if [ $Lang == "fr" ]
154
		if [ $Lang == "fr" ]
155
			then echo -n "Votre architecture matérielle doit être en 64bits"
155
			then echo -n "Votre architecture matérielle doit être en 64bits"
156
			else echo -n "You hardware architecture must be 64bits"
156
			else echo -n "You hardware architecture must be 64bits"
157
			exit 0
157
			exit 0
158
		fi
158
		fi
159
	fi
159
	fi
160
	IFS="$old"
160
	IFS="$old"
161
# Test if ALCASAR is already installed
161
# Test if ALCASAR is already installed
162
	if [ -e $CONF_FILE ]
162
	if [ -e $CONF_FILE ]
163
	then
163
	then
164
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
164
		current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
165
		if [ $Lang == "fr" ]
165
		if [ $Lang == "fr" ]
166
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
166
			then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
167
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
167
			else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
168
		fi
168
		fi
169
		response=0
169
		response=0
170
		PTN='^[oOnNyY]$'
170
		PTN='^[oOnNyY]$'
171
		until [[ $(expr $response : $PTN) -gt 0 ]]
171
		until [[ $(expr $response : $PTN) -gt 0 ]]
172
		do
172
		do
173
			if [ $Lang == "fr" ]
173
			if [ $Lang == "fr" ]
174
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
174
				then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
175
				else echo -n "Do you want to update (Y/n)?";
175
				else echo -n "Do you want to update (Y/n)?";
176
			 fi
176
			 fi
177
			read response
177
			read response
178
		done
178
		done
179
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
179
		if [ "$response" = "n" ] || [ "$response" = "N" ] 
180
		then
180
		then
181
			rm -f /tmp/alcasar-conf*
181
			rm -f /tmp/alcasar-conf*
182
		else
182
		else
183
# Retrieve former NICname
183
# Retrieve former NICname
184
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
184
			EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2`				# EXTernal InterFace
185
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
185
			INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2`				# INTernal InterFace
186
# Create the current conf file
186
# Create the current conf file
187
			$DIR_SCRIPTS/alcasar-conf.sh --create
187
			$DIR_SCRIPTS/alcasar-conf.sh --create
188
			mode="update"
188
			mode="update"
189
		fi
189
		fi
190
	fi
190
	fi
191
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
191
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "5" ) ]]
192
		then
192
		then
193
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
193
		if [ -e /tmp/alcasar-conf.tar.gz ] # update
194
			then
194
			then
195
			echo
195
			echo
196
			if [ $Lang == "fr" ]
196
			if [ $Lang == "fr" ]
197
				then	
197
				then	
198
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
198
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
199
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
199
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
200
				echo "2 - Installez Linux-Mageia 5.1-64bits et ALCASAR (cf. doc d'installation)"
200
				echo "2 - Installez Linux-Mageia 5.1-64bits et ALCASAR (cf. doc d'installation)"
201
				echo "3 - Importez votre base des usagers"
201
				echo "3 - Importez votre base des usagers"
202
			else
202
			else
203
				echo "The automatic update of ALCASAR can't be performed."
203
				echo "The automatic update of ALCASAR can't be performed."
204
				echo "1 - Save your traceability files and the user database"
204
				echo "1 - Save your traceability files and the user database"
205
				echo "2 - Install Linux-Mageia 5.1-64bits & ALCASAR (cf. installation doc)"
205
				echo "2 - Install Linux-Mageia 5.1-64bits & ALCASAR (cf. installation doc)"
206
				echo "3 - Import your users database"
206
				echo "3 - Import your users database"
207
			fi
207
			fi
208
		else
208
		else
209
			if [ $Lang == "fr" ]
209
			if [ $Lang == "fr" ]
210
				then	
210
				then	
211
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
211
				echo "L'installation d'ALCASAR ne peut pas être réalisée."
212
			else
212
			else
213
				echo "The installation of ALCASAR can't be performed."
213
				echo "The installation of ALCASAR can't be performed."
214
			fi
214
			fi
215
		fi
215
		fi
216
		echo
216
		echo
217
		if [ $Lang == "fr" ]
217
		if [ $Lang == "fr" ]
218
			then	
218
			then	
219
			echo "Le système d'exploitation doit être remplacé (Mageia5.1-64bits)"
219
			echo "Le système d'exploitation doit être remplacé (Mageia5.1-64bits)"
220
		else
220
		else
221
			echo "The OS must be replaced (Mageia5.1-64bits)"
221
			echo "The OS must be replaced (Mageia5.1-64bits)"
222
		fi
222
		fi
223
		exit 0
223
		exit 0
224
	fi
224
	fi
225
	if [ ! -d /var/log/netflow/porttracker ]
225
	if [ ! -d /var/log/netflow/porttracker ]
226
		then
226
		then
227
# Test of free space on /var
227
# Test of free space on /var
228
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
228
		free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
229
		if [ $free_space -lt 10 ]
229
		if [ $free_space -lt 10 ]
230
			then
230
			then
231
			if [ $Lang == "fr" ]
231
			if [ $Lang == "fr" ]
232
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
232
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
233
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
233
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
234
			fi
234
			fi
235
		exit 0
235
		exit 0
236
		fi
236
		fi
237
	fi
237
	fi
238
	if [ $Lang == "fr" ]
238
	if [ $Lang == "fr" ]
239
		then echo -n "Tests des paramètres réseau : "
239
		then echo -n "Tests des paramètres réseau : "
240
		else echo -n "Network parameters tests : "
240
		else echo -n "Network parameters tests : "
241
	fi
241
	fi
242
# Test of Ethernet links state
242
# Test of Ethernet links state
243
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
243
	DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "`
244
	for i in $DOWN_IF
244
	for i in $DOWN_IF
245
	do
245
	do
246
		if [ $Lang == "fr" ]
246
		if [ $Lang == "fr" ]
247
		then 
247
		then 
248
			echo "Échec"
248
			echo "Échec"
249
			echo "Le lien réseau de la carte $i n'est pas actif."
249
			echo "Le lien réseau de la carte $i n'est pas actif."
250
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
250
			echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
251
		else
251
		else
252
			echo "Failed"
252
			echo "Failed"
253
			echo "The link state of $i interface is down."
253
			echo "The link state of $i interface is down."
254
			echo "Make sure that this network card is connected to a switch or an A.P."
254
			echo "Make sure that this network card is connected to a switch or an A.P."
255
		fi
255
		fi
256
		exit 0
256
		exit 0
257
	done
257
	done
258
	echo -n "."
258
	echo -n "."
259
 
259
 
260
# Test EXTIF config files
260
# Test EXTIF config files
261
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
261
	PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
262
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
262
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
263
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
263
	PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
264
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
264
	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
265
	then
265
	then
266
		if [ $Lang == "fr" ]
266
		if [ $Lang == "fr" ]
267
		then 
267
		then 
268
			echo "Échec"
268
			echo "Échec"
269
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
269
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
270
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
270
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
271
			echo "Appliquez les changements : 'systemctl restart network'"
271
			echo "Appliquez les changements : 'systemctl restart network'"
272
		else
272
		else
273
			echo "Failed"
273
			echo "Failed"
274
			echo "The Internet connected network card ($EXTIF) isn't well configured."
274
			echo "The Internet connected network card ($EXTIF) isn't well configured."
275
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
275
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
276
			echo "Apply the new configuration 'systemctl restart network'"
276
			echo "Apply the new configuration 'systemctl restart network'"
277
		fi
277
		fi
278
		echo "DEVICE=$EXTIF"
278
		echo "DEVICE=$EXTIF"
279
		echo "IPADDR="
279
		echo "IPADDR="
280
		echo "NETMASK="
280
		echo "NETMASK="
281
		echo "GATEWAY="
281
		echo "GATEWAY="
282
		echo "DNS1="
282
		echo "DNS1="
283
		echo "DNS2="
283
		echo "DNS2="
284
		echo "ONBOOT=yes"
284
		echo "ONBOOT=yes"
285
		exit 0
285
		exit 0
286
	fi
286
	fi
287
	echo -n "."
287
	echo -n "."
288
 
288
 
289
# Test if router is alive (Box FAI)
289
# Test if router is alive (Box FAI)
290
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
290
	if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
291
		if [ $Lang == "fr" ]
291
		if [ $Lang == "fr" ]
292
		then 
292
		then 
293
			echo "Échec"
293
			echo "Échec"
294
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
294
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
295
			echo "Réglez ce problème puis relancez ce script."
295
			echo "Réglez ce problème puis relancez ce script."
296
		else
296
		else
297
			echo "Failed"
297
			echo "Failed"
298
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
298
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
299
			echo "Resolv this problem, then restart this script."
299
			echo "Resolv this problem, then restart this script."
300
		fi
300
		fi
301
		exit 0
301
		exit 0
302
	fi
302
	fi
303
	echo -n "."
303
	echo -n "."
304
# On teste le lien vers le routeur par defaut
304
# On teste le lien vers le routeur par defaut
305
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
305
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
306
	if [ $(expr $arp_reply) -eq 0 ]
306
	if [ $(expr $arp_reply) -eq 0 ]
307
	       	then
307
	       	then
308
		if [ $Lang == "fr" ]
308
		if [ $Lang == "fr" ]
309
		then 
309
		then 
310
			echo "Échec"
310
			echo "Échec"
311
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
311
			echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
312
			echo "Réglez ce problème puis relancez ce script."
312
			echo "Réglez ce problème puis relancez ce script."
313
		else
313
		else
314
			echo "Failed"
314
			echo "Failed"
315
			echo "The Internet gateway doesn't answered"
315
			echo "The Internet gateway doesn't answered"
316
			echo "Resolv this problem, then restart this script."
316
			echo "Resolv this problem, then restart this script."
317
		fi
317
		fi
318
		exit 0
318
		exit 0
319
	fi
319
	fi
320
	echo -n "."
320
	echo -n "."
321
# On teste la connectivité Internet
321
# On teste la connectivité Internet
322
	rm -rf /tmp/con_ok.html
322
	rm -rf /tmp/con_ok.html
323
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
323
	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
324
	if [ ! -e /tmp/con_ok.html ]
324
	if [ ! -e /tmp/con_ok.html ]
325
	then
325
	then
326
		if [ $Lang == "fr" ]
326
		if [ $Lang == "fr" ]
327
		then 
327
		then 
328
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
328
			echo "La tentative de connexion vers Internet a échoué (google.fr)."
329
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
329
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
330
			echo "Vérifiez la validité des adresses IP des DNS."
330
			echo "Vérifiez la validité des adresses IP des DNS."
331
		else
331
		else
332
			echo "The Internet connection try failed (google.fr)."
332
			echo "The Internet connection try failed (google.fr)."
333
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
333
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
334
			echo "Verify the DNS IP addresses"
334
			echo "Verify the DNS IP addresses"
335
		fi
335
		fi
336
		exit 0
336
		exit 0
337
	fi
337
	fi
338
	rm -rf /tmp/con_ok.html
338
	rm -rf /tmp/con_ok.html
339
	echo ". : ok"
339
	echo ". : ok"
340
} # end of testing ()
340
} # end of testing ()
341
 
341
 
342
##################################################################
342
##################################################################
343
##			Function "init"				##
343
##			Function "init"				##
344
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
344
## - Création du fichier "/root/ALCASAR_parametres.txt"		##
345
## - Installation et modification des scripts du portail	##
345
## - Installation et modification des scripts du portail	##
346
##################################################################
346
##################################################################
347
init ()
347
init ()
348
{
348
{
349
	if [ "$mode" != "update" ]
349
	if [ "$mode" != "update" ]
350
	then
350
	then
351
# On affecte le nom d'organisme
351
# On affecte le nom d'organisme
352
		header_install
352
		header_install
353
		ORGANISME=!
353
		ORGANISME=!
354
		PTN='^[a-zA-Z0-9-]*$'
354
		PTN='^[a-zA-Z0-9-]*$'
355
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
355
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
356
                do
356
                do
357
			if [ $Lang == "fr" ]
357
			if [ $Lang == "fr" ]
358
			       	then echo -n "Entrez le nom de votre organisme : "
358
			       	then echo -n "Entrez le nom de votre organisme : "
359
				else echo -n "Enter the name of your organism : "
359
				else echo -n "Enter the name of your organism : "
360
			fi
360
			fi
361
			read ORGANISME
361
			read ORGANISME
362
			if [ "$ORGANISME" == "" ]
362
			if [ "$ORGANISME" == "" ]
363
				then
363
				then
364
				ORGANISME=!
364
				ORGANISME=!
365
			fi
365
			fi
366
		done
366
		done
367
	fi
367
	fi
368
# On crée aléatoirement les mots de passe et les secrets partagés
368
# On crée aléatoirement les mots de passe et les secrets partagés
369
	rm -f $PASSWD_FILE
369
	rm -f $PASSWD_FILE
370
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
370
	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
371
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
371
	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
372
	echo "$grubpwd" >> $PASSWD_FILE
372
	echo "$grubpwd" >> $PASSWD_FILE
373
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
373
	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
374
	$SED "/^password.*/d" /boot/grub/menu.lst
374
	$SED "/^password.*/d" /boot/grub/menu.lst
375
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
375
	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
376
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
376
	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
377
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
377
	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
378
	echo "root / $mysqlpwd" >> $PASSWD_FILE
378
	echo "root / $mysqlpwd" >> $PASSWD_FILE
379
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
379
	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
380
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
380
	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
381
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
381
	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
382
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
382
	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
383
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
383
	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
384
	echo "$secretuam" >> $PASSWD_FILE
384
	echo "$secretuam" >> $PASSWD_FILE
385
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
385
	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
386
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
386
	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
387
	echo "$secretradius" >> $PASSWD_FILE
387
	echo "$secretradius" >> $PASSWD_FILE
388
	chmod 640 $PASSWD_FILE
388
	chmod 640 $PASSWD_FILE
389
#  copy scripts in in /usr/local/bin
389
#  copy scripts in in /usr/local/bin
390
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
390
	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
391
#  copy conf files in /usr/local/etc
391
#  copy conf files in /usr/local/etc
392
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
392
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
393
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
393
	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_BIN/alcasar-logout.sh
394
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
394
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
395
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
395
	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
396
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
396
	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_BIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
397
# generate central conf file
397
# generate central conf file
398
	cat <<EOF > $CONF_FILE
398
	cat <<EOF > $CONF_FILE
399
##########################################
399
##########################################
400
##                                      ##
400
##                                      ##
401
##          ALCASAR Parameters          ##
401
##          ALCASAR Parameters          ##
402
##                                      ##
402
##                                      ##
403
##########################################
403
##########################################
404
 
404
 
405
INSTALL_DATE=$DATE
405
INSTALL_DATE=$DATE
406
VERSION=$VERSION
406
VERSION=$VERSION
407
ORGANISM=$ORGANISME
407
ORGANISM=$ORGANISME
408
HOSTNAME=$HOSTNAME
408
HOSTNAME=$HOSTNAME
409
DOMAIN=$DOMAIN
409
DOMAIN=$DOMAIN
410
EOF
410
EOF
411
	chmod o-rwx $CONF_FILE
411
	chmod o-rwx $CONF_FILE
412
} # End of init ()
412
} # End of init ()
413
 
413
 
414
##################################################################
414
##################################################################
415
##			Function "network"			##
415
##			Function "network"			##
416
## - Définition du plan d'adressage du réseau de consultation	##
416
## - Définition du plan d'adressage du réseau de consultation	##
417
## - Nommage DNS du système 					##
417
## - Nommage DNS du système 					##
418
## - Configuration de l'interface INTIF (réseau de consultation)##
418
## - Configuration de l'interface INTIF (réseau de consultation)##
419
## - Modification du fichier /etc/hosts				##
419
## - Modification du fichier /etc/hosts				##
420
## - Renseignement des fichiers hosts.allow et hosts.deny	##
420
## - Renseignement des fichiers hosts.allow et hosts.deny	##
421
##################################################################
421
##################################################################
422
network ()
422
network ()
423
{
423
{
424
	header_install
424
	header_install
425
	if [ "$mode" != "update" ]
425
	if [ "$mode" != "update" ]
426
		then
426
		then
427
		if [ $Lang == "fr" ]
427
		if [ $Lang == "fr" ]
428
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
428
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
429
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
429
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
430
		fi
430
		fi
431
		response=0
431
		response=0
432
		PTN='^[oOyYnN]$'
432
		PTN='^[oOyYnN]$'
433
		until [[ $(expr $response : $PTN) -gt 0 ]]
433
		until [[ $(expr $response : $PTN) -gt 0 ]]
434
		do
434
		do
435
			if [ $Lang == "fr" ]
435
			if [ $Lang == "fr" ]
436
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
436
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
437
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
437
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
438
			fi
438
			fi
439
			read response
439
			read response
440
		done
440
		done
441
		if [ "$response" = "n" ] || [ "$response" = "N" ]
441
		if [ "$response" = "n" ] || [ "$response" = "N" ]
442
		then
442
		then
443
			PRIVATE_IP_MASK="0"
443
			PRIVATE_IP_MASK="0"
444
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
444
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
445
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
445
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
446
			do
446
			do
447
				if [ $Lang == "fr" ]
447
				if [ $Lang == "fr" ]
448
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
448
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
449
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
449
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
450
				fi
450
				fi
451
				read PRIVATE_IP_MASK
451
				read PRIVATE_IP_MASK
452
			done
452
			done
453
		else
453
		else
454
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
454
       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
455
		fi
455
		fi
456
	else
456
	else
457
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
457
		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 
458
		rm -rf conf/etc/alcasar.conf
458
		rm -rf conf/etc/alcasar.conf
459
	fi
459
	fi
460
# Define LAN side global parameters
460
# Define LAN side global parameters
461
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
461
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
462
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
462
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
463
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
463
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
464
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
464
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
465
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
465
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
466
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
466
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
467
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
467
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
468
		then
468
		then
469
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
469
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	
470
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
470
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
471
	fi	
471
	fi	
472
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
472
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
473
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
473
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
474
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
474
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
475
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
475
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
476
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
476
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
477
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
477
	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)
478
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
478
	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`				# last octet of LAN broadcast
479
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
479
	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`	# First network address (ex.: 192.168.182.1)
480
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
480
	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)
481
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
481
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
482
# Define Internet parameters
482
# Define Internet parameters
483
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
483
	DNS1=`grep ^nameserver /etc/resolv.conf|awk -F" " '{print $2}'|head -n 1`				# 1st DNS server
484
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
484
	nb_dns=`grep ^nameserver /etc/resolv.conf|wc -l`
485
	if [ $nb_dns == 2 ]
485
	if [ $nb_dns == 2 ]
486
		then
486
		then
487
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
487
		DNS2=`grep ^nameserver /etc/resolv.conf|cut -d" " -f2|tail -n 1`			# 2nd DNS server (if exist)
488
	fi
488
	fi
489
	DNS1=${DNS1:=208.67.220.220}
489
	DNS1=${DNS1:=208.67.220.220}
490
	DNS2=${DNS2:=208.67.222.222}
490
	DNS2=${DNS2:=208.67.222.222}
491
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
491
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
492
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
492
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
493
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
493
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
494
# Wrtie the conf file
494
# Wrtie the conf file
495
	echo "EXTIF=$EXTIF" >> $CONF_FILE
495
	echo "EXTIF=$EXTIF" >> $CONF_FILE
496
	echo "INTIF=$INTIF" >> $CONF_FILE
496
	echo "INTIF=$INTIF" >> $CONF_FILE
497
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
497
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`		# IP setting (static or dynamic)
498
	if [ $IP_SETTING == "dhcp" ]
498
	if [ $IP_SETTING == "dhcp" ]
499
		then
499
		then
500
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
500
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
501
		echo "GW=dhcp" >> $CONF_FILE
501
		echo "GW=dhcp" >> $CONF_FILE
502
	else
502
	else
503
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
503
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
504
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
504
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
505
	fi
505
	fi
506
	echo "DNS1=$DNS1" >> $CONF_FILE
506
	echo "DNS1=$DNS1" >> $CONF_FILE
507
	echo "DNS2=$DNS2" >> $CONF_FILE
507
	echo "DNS2=$DNS2" >> $CONF_FILE
508
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
508
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
509
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
509
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
510
	echo "DHCP=on" >> $CONF_FILE
510
	echo "DHCP=on" >> $CONF_FILE
511
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
511
	echo "EXT_DHCP_IP=none" >> $CONF_FILE
512
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
512
	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
513
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
513
	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
514
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
514
	echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
515
	echo "INT_DNS_IP=none" >> $CONF_FILE
515
	echo "INT_DNS_IP=none" >> $CONF_FILE
516
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
516
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
517
# network default
517
# network default
518
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
518
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
519
	cat <<EOF > /etc/sysconfig/network
519
	cat <<EOF > /etc/sysconfig/network
520
NETWORKING=yes
520
NETWORKING=yes
521
FORWARD_IPV4=true
521
FORWARD_IPV4=true
522
EOF
522
EOF
523
# /etc/hosts config
523
# /etc/hosts config
524
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
524
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
525
	cat <<EOF > /etc/hosts
525
	cat <<EOF > /etc/hosts
526
127.0.0.1	localhost
526
127.0.0.1	localhost
527
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
527
$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME
528
EOF
528
EOF
529
# EXTIF (Internet) config
529
# EXTIF (Internet) config
530
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
530
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
531
	if [ $IP_SETTING == "dhcp" ]
531
	if [ $IP_SETTING == "dhcp" ]
532
		then
532
		then
533
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
533
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
534
DEVICE=$EXTIF
534
DEVICE=$EXTIF
535
BOOTPROTO=dhcp
535
BOOTPROTO=dhcp
536
DNS1=127.0.0.1
536
DNS1=127.0.0.1
537
PEERDNS=no
537
PEERDNS=no
538
RESOLV_MODS=yes
538
RESOLV_MODS=yes
539
ONBOOT=yes
539
ONBOOT=yes
540
NOZEROCONF=yes
540
NOZEROCONF=yes
541
METRIC=10
541
METRIC=10
542
MII_NOT_SUPPORTED=yes
542
MII_NOT_SUPPORTED=yes
543
IPV6INIT=no
543
IPV6INIT=no
544
IPV6TO4INIT=no
544
IPV6TO4INIT=no
545
ACCOUNTING=no
545
ACCOUNTING=no
546
USERCTL=no
546
USERCTL=no
547
MTU=$MTU
547
MTU=$MTU
548
EOF
548
EOF
549
		else	
549
		else	
550
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
550
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
551
DEVICE=$EXTIF
551
DEVICE=$EXTIF
552
BOOTPROTO=static
552
BOOTPROTO=static
553
IPADDR=$PUBLIC_IP
553
IPADDR=$PUBLIC_IP
554
NETMASK=$PUBLIC_NETMASK
554
NETMASK=$PUBLIC_NETMASK
555
GATEWAY=$PUBLIC_GATEWAY
555
GATEWAY=$PUBLIC_GATEWAY
556
DNS1=127.0.0.1
556
DNS1=127.0.0.1
557
RESOLV_MODS=yes
557
RESOLV_MODS=yes
558
ONBOOT=yes
558
ONBOOT=yes
559
METRIC=10
559
METRIC=10
560
NOZEROCONF=yes
560
NOZEROCONF=yes
561
MII_NOT_SUPPORTED=yes
561
MII_NOT_SUPPORTED=yes
562
IPV6INIT=no
562
IPV6INIT=no
563
IPV6TO4INIT=no
563
IPV6TO4INIT=no
564
ACCOUNTING=no
564
ACCOUNTING=no
565
USERCTL=no
565
USERCTL=no
566
MTU=$MTU
566
MTU=$MTU
567
EOF
567
EOF
568
	fi
568
	fi
569
# Config INTIF (consultation LAN) in normal mode
569
# Config INTIF (consultation LAN) in normal mode
570
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
570
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
571
DEVICE=$INTIF
571
DEVICE=$INTIF
572
BOOTPROTO=static
572
BOOTPROTO=static
573
ONBOOT=yes
573
ONBOOT=yes
574
NOZEROCONF=yes
574
NOZEROCONF=yes
575
MII_NOT_SUPPORTED=yes
575
MII_NOT_SUPPORTED=yes
576
IPV6INIT=no
576
IPV6INIT=no
577
IPV6TO4INIT=no
577
IPV6TO4INIT=no
578
ACCOUNTING=no
578
ACCOUNTING=no
579
USERCTL=no
579
USERCTL=no
580
EOF
580
EOF
581
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
581
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
582
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
582
# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
583
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
583
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
584
DEVICE=$INTIF
584
DEVICE=$INTIF
585
BOOTPROTO=static
585
BOOTPROTO=static
586
IPADDR=$PRIVATE_IP
586
IPADDR=$PRIVATE_IP
587
NETMASK=$PRIVATE_NETMASK
587
NETMASK=$PRIVATE_NETMASK
588
ONBOOT=yes
588
ONBOOT=yes
589
METRIC=10
589
METRIC=10
590
NOZEROCONF=yes
590
NOZEROCONF=yes
591
MII_NOT_SUPPORTED=yes
591
MII_NOT_SUPPORTED=yes
592
IPV6INIT=no
592
IPV6INIT=no
593
IPV6TO4INIT=no
593
IPV6TO4INIT=no
594
ACCOUNTING=no
594
ACCOUNTING=no
595
USERCTL=no
595
USERCTL=no
596
EOF
596
EOF
597
# Renseignement des fichiers hosts.allow et hosts.deny
597
# Renseignement des fichiers hosts.allow et hosts.deny
598
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
598
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
599
	cat <<EOF > /etc/hosts.allow
599
	cat <<EOF > /etc/hosts.allow
600
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
600
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
601
sshd: ALL
601
sshd: ALL
602
ntpd: $PRIVATE_NETWORK_SHORT
602
ntpd: $PRIVATE_NETWORK_SHORT
603
EOF
603
EOF
604
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
604
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
605
	cat <<EOF > /etc/hosts.deny
605
	cat <<EOF > /etc/hosts.deny
606
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
606
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
607
EOF
607
EOF
608
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
608
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
609
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
609
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
610
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
610
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
611
# load conntrack ftp module
611
# load conntrack ftp module
612
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
612
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
613
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
613
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
614
# load ipt_NETFLOW module
614
# load ipt_NETFLOW module
615
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
615
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
616
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
616
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
617
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
617
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
618
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
618
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
619
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
619
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
620
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
620
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
621
# 
621
# 
622
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
622
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
623
} # End of network ()
623
} # End of network ()
624
 
624
 
625
##################################################################
625
##################################################################
626
##			Function "ACC"				##
626
##			Function "ACC"				##
627
## - installation of then ALCASAR Control Center (ACC)	)	##
627
## - installation of then ALCASAR Control Center (ACC)	)	##
628
## - configuration of the web server (Apache)			##
628
## - configuration of the web server (Apache)			##
629
## - creation of the first ACC admin account 			##
629
## - creation of the first ACC admin account 			##
630
## - secure the access						##
630
## - secure the access						##
631
##################################################################
631
##################################################################
632
ACC ()
632
ACC ()
633
{
633
{
634
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
634
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
635
	mkdir $DIR_WEB
635
	mkdir $DIR_WEB
636
# Copy & adapt ACC files
636
# Copy & adapt ACC files
637
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
637
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
638
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
638
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
639
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
639
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
640
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
640
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
641
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
641
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
642
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
642
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
643
	chown -R apache:apache $DIR_WEB/*
643
	chown -R apache:apache $DIR_WEB/*
644
# copy & adapt "freeradius-web" files
644
# copy & adapt "freeradius-web" files
645
	cp -rf $DIR_CONF/freeradius-web/ /etc/
645
	cp -rf $DIR_CONF/freeradius-web/ /etc/
646
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
646
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
647
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
647
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
648
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
648
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
649
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
649
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
650
	cat <<EOF > /etc/freeradius-web/naslist.conf
650
	cat <<EOF > /etc/freeradius-web/naslist.conf
651
nas1_name: alcasar-$ORGANISME
651
nas1_name: alcasar-$ORGANISME
652
nas1_model: Network Access Controler
652
nas1_model: Network Access Controler
653
nas1_ip: $PRIVATE_IP
653
nas1_ip: $PRIVATE_IP
654
nas1_port_num: 0
654
nas1_port_num: 0
655
nas1_community: public
655
nas1_community: public
656
EOF
656
EOF
657
	chown -R apache:apache /etc/freeradius-web/
657
	chown -R apache:apache /etc/freeradius-web/
658
# create the log & backup structure :
658
# create the log & backup structure :
659
# - base = users database
659
# - base = users database
660
# - archive = tarball of "base + http firewall + netflow"
660
# - archive = tarball of "base + http firewall + netflow"
661
# - security = watchdog log
661
# - security = watchdog log
662
	for i in base archive security activity_report;
662
	for i in base archive security activity_report;
663
	do
663
	do
664
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
664
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
665
	done
665
	done
666
	chown -R root:apache $DIR_SAVE
666
	chown -R root:apache $DIR_SAVE
667
# Configuring & securing php
667
# Configuring & securing php
668
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
668
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
669
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
669
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
670
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
670
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
671
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
671
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
672
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
672
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
673
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
673
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
674
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
674
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
675
# Configuring & sécuring Apache
675
# Configuring & sécuring Apache
676
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
676
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
677
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
677
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
678
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
678
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
679
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
679
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
680
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
680
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
681
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
681
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
682
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
682
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
683
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
683
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
684
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
684
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
685
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
685
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
686
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
686
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
687
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
687
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
688
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
688
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
689
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
689
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
690
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
690
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
691
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
691
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
692
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
692
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
693
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
693
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
694
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
694
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
695
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
695
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
696
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
696
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
697
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
697
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
698
# Error page management
698
# Error page management
699
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
699
[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
700
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
700
cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
701
Alias /error/ "/var/www/html/"
701
Alias /error/ "/var/www/html/"
702
<Directory "/usr/share/httpd/error">
702
<Directory "/usr/share/httpd/error">
703
    AllowOverride None
703
    AllowOverride None
704
    Options IncludesNoExec
704
    Options IncludesNoExec
705
    AddOutputFilter Includes html
705
    AddOutputFilter Includes html
706
    AddHandler type-map var
706
    AddHandler type-map var
707
    Require all granted
707
    Require all granted
708
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
708
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
709
    ForceLanguagePriority Prefer Fallback
709
    ForceLanguagePriority Prefer Fallback
710
</Directory>
710
</Directory>
711
ErrorDocument 400 /error/error.php?error=400
711
ErrorDocument 400 /error/error.php?error=400
712
ErrorDocument 401 /error/error.php?error=401
712
ErrorDocument 401 /error/error.php?error=401
713
ErrorDocument 403 /error/error.php?error=403
713
ErrorDocument 403 /error/error.php?error=403
714
ErrorDocument 404 /error/index.php
714
ErrorDocument 404 /error/index.php
715
ErrorDocument 405 /error/error.php?error=405
715
ErrorDocument 405 /error/error.php?error=405
716
ErrorDocument 408 /error/error.php?error=408
716
ErrorDocument 408 /error/error.php?error=408
717
ErrorDocument 410 /error/error.php?error=410
717
ErrorDocument 410 /error/error.php?error=410
718
ErrorDocument 411 /error/error.php?error=411
718
ErrorDocument 411 /error/error.php?error=411
719
ErrorDocument 412 /error/error.php?error=412
719
ErrorDocument 412 /error/error.php?error=412
720
ErrorDocument 413 /error/error.php?error=413
720
ErrorDocument 413 /error/error.php?error=413
721
ErrorDocument 414 /error/error.php?error=414
721
ErrorDocument 414 /error/error.php?error=414
722
ErrorDocument 415 /error/error.php?error=415
722
ErrorDocument 415 /error/error.php?error=415
723
ErrorDocument 500 /error/error.php?error=500
723
ErrorDocument 500 /error/error.php?error=500
724
ErrorDocument 501 /error/error.php?error=501
724
ErrorDocument 501 /error/error.php?error=501
725
ErrorDocument 502 /error/error.php?error=502
725
ErrorDocument 502 /error/error.php?error=502
726
ErrorDocument 503 /error/error.php?error=503
726
ErrorDocument 503 /error/error.php?error=503
727
ErrorDocument 506 /error/error.php?error=506
727
ErrorDocument 506 /error/error.php?error=506
728
EOF
728
EOF
729
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
729
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
730
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
730
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
731
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
731
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
732
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
732
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
733
</body>
733
</body>
734
</html>
734
</html>
735
EOF
735
EOF
736
# Définition du premier compte lié au profil 'admin'
736
# Définition du premier compte lié au profil 'admin'
737
if [ "$mode" = "install" ]
737
if [ "$mode" = "install" ]
738
	then
738
	then
739
		header_install
739
		header_install
740
		admin_portal=!
740
		admin_portal=!
741
		PTN='^[a-zA-Z0-9-]*$'
741
		PTN='^[a-zA-Z0-9-]*$'
742
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
742
		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
743
                	do
743
                	do
744
			header_install
744
			header_install
745
			if [ $Lang == "fr" ]
745
			if [ $Lang == "fr" ]
746
			then 
746
			then 
747
				echo ""
747
				echo ""
748
				echo "Définissez un premier compte d'administration du portail :"
748
				echo "Définissez un premier compte d'administration du portail :"
749
				echo
749
				echo
750
				echo -n "Nom : "
750
				echo -n "Nom : "
751
			else
751
			else
752
				echo ""
752
				echo ""
753
				echo "Define the first account allow to administrate the portal :"
753
				echo "Define the first account allow to administrate the portal :"
754
				echo
754
				echo
755
				echo -n "Account : "
755
				echo -n "Account : "
756
			fi
756
			fi
757
			read admin_portal
757
			read admin_portal
758
			if [ "$admin_portal" == "" ]
758
			if [ "$admin_portal" == "" ]
759
				then
759
				then
760
				admin_portal=!
760
				admin_portal=!
761
			fi
761
			fi
762
			done
762
			done
763
# Creation of keys file for the admin account ("admin")
763
# Creation of keys file for the admin account ("admin")
764
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
764
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
765
		mkdir -p $DIR_DEST_ETC/digest
765
		mkdir -p $DIR_DEST_ETC/digest
766
		chmod 755 $DIR_DEST_ETC/digest
766
		chmod 755 $DIR_DEST_ETC/digest
767
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
767
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
768
			do
768
			do
769
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
769
				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin "ALCASAR Control Center (ACC)" $admin_portal
770
			done
770
			done
771
		$DIR_DEST_BIN/alcasar-profil.sh --list
771
		$DIR_DEST_BIN/alcasar-profil.sh --list
772
fi
772
fi
773
# ACC partitioning
773
# ACC partitioning
774
	rm -f /etc/httpd/conf/webapps.d/alcasar*
774
	rm -f /etc/httpd/conf/webapps.d/alcasar*
775
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
775
	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
776
<Directory $DIR_ACC>
776
<Directory $DIR_ACC>
777
	SSLRequireSSL
777
	SSLRequireSSL
778
	AllowOverride None
778
	AllowOverride None
779
	Order deny,allow
779
	Order deny,allow
780
	Deny from all
780
	Deny from all
781
	Allow from 127.0.0.1
781
	Allow from 127.0.0.1
782
	Allow from $PRIVATE_NETWORK_MASK
782
	Allow from $PRIVATE_NETWORK_MASK
783
	require valid-user
783
	require valid-user
784
	AuthType digest
784
	AuthType digest
785
	AuthName "ALCASAR Control Center (ACC)" 
785
	AuthName "ALCASAR Control Center (ACC)" 
786
	AuthDigestDomain $HOSTNAME.$DOMAIN
786
	AuthDigestDomain $HOSTNAME.$DOMAIN
787
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
787
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
788
	AuthUserFile $DIR_DEST_ETC/digest/key_all
788
	AuthUserFile $DIR_DEST_ETC/digest/key_all
789
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
789
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
790
</Directory>
790
</Directory>
791
<Directory $DIR_ACC/admin>
791
<Directory $DIR_ACC/admin>
792
	SSLRequireSSL
792
	SSLRequireSSL
793
	AllowOverride None
793
	AllowOverride None
794
	Order deny,allow
794
	Order deny,allow
795
	Deny from all
795
	Deny from all
796
	Allow from 127.0.0.1
796
	Allow from 127.0.0.1
797
	Allow from $PRIVATE_NETWORK_MASK
797
	Allow from $PRIVATE_NETWORK_MASK
798
	require valid-user
798
	require valid-user
799
	AuthType digest
799
	AuthType digest
800
	AuthName "ALCASAR Control Center (ACC)" 
800
	AuthName "ALCASAR Control Center (ACC)" 
801
	AuthDigestDomain $HOSTNAME.$DOMAIN
801
	AuthDigestDomain $HOSTNAME.$DOMAIN
802
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
802
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
803
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
803
	AuthUserFile $DIR_DEST_ETC/digest/key_admin
804
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
804
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
805
</Directory>
805
</Directory>
806
<Directory $DIR_ACC/manager>
806
<Directory $DIR_ACC/manager>
807
	SSLRequireSSL
807
	SSLRequireSSL
808
	AllowOverride None
808
	AllowOverride None
809
	Order deny,allow
809
	Order deny,allow
810
	Deny from all
810
	Deny from all
811
	Allow from 127.0.0.1
811
	Allow from 127.0.0.1
812
	Allow from $PRIVATE_NETWORK_MASK
812
	Allow from $PRIVATE_NETWORK_MASK
813
	require valid-user
813
	require valid-user
814
	AuthType digest
814
	AuthType digest
815
	AuthName "ALCASAR Control Center (ACC)" 
815
	AuthName "ALCASAR Control Center (ACC)" 
816
	AuthDigestDomain $HOSTNAME.$DOMAIN
816
	AuthDigestDomain $HOSTNAME.$DOMAIN
817
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
817
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
818
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
818
	AuthUserFile $DIR_DEST_ETC/digest/key_manager
819
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
819
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
820
</Directory>
820
</Directory>
821
<Directory $DIR_ACC/backup>
821
<Directory $DIR_ACC/backup>
822
	SSLRequireSSL
822
	SSLRequireSSL
823
	AllowOverride None
823
	AllowOverride None
824
	Order deny,allow
824
	Order deny,allow
825
	Deny from all
825
	Deny from all
826
	Allow from 127.0.0.1
826
	Allow from 127.0.0.1
827
	Allow from $PRIVATE_NETWORK_MASK
827
	Allow from $PRIVATE_NETWORK_MASK
828
	require valid-user
828
	require valid-user
829
	AuthType digest
829
	AuthType digest
830
	AuthName "ALCASAR Control Center (ACC)" 
830
	AuthName "ALCASAR Control Center (ACC)" 
831
	AuthDigestDomain $HOSTNAME.$DOMAIN
831
	AuthDigestDomain $HOSTNAME.$DOMAIN
832
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
832
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
833
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
833
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
834
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
834
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
835
</Directory>
835
</Directory>
836
Alias /save/ "$DIR_SAVE/"
836
Alias /save/ "$DIR_SAVE/"
837
<Directory $DIR_SAVE>
837
<Directory $DIR_SAVE>
838
	SSLRequireSSL
838
	SSLRequireSSL
839
	Options Indexes
839
	Options Indexes
840
	Order deny,allow
840
	Order deny,allow
841
	Deny from all
841
	Deny from all
842
	Allow from 127.0.0.1
842
	Allow from 127.0.0.1
843
	Allow from $PRIVATE_NETWORK_MASK
843
	Allow from $PRIVATE_NETWORK_MASK
844
	require valid-user
844
	require valid-user
845
	AuthType digest
845
	AuthType digest
846
	AuthName "ALCASAR Control Center (ACC)" 
846
	AuthName "ALCASAR Control Center (ACC)" 
847
	AuthDigestDomain $HOSTNAME.$DOMAIN
847
	AuthDigestDomain $HOSTNAME.$DOMAIN
848
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
848
	AuthUserFile $DIR_DEST_ETC/digest/key_backup
849
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
849
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
850
</Directory>
850
</Directory>
851
<Directory $DIR_WEB/pass>
851
<Directory $DIR_WEB/pass>
852
	SSLRequireSSL
852
	SSLRequireSSL
853
	AllowOverride None
853
	AllowOverride None
854
	Order deny,allow
854
	Order deny,allow
855
	Deny from all
855
	Deny from all
856
	Allow from 127.0.0.1
856
	Allow from 127.0.0.1
857
	Allow from $PRIVATE_NETWORK_MASK
857
	Allow from $PRIVATE_NETWORK_MASK
858
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
858
	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
859
</Directory>
859
</Directory>
860
EOF
860
EOF
861
# Replacement of the extension .cer by .der in MIME type
861
# Replacement of the extension .cer by .der in MIME type
862
$SED "s?^application/pkix-cert.*?application/pkix-cert		der?g" /etc/mime.types
862
$SED "s?^application/pkix-cert.*?application/pkix-cert		der?g" /etc/mime.types
863
# Launch after coova (in order to wait tun0 to be up)
863
# Launch after coova (in order to wait tun0 to be up)
864
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
864
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
865
} # End of ACC ()
865
} # End of ACC ()
866
 
866
 
867
##########################################################################
867
##########################################################################
868
##				Fonction "CA"				##
868
##				Fonction "CA"				##
869
## - Creating the CA and the server certificate (apache)	 	##
869
## - Creating the CA and the server certificate (apache)	 	##
870
##########################################################################
870
##########################################################################
871
CA ()
871
CA ()
872
{
872
{
873
	$DIR_DEST_BIN/alcasar-CA.sh
873
	$DIR_DEST_BIN/alcasar-CA.sh
874
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
874
	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
875
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
875
	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
876
	cat <<EOF > $FIC_VIRTUAL_SSL
876
	cat <<EOF > $FIC_VIRTUAL_SSL
877
# default SSL virtual host, used for all HTTPS requests that do not
877
# default SSL virtual host, used for all HTTPS requests that do not
878
# match a ServerName or ServerAlias in any <VirtualHost> block.
878
# match a ServerName or ServerAlias in any <VirtualHost> block.
879
 
879
 
880
<VirtualHost _default_:443>
880
<VirtualHost _default_:443>
881
# general configuration
881
# general configuration
882
    ServerAdmin root@localhost
882
    ServerAdmin root@localhost
883
    ServerName $HOSTNAME.$DOMAIN
883
    ServerName $HOSTNAME.$DOMAIN
884
 
884
 
885
# SSL configuration
885
# SSL configuration
886
    SSLEngine on
886
    SSLEngine on
887
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
887
    SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
888
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
888
    SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
889
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
889
    SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
890
    CustomLog logs/ssl_request_log \
890
    CustomLog logs/ssl_request_log \
891
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
891
	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
892
    ErrorLog logs/ssl_error_log
892
    ErrorLog logs/ssl_error_log
893
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
893
    ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
894
</VirtualHost>
894
</VirtualHost>
895
EOF
895
EOF
896
	chown -R root:apache /etc/pki
896
	chown -R root:apache /etc/pki
897
	chmod -R 750 /etc/pki
897
	chmod -R 750 /etc/pki
898
} # End of CA ()
898
} # End of CA ()
899
 
899
 
900
##################################################################
900
##################################################################
901
##			Function "time_server"			##
901
##			Function "time_server"			##
902
## - Configuring NTP server					##
902
## - Configuring NTP server					##
903
##################################################################
903
##################################################################
904
time_server ()
904
time_server ()
905
{
905
{
906
# Set the Internet time server
906
# Set the Internet time server
907
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
907
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
908
	cat <<EOF > /etc/ntp/step-tickers
908
	cat <<EOF > /etc/ntp/step-tickers
909
0.fr.pool.ntp.org	# adapt to your country
909
0.fr.pool.ntp.org	# adapt to your country
910
1.fr.pool.ntp.org
910
1.fr.pool.ntp.org
911
2.fr.pool.ntp.org
911
2.fr.pool.ntp.org
912
EOF
912
EOF
913
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
913
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
914
	cat <<EOF > /etc/ntp.conf
914
	cat <<EOF > /etc/ntp.conf
915
server 0.fr.pool.ntp.org	# adapt to your country
915
server 0.fr.pool.ntp.org	# adapt to your country
916
server 1.fr.pool.ntp.org
916
server 1.fr.pool.ntp.org
917
server 2.fr.pool.ntp.org
917
server 2.fr.pool.ntp.org
918
server 127.127.1.0   		# local clock si NTP internet indisponible ...
918
server 127.127.1.0   		# local clock si NTP internet indisponible ...
919
fudge 127.127.1.0 stratum 10
919
fudge 127.127.1.0 stratum 10
920
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
920
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
921
restrict 127.0.0.1
921
restrict 127.0.0.1
922
driftfile /var/lib/ntp/drift
922
driftfile /var/lib/ntp/drift
923
logfile /var/log/ntp.log
923
logfile /var/log/ntp.log
924
disable monitor
924
disable monitor
925
EOF
925
EOF
926
	chown -R ntp:ntp /var/lib/ntp
926
	chown -R ntp:ntp /var/lib/ntp
927
# Synchronize now
927
# Synchronize now
928
	ntpd -q -g &
928
	ntpd -q -g &
929
} # End of time_server ()
929
} # End of time_server ()
930
 
930
 
931
##########################################################################################
931
##########################################################################################
932
##			Fonction "init_db"						##
932
##			Fonction "init_db"						##
933
## - Initialisation de la base Mysql							##
933
## - Initialisation de la base Mysql							##
934
## - Affectation du mot de passe de l'administrateur (root)				##
934
## - Affectation du mot de passe de l'administrateur (root)				##
935
## - Suppression des bases et des utilisateurs superflus				##
935
## - Suppression des bases et des utilisateurs superflus				##
936
## - Création de la base 'radius'							##
936
## - Création de la base 'radius'							##
937
## - Installation du schéma de cette base						##
937
## - Installation du schéma de cette base						##
938
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
938
## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##
939
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
939
##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##
940
##########################################################################################
940
##########################################################################################
941
init_db ()
941
init_db ()
942
{
942
{
943
	if [ `systemctl is-active mysqld` == "active" ]
943
	if [ `systemctl is-active mysqld` == "active" ]
944
	then
944
	then
945
		systemctl stop mysqld
945
		systemctl stop mysqld
946
	fi
946
	fi
947
	rm -rf /var/lib/mysql # to be sure that there is no former installation
947
	rm -rf /var/lib/mysql # to be sure that there is no former installation
948
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
948
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
949
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
949
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
950
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
950
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
951
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
951
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
952
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
952
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
953
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
953
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
954
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
954
	$SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
955
	/usr/bin/systemctl start mysqld.service
955
	/usr/bin/systemctl start mysqld.service
956
	nb_round=1
956
	nb_round=1
957
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
957
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
958
	do
958
	do
959
		nb_round=`expr $nb_round + 1`
959
		nb_round=`expr $nb_round + 1`
960
		sleep 2
960
		sleep 2
961
	done
961
	done
962
	if [ ! -S /var/lib/mysql/mysql.sock ]
962
	if [ ! -S /var/lib/mysql/mysql.sock ]
963
	then
963
	then
964
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
964
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
965
		exit
965
		exit
966
	fi
966
	fi
967
	mysqladmin -u root password $mysqlpwd
967
	mysqladmin -u root password $mysqlpwd
968
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
968
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
969
# Secure the server
969
# Secure the server
970
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
970
	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
971
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
971
	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 
972
# Create 'radius' database
972
# Create 'radius' database
973
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
973
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
974
# Add an empty radius database structure
974
# Add an empty radius database structure
975
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
975
	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
976
# modify the start script in order to close accounting connexion when the system is comming down or up
976
# modify the start script in order to close accounting connexion when the system is comming down or up
977
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
977
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
978
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
978
	$SED "/ExecStartPost=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
979
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
979
	$SED "/ExecStartPost=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
980
	/usr/bin/systemctl daemon-reload
980
	/usr/bin/systemctl daemon-reload
981
} # End of init_db ()
981
} # End of init_db ()
982
 
982
 
983
##########################################################################
983
##########################################################################
984
##			Fonction "radius"				##
984
##			Fonction "radius"				##
985
## - Paramètrage des fichiers de configuration FreeRadius		##
985
## - Paramètrage des fichiers de configuration FreeRadius		##
986
## - Affectation du secret partagé entre coova-chilli et freeradius	##
986
## - Affectation du secret partagé entre coova-chilli et freeradius	##
987
## - Modification de fichier de conf pour l'accès à Mysql		##
987
## - Modification de fichier de conf pour l'accès à Mysql		##
988
##########################################################################
988
##########################################################################
989
radius ()
989
radius ()
990
{
990
{
991
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
991
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
992
	chown -R radius:radius /etc/raddb
992
	chown -R radius:radius /etc/raddb
993
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
993
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
994
# Set radius.conf parameters
994
# Set radius.conf parameters
995
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
995
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
996
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
996
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
997
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
997
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
998
# remove the proxy function
998
# remove the proxy function
999
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
999
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf
1000
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1000
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1001
# remove EAP module
1001
# remove EAP module
1002
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1002
	$SED "s?^[\t ]*\$INCLUDE eap.conf.*?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1003
# listen on loopback (should be modified later if EAP enabled)
1003
# listen on loopback (should be modified later if EAP enabled)
1004
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1004
	$SED "s?^[\t ]*ipaddr =.*?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1005
# enable the  SQL module (and SQL counter)
1005
# enable the  SQL module (and SQL counter)
1006
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
1006
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
1007
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1007
	$SED "s?^[\t ]*#[\t ]*\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
1008
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1008
	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1009
# only include modules for ALCASAR needs
1009
# only include modules for ALCASAR needs
1010
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1010
	$SED "s?^[\t ]*\$INCLUDE \${confdir}/modules/.*?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
1011
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
1011
	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
1012
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
1012
	$SED "s?^[\t ]*expr.*?\#\texpr?g" /etc/raddb/radiusd.conf
1013
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
1013
	$SED "s?^[\t ]*\#	daily.*?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
1014
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
1014
	$SED "s?^[\t ]*logintime.*?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
1015
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1015
	$SED "s?^[\t ]*\$INCLUDE sites-enabled/.*?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1016
# remvove virtual server and copy our conf file
1016
# remvove virtual server and copy our conf file
1017
	rm -f /etc/raddb/sites-enabled/*
1017
	rm -f /etc/raddb/sites-enabled/*
1018
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1018
       	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1019
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1019
	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
1020
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1020
	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
1021
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1021
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
1022
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1022
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1023
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1023
# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1024
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1024
	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1025
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1025
# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1026
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1026
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1027
	cat << EOF > /etc/raddb/clients.conf
1027
	cat << EOF > /etc/raddb/clients.conf
1028
client 127.0.0.1 {
1028
client 127.0.0.1 {
1029
	secret = $secretradius
1029
	secret = $secretradius
1030
	shortname = localhost
1030
	shortname = localhost
1031
}
1031
}
1032
EOF
1032
EOF
1033
# sql.conf modification
1033
# sql.conf modification
1034
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1034
	[ -e /etc/raddb/sql.conf.default ] || cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
1035
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1035
	$SED "s?^[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
1036
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1036
	$SED "s?^[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
1037
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1037
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
1038
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1038
	$SED "s?^[\t ]*sqltrace =.*?sqltrace = no?g" /etc/raddb/sql.conf
1039
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1039
# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.) 
1040
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1040
	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] || cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1041
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1041
	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1042
# counter.conf modification (change the Max-All-Session-Time counter)
1042
# counter.conf modification (change the Max-All-Session-Time counter)
1043
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1043
	[ -e /etc/raddb/sql/mysql/counter.conf.default ] || cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
1044
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1044
	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
1045
	chown -R radius:radius /etc/raddb/sql/mysql/*
1045
	chown -R radius:radius /etc/raddb/sql/mysql/*
1046
# make certain that mysql is up before radius start
1046
# make certain that mysql is up before radius start
1047
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1047
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1048
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1048
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1049
	/usr/bin/systemctl daemon-reload
1049
	/usr/bin/systemctl daemon-reload
1050
} # End radius ()
1050
} # End radius ()
1051
 
1051
 
1052
##################################################################################
1052
##################################################################################
1053
##			Fonction "chilli"					##
1053
##			Fonction "chilli"					##
1054
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1054
## - Création du fichier d'initialisation et de configuration de coova-chilli	##
1055
## - Paramètrage de la page d'authentification (intercept.php)			##
1055
## - Paramètrage de la page d'authentification (intercept.php)			##
1056
##################################################################################
1056
##################################################################################
1057
chilli ()
1057
chilli ()
1058
{
1058
{
1059
# chilli unit for systemd
1059
# chilli unit for systemd
1060
cat << EOF > /lib/systemd/system/chilli.service
1060
cat << EOF > /lib/systemd/system/chilli.service
1061
#  This file is part of systemd.
1061
#  This file is part of systemd.
1062
#
1062
#
1063
#  systemd is free software; you can redistribute it and/or modify it
1063
#  systemd is free software; you can redistribute it and/or modify it
1064
#  under the terms of the GNU General Public License as published by
1064
#  under the terms of the GNU General Public License as published by
1065
#  the Free Software Foundation; either version 2 of the License, or
1065
#  the Free Software Foundation; either version 2 of the License, or
1066
#  (at your option) any later version.
1066
#  (at your option) any later version.
1067
[Unit]
1067
[Unit]
1068
Description=chilli is a captive portal daemon
1068
Description=chilli is a captive portal daemon
1069
After=network.target
1069
After=network.target
1070
 
1070
 
1071
[Service]
1071
[Service]
1072
Type=forking
1072
Type=forking
1073
ExecStart=/usr/libexec/chilli start
1073
ExecStart=/usr/libexec/chilli start
1074
ExecStop=/usr/libexec/chilli stop
1074
ExecStop=/usr/libexec/chilli stop
1075
ExecReload=/usr/libexec/chilli reload
1075
ExecReload=/usr/libexec/chilli reload
1076
PIDFile=/var/run/chilli.pid
1076
PIDFile=/var/run/chilli.pid
1077
 
1077
 
1078
[Install]
1078
[Install]
1079
WantedBy=multi-user.target
1079
WantedBy=multi-user.target
1080
EOF
1080
EOF
1081
# init file creation
1081
# init file creation
1082
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1082
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1083
	cat <<EOF > /etc/init.d/chilli
1083
	cat <<EOF > /etc/init.d/chilli
1084
#!/bin/sh
1084
#!/bin/sh
1085
#
1085
#
1086
# chilli CoovaChilli init
1086
# chilli CoovaChilli init
1087
#
1087
#
1088
# chkconfig: 2345 65 35
1088
# chkconfig: 2345 65 35
1089
# description: CoovaChilli
1089
# description: CoovaChilli
1090
### BEGIN INIT INFO
1090
### BEGIN INIT INFO
1091
# Provides:       chilli
1091
# Provides:       chilli
1092
# Required-Start: network 
1092
# Required-Start: network 
1093
# Should-Start: 
1093
# Should-Start: 
1094
# Required-Stop:  network
1094
# Required-Stop:  network
1095
# Should-Stop: 
1095
# Should-Stop: 
1096
# Default-Start:  2 3 5
1096
# Default-Start:  2 3 5
1097
# Default-Stop:
1097
# Default-Stop:
1098
# Description:    CoovaChilli access controller
1098
# Description:    CoovaChilli access controller
1099
### END INIT INFO
1099
### END INIT INFO
1100
 
1100
 
1101
[ -f /usr/sbin/chilli ] || exit 0
1101
[ -f /usr/sbin/chilli ] || exit 0
1102
. /etc/init.d/functions
1102
. /etc/init.d/functions
1103
CONFIG=/etc/chilli.conf
1103
CONFIG=/etc/chilli.conf
1104
pidfile=/var/run/chilli.pid
1104
pidfile=/var/run/chilli.pid
1105
[ -f \$CONFIG ] || {
1105
[ -f \$CONFIG ] || {
1106
    echo "\$CONFIG Not found"
1106
    echo "\$CONFIG Not found"
1107
    exit 0
1107
    exit 0
1108
}
1108
}
1109
RETVAL=0
1109
RETVAL=0
1110
prog="chilli"
1110
prog="chilli"
1111
case \$1 in
1111
case \$1 in
1112
    start)
1112
    start)
1113
	if [ -f \$pidfile ] ; then 
1113
	if [ -f \$pidfile ] ; then 
1114
		gprintf "chilli is already running"
1114
		gprintf "chilli is already running"
1115
	else
1115
	else
1116
        	gprintf "Starting \$prog: "
1116
        	gprintf "Starting \$prog: "
1117
		rm -f /var/run/chilli* # cleaning
1117
		rm -f /var/run/chilli* # cleaning
1118
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1118
        	/usr/sbin/modprobe tun >/dev/null 2>&1
1119
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1119
        	echo 1 > /proc/sys/net/ipv4/ip_forward
1120
		[ -e /dev/net/tun ] || {
1120
		[ -e /dev/net/tun ] || {
1121
	    	(cd /dev; 
1121
	    	(cd /dev; 
1122
			mkdir net; 
1122
			mkdir net; 
1123
			cd net; 
1123
			cd net; 
1124
			mknod tun c 10 200)
1124
			mknod tun c 10 200)
1125
		}
1125
		}
1126
		ifconfig $INTIF 0.0.0.0
1126
		ifconfig $INTIF 0.0.0.0
1127
		/usr/sbin/ethtool -K $INTIF gro off
1127
		/usr/sbin/ethtool -K $INTIF gro off
1128
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1128
		daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1129
        	RETVAL=$?
1129
        	RETVAL=$?
1130
	fi
1130
	fi
1131
	;;
1131
	;;
1132
 
1132
 
1133
    reload)
1133
    reload)
1134
	killall -HUP chilli
1134
	killall -HUP chilli
1135
	;;
1135
	;;
1136
 
1136
 
1137
    restart)
1137
    restart)
1138
	\$0 stop
1138
	\$0 stop
1139
        sleep 2
1139
        sleep 2
1140
	\$0 start
1140
	\$0 start
1141
	;;
1141
	;;
1142
    
1142
    
1143
    status)
1143
    status)
1144
        status chilli
1144
        status chilli
1145
        RETVAL=0
1145
        RETVAL=0
1146
        ;;
1146
        ;;
1147
 
1147
 
1148
    stop)
1148
    stop)
1149
	if [ -f \$pidfile ] ; then  
1149
	if [ -f \$pidfile ] ; then  
1150
        	gprintf "Shutting down \$prog: "
1150
        	gprintf "Shutting down \$prog: "
1151
		killproc /usr/sbin/chilli
1151
		killproc /usr/sbin/chilli
1152
		RETVAL=\$?
1152
		RETVAL=\$?
1153
		[ \$RETVAL = 0 ] && rm -f $pidfile
1153
		[ \$RETVAL = 0 ] && rm -f $pidfile
1154
	else	
1154
	else	
1155
        	gprintf "chilli is not running"
1155
        	gprintf "chilli is not running"
1156
	fi
1156
	fi
1157
	;;
1157
	;;
1158
    
1158
    
1159
    *)
1159
    *)
1160
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1160
        echo "Usage: \$0 {start|stop|restart|reload|status}"
1161
        exit 1
1161
        exit 1
1162
esac
1162
esac
1163
echo
1163
echo
1164
EOF
1164
EOF
1165
chmod a+x /etc/init.d/chilli
1165
chmod a+x /etc/init.d/chilli
1166
ln -s /etc/init.d/chilli /usr/libexec/chilli
1166
ln -s /etc/init.d/chilli /usr/libexec/chilli
1167
# conf file creation
1167
# conf file creation
1168
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1168
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1169
	#NTP Option configuration for DHCP
1169
	#NTP Option configuration for DHCP
1170
	#DHCP Options : rfc2132
1170
	#DHCP Options : rfc2132
1171
		#dhcp option value will be convert in hexa.
1171
		#dhcp option value will be convert in hexa.
1172
		#NTP option (or 'option 42') is like :
1172
		#NTP option (or 'option 42') is like :
1173
		#			
1173
		#			
1174
		#    Code   Len         Address 1               Address 2
1174
		#    Code   Len         Address 1               Address 2
1175
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1175
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1176
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1176
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1177
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1177
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1178
		#
1178
		#
1179
		#Code : 42 => 2a
1179
		#Code : 42 => 2a
1180
		#Len : 4 => 04
1180
		#Len : 4 => 04
1181
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1181
	PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1182
	cat <<EOF > /etc/chilli.conf
1182
	cat <<EOF > /etc/chilli.conf
1183
# coova config for ALCASAR
1183
# coova config for ALCASAR
1184
cmdsocket	/var/run/chilli.sock
1184
cmdsocket	/var/run/chilli.sock
1185
unixipc		chilli.$INTIF.ipc
1185
unixipc		chilli.$INTIF.ipc
1186
pidfile		/var/run/chilli.pid
1186
pidfile		/var/run/chilli.pid
1187
net		$PRIVATE_NETWORK_MASK
1187
net		$PRIVATE_NETWORK_MASK
1188
dhcpif		$INTIF
1188
dhcpif		$INTIF
1189
ethers		$DIR_DEST_ETC/alcasar-ethers
1189
ethers		$DIR_DEST_ETC/alcasar-ethers
1190
#nodynip
1190
#nodynip
1191
#statip
1191
#statip
1192
dynip		$PRIVATE_NETWORK_MASK
1192
dynip		$PRIVATE_NETWORK_MASK
1193
domain		$DOMAIN
1193
domain		$DOMAIN
1194
dns1		$PRIVATE_IP
1194
dns1		$PRIVATE_IP
1195
dns2		$PRIVATE_IP
1195
dns2		$PRIVATE_IP
1196
uamlisten	$PRIVATE_IP
1196
uamlisten	$PRIVATE_IP
1197
uamport		3990
1197
uamport		3990
1198
macauth
1198
macauth
1199
macpasswd	password
1199
macpasswd	password
1200
strictmacauth
1200
strictmacauth
1201
locationname	$HOSTNAME.$DOMAIN
1201
locationname	$HOSTNAME.$DOMAIN
1202
radiusserver1	127.0.0.1
1202
radiusserver1	127.0.0.1
1203
radiusserver2	127.0.0.1
1203
radiusserver2	127.0.0.1
1204
radiussecret	$secretradius
1204
radiussecret	$secretradius
1205
radiusauthport	1812
1205
radiusauthport	1812
1206
radiusacctport	1813
1206
radiusacctport	1813
1207
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1207
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1208
radiusnasid	$HOSTNAME.$DOMAIN
1208
radiusnasid	$HOSTNAME.$DOMAIN
1209
uamsecret	$secretuam
1209
uamsecret	$secretuam
1210
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1210
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1211
coaport		3799
1211
coaport		3799
1212
conup		$DIR_DEST_BIN/alcasar-conup.sh
1212
conup		$DIR_DEST_BIN/alcasar-conup.sh
1213
condown		$DIR_DEST_BIN/alcasar-condown.sh
1213
condown		$DIR_DEST_BIN/alcasar-condown.sh
1214
include		$DIR_DEST_ETC/alcasar-uamallowed
1214
include		$DIR_DEST_ETC/alcasar-uamallowed
1215
include		$DIR_DEST_ETC/alcasar-uamdomain
1215
include		$DIR_DEST_ETC/alcasar-uamdomain
1216
dhcpopt		2a04$PRIVATE_IP_HEXA
1216
dhcpopt		2a04$PRIVATE_IP_HEXA
1217
macup		$DIR_DEST_BIN/alcasar-macup.sh
1217
macup		$DIR_DEST_BIN/alcasar-macup.sh
1218
macdown		$DIR_DEST_BIN/alcasar-macdown.sh
1218
macdown		$DIR_DEST_BIN/alcasar-macdown.sh
1219
#dhcpgateway		none
1219
#dhcpgateway		none
1220
#dhcprelayagent		none
1220
#dhcprelayagent		none
1221
#dhcpgatewayport	none
1221
#dhcpgatewayport	none
1222
EOF
1222
EOF
1223
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1223
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
1224
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1224
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1225
# create files for trusted domains and urls
1225
# create files for trusted domains and urls
1226
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1226
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1227
	chown root:apache $DIR_DEST_ETC/alcasar-*
1227
	chown root:apache $DIR_DEST_ETC/alcasar-*
1228
	chmod 660 $DIR_DEST_ETC/alcasar-*
1228
	chmod 660 $DIR_DEST_ETC/alcasar-*
1229
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1229
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1230
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1230
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1231
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1231
	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
1232
# user 'chilli' creation (in order to run conup/off and up/down scripts
1232
# user 'chilli' creation (in order to run conup/off and up/down scripts
1233
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1233
	chilli_exist=`grep chilli /etc/passwd|wc -l`
1234
	if [ "$chilli_exist" == "1" ]
1234
	if [ "$chilli_exist" == "1" ]
1235
	then
1235
	then
1236
	      userdel -r chilli 2>/dev/null
1236
	      userdel -r chilli 2>/dev/null
1237
	fi
1237
	fi
1238
	groupadd -f chilli
1238
	groupadd -f chilli
1239
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1239
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1240
}  # End of chilli ()
1240
}  # End of chilli ()
1241
 
1241
 
1242
##################################################################
1242
##################################################################
1243
##		Fonction "dansguardian"				##
1243
##		Fonction "dansguardian"				##
1244
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1244
## - Paramètrage du gestionnaire de contenu Dansguardian	##
1245
##################################################################
1245
##################################################################
1246
dansguardian ()
1246
dansguardian ()
1247
{
1247
{
1248
	mkdir -p /var/dansguardian /var/log/dansguardian
1248
	mkdir -p /var/dansguardian /var/log/dansguardian
1249
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1249
	chown -R dansguardian /var/dansguardian /var/log/dansguardian
1250
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1250
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1251
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1251
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
1252
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1252
	[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1253
# By default the filter is off 
1253
# By default the filter is off 
1254
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1254
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1255
# French deny HTML page
1255
# French deny HTML page
1256
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1256
	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1257
# Listen only on LAN side
1257
# Listen only on LAN side
1258
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1258
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1259
# DG send its flow to HAVP
1259
# DG send its flow to HAVP
1260
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1260
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1261
# replace the default deny HTML page
1261
# replace the default deny HTML page
1262
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1262
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
1263
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1263
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1264
# Don't log
1264
# Don't log
1265
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1265
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
1266
# on désactive par défaut le controle de contenu des pages html
1266
# on désactive par défaut le controle de contenu des pages html
1267
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1267
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
1268
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1268
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1269
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1269
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1270
# on désactive par défaut le contrôle d'URL par expressions régulières
1270
# on désactive par défaut le contrôle d'URL par expressions régulières
1271
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1271
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1272
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1272
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1273
 
1273
 
1274
# Configure Dansguardian for large site
1274
# Configure Dansguardian for large site
1275
# Minimum number of processus to handle connections
1275
# Minimum number of processus to handle connections
1276
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1276
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
1277
# Maximum number of processus to handle connections
1277
# Maximum number of processus to handle connections
1278
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1278
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
1279
# Run at least 8 daemons
1279
# Run at least 8 daemons
1280
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1280
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
1281
# minimum number of processes to spawn
1281
# minimum number of processes to spawn
1282
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1282
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
1283
# maximum age of a child process before it croaks it
1283
# maximum age of a child process before it croaks it
1284
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1284
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
1285
	
1285
	
1286
# on désactive par défaut le contrôle de téléchargement de fichiers
1286
# on désactive par défaut le contrôle de téléchargement de fichiers
1287
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1287
	[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
1288
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1288
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
1289
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1289
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1290
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1290
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1291
	touch $DIR_DG/lists/bannedextensionlist
1291
	touch $DIR_DG/lists/bannedextensionlist
1292
	touch $DIR_DG/lists/bannedmimetypelist
1292
	touch $DIR_DG/lists/bannedmimetypelist
1293
# 'Safesearch' regex actualisation
1293
# 'Safesearch' regex actualisation
1294
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1294
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1295
# empty LAN IP list that won't be WEB filtered
1295
# empty LAN IP list that won't be WEB filtered
1296
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1296
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1297
	touch $DIR_DG/lists/exceptioniplist
1297
	touch $DIR_DG/lists/exceptioniplist
1298
# Keep a copy of URL & domain filter configuration files
1298
# Keep a copy of URL & domain filter configuration files
1299
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1299
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1300
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1300
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1301
} # End of dansguardian ()
1301
} # End of dansguardian ()
1302
 
1302
 
1303
##################################################################
1303
##################################################################
1304
##			Fonction "antivirus"			##
1304
##			Fonction "antivirus"			##
1305
## - configuration of havp, libclamav and freshclam		##
1305
## - configuration of havp, libclamav and freshclam		##
1306
##################################################################
1306
##################################################################
1307
antivirus ()		
1307
antivirus ()		
1308
{
1308
{
1309
# create 'havp' user
1309
# create 'havp' user
1310
	havp_exist=`grep havp /etc/passwd|wc -l`
1310
	havp_exist=`grep havp /etc/passwd|wc -l`
1311
	if [ "$havp_exist" == "1" ]
1311
	if [ "$havp_exist" == "1" ]
1312
	then
1312
	then
1313
	      userdel -r havp 2>/dev/null
1313
	      userdel -r havp 2>/dev/null
1314
	      groupdel havp 2>/dev/null
1314
	      groupdel havp 2>/dev/null
1315
	fi
1315
	fi
1316
	groupadd -f havp
1316
	groupadd -f havp
1317
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1317
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1318
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1318
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1319
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1319
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1320
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1320
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1321
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1321
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1322
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1322
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1323
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1323
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1324
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1324
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1325
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1325
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1326
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1326
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1327
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1327
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1328
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1328
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1329
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1329
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1330
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1330
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1331
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1331
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1332
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1332
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1333
# skip checking of youtube flow (too heavy load / risk too low)
1333
# skip checking of youtube flow (too heavy load / risk too low)
1334
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1334
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1335
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1335
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1336
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1336
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1337
# adapt init script and systemd unit
1337
# adapt init script and systemd unit
1338
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1338
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1339
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1339
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1340
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1340
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1341
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1341
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1342
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1342
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1343
# replace of the intercept page (template)
1343
# replace of the intercept page (template)
1344
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1344
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1345
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1345
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1346
# update virus database every 4 hours (24h/6)
1346
# update virus database every 4 hours (24h/6)
1347
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1347
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1348
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1348
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1349
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1349
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1350
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1350
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1351
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1351
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1352
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1352
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1353
# update now
1353
# update now
1354
	/usr/bin/freshclam --no-warnings
1354
	/usr/bin/freshclam --no-warnings
1355
} # End of antivirus ()
1355
} # End of antivirus ()
1356
 
1356
 
1357
##########################################################################
1357
##########################################################################
1358
##			Fonction "tinyproxy"				##
1358
##			Fonction "tinyproxy"				##
1359
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1359
## - configuration of tinyproxy (proxy between filterde users and havp)	##
1360
##########################################################################
1360
##########################################################################
1361
tinyproxy ()		
1361
tinyproxy ()		
1362
{
1362
{
1363
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1363
	tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
1364
	if [ "$tinyproxy_exist" == "1" ]
1364
	if [ "$tinyproxy_exist" == "1" ]
1365
	then
1365
	then
1366
	      userdel -r tinyproxy 2>/dev/null
1366
	      userdel -r tinyproxy 2>/dev/null
1367
	      groupdel tinyproxy 2>/dev/null
1367
	      groupdel tinyproxy 2>/dev/null
1368
	fi
1368
	fi
1369
	groupadd -f tinyproxy
1369
	groupadd -f tinyproxy
1370
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1370
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1371
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1371
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1372
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1372
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1373
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1373
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1374
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1374
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1375
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1375
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1376
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1376
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1377
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1377
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1378
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1378
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1379
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1379
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1380
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1380
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1381
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1381
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1382
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1382
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1383
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1383
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1384
# Create the systemd unit
1384
# Create the systemd unit
1385
cat << EOF > /lib/systemd/system/tinyproxy.service
1385
cat << EOF > /lib/systemd/system/tinyproxy.service
1386
#  This file is part of systemd.
1386
#  This file is part of systemd.
1387
#
1387
#
1388
#  systemd is free software; you can redistribute it and/or modify it
1388
#  systemd is free software; you can redistribute it and/or modify it
1389
#  under the terms of the GNU General Public License as published by
1389
#  under the terms of the GNU General Public License as published by
1390
#  the Free Software Foundation; either version 2 of the License, or
1390
#  the Free Software Foundation; either version 2 of the License, or
1391
#  (at your option) any later version.
1391
#  (at your option) any later version.
1392
 
1392
 
1393
# This unit launches tinyproxy (a very light proxy).
1393
# This unit launches tinyproxy (a very light proxy).
1394
# The "sleep 2" is needed because the pid file isn't ready for systemd
1394
# The "sleep 2" is needed because the pid file isn't ready for systemd
1395
[Unit]
1395
[Unit]
1396
Description=Tinyproxy Web Proxy Server
1396
Description=Tinyproxy Web Proxy Server
1397
After=network.target iptables.service
1397
After=network.target iptables.service
1398
 
1398
 
1399
[Service]
1399
[Service]
1400
Type=forking
1400
Type=forking
1401
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1401
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1402
ExecStartPre=/bin/sleep 2
1402
ExecStartPre=/bin/sleep 2
1403
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1403
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1404
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1404
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1405
 
1405
 
1406
[Install]
1406
[Install]
1407
WantedBy=multi-user.target
1407
WantedBy=multi-user.target
1408
EOF
1408
EOF
1409
 
1409
 
1410
} # end of tinyproxy
1410
} # end of tinyproxy
1411
##################################################################################
1411
##################################################################################
1412
##			function "ulogd"					##
1412
##			function "ulogd"					##
1413
## - Ulog config for multi-log files 						##
1413
## - Ulog config for multi-log files 						##
1414
##################################################################################
1414
##################################################################################
1415
ulogd ()
1415
ulogd ()
1416
{
1416
{
1417
# Three instances of ulogd (three different logfiles)
1417
# Three instances of ulogd (three different logfiles)
1418
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1418
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1419
	nl=1
1419
	nl=1
1420
	for log_type in traceability ssh ext-access
1420
	for log_type in traceability ssh ext-access
1421
	do
1421
	do
1422
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1422
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1423
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1423
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1424
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1424
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1425
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1425
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1426
		cat << EOF >> /etc/ulogd-$log_type.conf
1426
		cat << EOF >> /etc/ulogd-$log_type.conf
1427
[emu1]
1427
[emu1]
1428
file="/var/log/firewall/$log_type.log"
1428
file="/var/log/firewall/$log_type.log"
1429
sync=1
1429
sync=1
1430
EOF
1430
EOF
1431
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1431
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1432
		nl=`expr $nl + 1`
1432
		nl=`expr $nl + 1`
1433
	done
1433
	done
1434
	chown -R root:apache /var/log/firewall
1434
	chown -R root:apache /var/log/firewall
1435
	chmod 750 /var/log/firewall
1435
	chmod 750 /var/log/firewall
1436
	chmod 640 /var/log/firewall/*
1436
	chmod 640 /var/log/firewall/*
1437
}  # End of ulogd ()
1437
}  # End of ulogd ()
1438
 
1438
 
1439
 
1439
 
1440
##########################################################
1440
##########################################################
1441
##              Function "nfsen"			##
1441
##              Function "nfsen"			##
1442
## - install the nfsen grapher				##
1442
## - install the nfsen grapher				##
1443
## - install the two plugins porttracker & surfmap	##
1443
## - install the two plugins porttracker & surfmap	##
1444
##########################################################
1444
##########################################################
1445
nfsen()
1445
nfsen()
1446
{
1446
{
1447
	tar xzf ./conf/nfsen/nfsen-1.3.8.tar.gz -C /tmp/
1447
	tar xzf ./conf/nfsen/nfsen-1.3.8.tar.gz -C /tmp/
1448
# Add PortTracker plugin
1448
# Add PortTracker plugin
1449
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1449
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1450
	do
1450
	do
1451
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1451
	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1452
	done
1452
	done
1453
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.8/contrib/PortTracker/PortTracker.pm
1453
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.8/contrib/PortTracker/PortTracker.pm
1454
# use of our conf file and init unit
1454
# use of our conf file and init unit
1455
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.8/etc/
1455
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.8/etc/
1456
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1456
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1457
	DirTmp=$(pwd)
1457
	DirTmp=$(pwd)
1458
	cd /tmp/nfsen-1.3.8/
1458
	cd /tmp/nfsen-1.3.8/
1459
	/usr/bin/perl install.pl etc/nfsen.conf
1459
	/usr/bin/perl install.pl etc/nfsen.conf
1460
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1460
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1461
# Create RRD DB for porttracker (only in it still doesn't exist)
1461
# Create RRD DB for porttracker (only in it still doesn't exist)
1462
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1462
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1463
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1463
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1464
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1464
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1465
	chmod -R 770 /var/log/netflow/porttracker
1465
	chmod -R 770 /var/log/netflow/porttracker
1466
# nfsen unit for systemd
1466
# nfsen unit for systemd
1467
cat << EOF > /lib/systemd/system/nfsen.service
1467
cat << EOF > /lib/systemd/system/nfsen.service
1468
#  This file is part of systemd.
1468
#  This file is part of systemd.
1469
#
1469
#
1470
#  systemd is free software; you can redistribute it and/or modify it
1470
#  systemd is free software; you can redistribute it and/or modify it
1471
#  under the terms of the GNU General Public License as published by
1471
#  under the terms of the GNU General Public License as published by
1472
#  the Free Software Foundation; either version 2 of the License, or
1472
#  the Free Software Foundation; either version 2 of the License, or
1473
#  (at your option) any later version.
1473
#  (at your option) any later version.
1474
 
1474
 
1475
# This unit launches nfsen (a Netflow grapher).
1475
# This unit launches nfsen (a Netflow grapher).
1476
[Unit]
1476
[Unit]
1477
Description= NfSen init script
1477
Description= NfSen init script
1478
After=network.target iptables.service
1478
After=network.target iptables.service
1479
 
1479
 
1480
[Service]
1480
[Service]
1481
Type=oneshot
1481
Type=oneshot
1482
RemainAfterExit=yes
1482
RemainAfterExit=yes
1483
PIDFile=/var/run/nfsen/nfsen.pid
1483
PIDFile=/var/run/nfsen/nfsen.pid
1484
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1484
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1485
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1485
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1486
ExecStart=/usr/bin/nfsen start 
1486
ExecStart=/usr/bin/nfsen start 
1487
ExecStop=/usr/bin/nfsen stop
1487
ExecStop=/usr/bin/nfsen stop
1488
ExecReload=/usr/bin/nfsen restart
1488
ExecReload=/usr/bin/nfsen restart
1489
TimeoutSec=0
1489
TimeoutSec=0
1490
 
1490
 
1491
[Install]
1491
[Install]
1492
WantedBy=multi-user.target
1492
WantedBy=multi-user.target
1493
EOF
1493
EOF
1494
# Add the listen port to collect netflow packet (nfcapd)
1494
# Add the listen port to collect netflow packet (nfcapd)
1495
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1495
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm 
1496
# expire delay for the profile "live"
1496
# expire delay for the profile "live"
1497
	/usr/bin/systemctl start nfsen
1497
	/usr/bin/systemctl start nfsen
1498
	/bin/nfsen -m live -e 62d 2>/dev/null
1498
	/bin/nfsen -m live -e 62d 2>/dev/null
1499
# add SURFmap plugin
1499
# add SURFmap plugin
1500
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1500
	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1501
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1501
	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1502
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1502
	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1503
	cd /tmp/
1503
	cd /tmp/
1504
	/usr/bin/sh SURFmap/install.sh
1504
	/usr/bin/sh SURFmap/install.sh
1505
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1505
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1506
# clear the installation
1506
# clear the installation
1507
	cd $DirTmp
1507
	cd $DirTmp
1508
	rm -rf /tmp/nfsen*
1508
	rm -rf /tmp/nfsen*
1509
	rm -rf /tmp/SURFmap*
1509
	rm -rf /tmp/SURFmap*
1510
} # End of nfsen ()
1510
} # End of nfsen ()
1511
 
1511
 
1512
##################################################
1512
##################################################
1513
##		Function "vnstat"		##
1513
##		Function "vnstat"		##
1514
## Initialization of Vnstat and vnstat phpFE    ##
1514
## Initialization of Vnstat and vnstat phpFE    ##
1515
##################################################
1515
##################################################
1516
vnstat ()
1516
vnstat ()
1517
{
1517
{
1518
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1518
	 [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1519
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1519
	 $SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1520
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1520
	 [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1521
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1521
	 $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
1522
	/usr/bin/vnstat -u -i $EXTIF
1522
	/usr/bin/vnstat -u -i $EXTIF
1523
} # End of vnstat	
1523
} # End of vnstat	
1524
##################################################
1524
##################################################
1525
##		Function "dnsmasq"		##
1525
##		Function "dnsmasq"		##
1526
##################################################
1526
##################################################
1527
dnsmasq ()
1527
dnsmasq ()
1528
{
1528
{
1529
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1529
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1530
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1530
	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1531
#	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1531
#	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
1532
	$SED "s?^.*OPTIONS=.*?#OPTIONS=\"--log-async=250 --log-queries --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq # General Options for dnslog or debugging
1532
	$SED "s?^.*OPTIONS=.*?#OPTIONS=\"--log-async=250 --log-queries --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq # General Options for dnslog or debugging
1533
	$SED "s?^local=.*?local=/$DOMAIN/?g" $DIR_DEST_ETC/alcasar-dns-name # default domain name for all dnsmasq daemons
1533
	$SED "s?^local=.*?local=/$DOMAIN/?g" $DIR_DEST_ETC/alcasar-dns-name # default domain name for all dnsmasq daemons
1534
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1534
	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1535
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1535
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
1536
	cat << EOF > /etc/dnsmasq.conf
1536
	cat << EOF > /etc/dnsmasq.conf
1537
# Configuration file for "dnsmasq in forward mode"
1537
# Configuration file for "dnsmasq in forward mode"
1538
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1538
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1539
listen-address=$PRIVATE_IP
1539
listen-address=$PRIVATE_IP
1540
pid-file=/var/run/dnsmasq.pid
1540
pid-file=/var/run/dnsmasq.pid
1541
listen-address=127.0.0.1
1541
listen-address=127.0.0.1
1542
no-dhcp-interface=$INTIF
1542
no-dhcp-interface=$INTIF
1543
no-dhcp-interface=tun0
1543
no-dhcp-interface=tun0
1544
no-dhcp-interface=lo
1544
no-dhcp-interface=lo
1545
bind-interfaces
1545
bind-interfaces
1546
cache-size=2048
1546
cache-size=2048
1547
domain-needed
1547
domain-needed
1548
expand-hosts
1548
expand-hosts
1549
bogus-priv
1549
bogus-priv
1550
filterwin2k
1550
filterwin2k
1551
server=$DNS1
1551
server=$DNS1
1552
server=$DNS2
1552
server=$DNS2
1553
# DHCP service is configured. It will be enabled in "bypass" mode
1553
# DHCP service is configured. It will be enabled in "bypass" mode
1554
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1554
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
1555
#dhcp-option=option:router,$PRIVATE_IP
1555
#dhcp-option=option:router,$PRIVATE_IP
1556
#dhcp-option=option:ntp-server,$PRIVATE_IP
1556
#dhcp-option=option:ntp-server,$PRIVATE_IP
1557
#domain=$DOMAIN
1557
#domain=$DOMAIN
1558
 
1558
 
1559
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1559
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
1560
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1560
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
1561
EOF
1561
EOF
1562
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1562
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
1563
	cat << EOF > /etc/dnsmasq-blacklist.conf
1563
	cat << EOF > /etc/dnsmasq-blacklist.conf
1564
# Configuration file for "dnsmasq with blacklist"
1564
# Configuration file for "dnsmasq with blacklist"
1565
# Add Toulouse University blacklist domains
1565
# Add Toulouse University blacklist domains
1566
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1566
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1567
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1567
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1568
pid-file=/var/run/dnsmasq-blacklist.pid
1568
pid-file=/var/run/dnsmasq-blacklist.pid
1569
listen-address=$PRIVATE_IP
1569
listen-address=$PRIVATE_IP
1570
port=54
1570
port=54
1571
no-dhcp-interface=$INTIF
1571
no-dhcp-interface=$INTIF
1572
no-dhcp-interface=tun0
1572
no-dhcp-interface=tun0
1573
no-dhcp-interface=lo
1573
no-dhcp-interface=lo
1574
bind-interfaces
1574
bind-interfaces
1575
cache-size=2048
1575
cache-size=2048
1576
domain-needed
1576
domain-needed
1577
expand-hosts
1577
expand-hosts
1578
bogus-priv
1578
bogus-priv
1579
filterwin2k
1579
filterwin2k
1580
log-queries
1580
log-queries
1581
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1581
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
1582
server=$DNS1
1582
server=$DNS1
1583
server=$DNS2
1583
server=$DNS2
1584
EOF
1584
EOF
1585
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1585
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1586
	cat << EOF > /etc/dnsmasq-whitelist.conf
1586
	cat << EOF > /etc/dnsmasq-whitelist.conf
1587
# Configuration file for "dnsmasq with whitelist"
1587
# Configuration file for "dnsmasq with whitelist"
1588
# ADD Toulouse university whitelist domains
1588
# ADD Toulouse university whitelist domains
1589
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1589
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1590
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1590
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1591
pid-file=/var/run/dnsmasq-whitelist.pid
1591
pid-file=/var/run/dnsmasq-whitelist.pid
1592
listen-address=$PRIVATE_IP
1592
listen-address=$PRIVATE_IP
1593
port=55
1593
port=55
1594
no-dhcp-interface=$INTIF
1594
no-dhcp-interface=$INTIF
1595
no-dhcp-interface=tun0
1595
no-dhcp-interface=tun0
1596
no-dhcp-interface=lo
1596
no-dhcp-interface=lo
1597
bind-interfaces
1597
bind-interfaces
1598
cache-size=1024
1598
cache-size=1024
1599
domain-needed
1599
domain-needed
1600
expand-hosts
1600
expand-hosts
1601
bogus-priv
1601
bogus-priv
1602
filterwin2k
1602
filterwin2k
1603
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1603
ipset=/#/wl_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
1604
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1604
address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)  
1605
EOF
1605
EOF
1606
# 4th dnsmasq listen on udp 56 ("blackhole")
1606
# 4th dnsmasq listen on udp 56 ("blackhole")
1607
	cat << EOF > /etc/dnsmasq-blackhole.conf
1607
	cat << EOF > /etc/dnsmasq-blackhole.conf
1608
# Configuration file for "dnsmasq as a blackhole"
1608
# Configuration file for "dnsmasq as a blackhole"
1609
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1609
conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
1610
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1610
address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
1611
pid-file=/var/run/dnsmasq-blackhole.pid
1611
pid-file=/var/run/dnsmasq-blackhole.pid
1612
listen-address=$PRIVATE_IP
1612
listen-address=$PRIVATE_IP
1613
port=56
1613
port=56
1614
no-dhcp-interface=$INTIF
1614
no-dhcp-interface=$INTIF
1615
no-dhcp-interface=tun0
1615
no-dhcp-interface=tun0
1616
no-dhcp-interface=lo
1616
no-dhcp-interface=lo
1617
bind-interfaces
1617
bind-interfaces
1618
cache-size=256
1618
cache-size=256
1619
domain-needed
1619
domain-needed
1620
expand-hosts
1620
expand-hosts
1621
bogus-priv
1621
bogus-priv
1622
filterwin2k
1622
filterwin2k
1623
EOF
1623
EOF
1624
 
1624
 
1625
# the main instance should start after network and chilli (which create tun0)
1625
# the main instance should start after network and chilli (which create tun0)
1626
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1626
	[ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1627
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1627
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1628
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1628
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1629
	for list in blacklist whitelist blackhole
1629
	for list in blacklist whitelist blackhole
1630
	do
1630
	do
1631
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1631
		cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1632
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1632
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1633
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1633
		$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1634
	done
1634
	done
1635
} # End dnsmasq
1635
} # End dnsmasq
1636
 
1636
 
1637
##########################################################
1637
##########################################################
1638
##		Fonction "BL"				##
1638
##		Fonction "BL"				##
1639
##########################################################
1639
##########################################################
1640
BL ()
1640
BL ()
1641
{
1641
{
1642
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1642
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1643
	rm -rf $DIR_DG/lists/blacklists
1643
	rm -rf $DIR_DG/lists/blacklists
1644
	mkdir -p /tmp/blacklists
1644
	mkdir -p /tmp/blacklists
1645
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1645
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1646
# creation of file for the rehabilited domains and urls
1646
# creation of file for the rehabilited domains and urls
1647
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1647
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1648
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1648
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1649
	touch $DIR_DG/lists/exceptionsitelist
1649
	touch $DIR_DG/lists/exceptionsitelist
1650
	touch $DIR_DG/lists/exceptionurllist
1650
	touch $DIR_DG/lists/exceptionurllist
1651
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1651
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
1652
	cat <<EOF > $DIR_DG/lists/bannedurllist
1652
	cat <<EOF > $DIR_DG/lists/bannedurllist
1653
# Dansguardian filter config for ALCASAR
1653
# Dansguardian filter config for ALCASAR
1654
EOF
1654
EOF
1655
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1655
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1656
# Dansguardian domain filter config for ALCASAR
1656
# Dansguardian domain filter config for ALCASAR
1657
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1657
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1658
#**
1658
#**
1659
# block all SSL and CONNECT tunnels
1659
# block all SSL and CONNECT tunnels
1660
**s
1660
**s
1661
# block all SSL and CONNECT tunnels specified only as an IP
1661
# block all SSL and CONNECT tunnels specified only as an IP
1662
*ips
1662
*ips
1663
# block all sites specified only by an IP
1663
# block all sites specified only by an IP
1664
*ip
1664
*ip
1665
EOF
1665
EOF
1666
# Add Bing to the safesearch url regext list (parental control)
1666
# Add Bing to the safesearch url regext list (parental control)
1667
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1667
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1668
# Bing - add 'adlt=strict'
1668
# Bing - add 'adlt=strict'
1669
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1669
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1670
EOF
1670
EOF
1671
# change the google safesearch ("safe=strict" instead of "safe=vss")
1671
# change the google safesearch ("safe=strict" instead of "safe=vss")
1672
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1672
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1673
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1673
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1674
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1674
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1675
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1675
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1676
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1676
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1677
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1677
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1678
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1678
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1679
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1679
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1680
# add custom ALCASAR BL files
1680
# add custom ALCASAR BL files
1681
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1681
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1682
	do
1682
	do
1683
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1683
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1684
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1684
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1685
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1685
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1686
	done
1686
	done
1687
	chown -R dansguardian:apache $DIR_DG
1687
	chown -R dansguardian:apache $DIR_DG
1688
	chown -R root:apache $DIR_DEST_SHARE
1688
	chown -R root:apache $DIR_DEST_SHARE
1689
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1689
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1690
# adapt the Toulouse BL to ALCASAR architecture
1690
# adapt the Toulouse BL to ALCASAR architecture
1691
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1691
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1692
# enable the default categories
1692
# enable the default categories
1693
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1693
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1694
}
1694
}
1695
 
1695
 
1696
##########################################################
1696
##########################################################
1697
##		Fonction "cron"				##
1697
##		Fonction "cron"				##
1698
## - Mise en place des différents fichiers de cron	##
1698
## - Mise en place des différents fichiers de cron	##
1699
##########################################################
1699
##########################################################
1700
cron ()
1700
cron ()
1701
{
1701
{
1702
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1702
# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
1703
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1703
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1704
	cat <<EOF > /etc/crontab
1704
	cat <<EOF > /etc/crontab
1705
SHELL=/usr/bin/bash
1705
SHELL=/usr/bin/bash
1706
PATH=/usr/sbin:/usr/bin
1706
PATH=/usr/sbin:/usr/bin
1707
MAILTO=root
1707
MAILTO=root
1708
HOME=/
1708
HOME=/
1709
 
1709
 
1710
# run-parts
1710
# run-parts
1711
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1711
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1712
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1712
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1713
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1713
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1714
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1714
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1715
EOF
1715
EOF
1716
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1716
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1717
	cat <<EOF >> /etc/anacrontab
1717
	cat <<EOF >> /etc/anacrontab
1718
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1718
7       8       cron.MysqlDump          nice /etc/cron.d/alcasar-mysql
1719
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1719
7       10      cron.logExport          nice /etc/cron.d/alcasar-archive
1720
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1720
7	20	cron.importClean	nice /etc/cron.d/alcasar-clean_import
1721
EOF
1721
EOF
1722
 
1722
 
1723
	cat <<EOF > /etc/cron.d/alcasar-mysql
1723
	cat <<EOF > /etc/cron.d/alcasar-mysql
1724
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1724
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
1725
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1725
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1726
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1726
# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
1727
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1727
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1728
EOF
1728
EOF
1729
	cat <<EOF > /etc/cron.d/alcasar-archive
1729
	cat <<EOF > /etc/cron.d/alcasar-archive
1730
# Archive des logs et de la base de données (tous les lundi à 5h35)
1730
# Archive des logs et de la base de données (tous les lundi à 5h35)
1731
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1731
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1732
EOF
1732
EOF
1733
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1733
	cat << EOF > /etc/cron.d/alcasar-ticket-clean
1734
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1734
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
1735
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1735
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1736
EOF
1736
EOF
1737
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1737
	cat << EOF > /etc/cron.d/alcasar-distrib-updates
1738
# mise à jour automatique de la distribution tous les jours 3h30
1738
# mise à jour automatique de la distribution tous les jours 3h30
1739
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1739
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1740
EOF
1740
EOF
1741
 
1741
 
1742
	cat << EOF > /etc/cron.d/alcasar-connections-stats
1742
	cat << EOF > /etc/cron.d/alcasar-connections-stats
1743
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1743
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1744
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1744
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
1745
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1745
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
1746
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1746
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
1747
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1747
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
1748
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1748
# 'alcasar-activity_report.sh' (every sunday at 5h35 pm) : generate an activity report in PDF
1749
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1749
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1750
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1750
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1751
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1751
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1752
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1752
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1753
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1753
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1754
EOF
1754
EOF
1755
	cat << EOF > /etc/cron.d/alcasar-watchdog
1755
	cat << EOF > /etc/cron.d/alcasar-watchdog
1756
# run the "watchdog" every 3'
1756
# run the "watchdog" every 3'
1757
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1757
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
1758
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1758
*/3 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1759
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1759
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1760
EOF
1760
EOF
1761
# Enabling the watchdog every 18'
1761
# Enabling the watchdog every 18'
1762
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1762
	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
1763
# activate  the daemon-watchdog after boot process
1763
# activate  the daemon-watchdog after boot process
1764
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1764
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1765
# activate the daemon-watchdog every 18'
1765
# activate the daemon-watchdog every 18'
1766
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1766
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1767
EOF
1767
EOF
1768
 
1768
 
1769
# Enabling category update from rsync
1769
# Enabling category update from rsync
1770
	cat << EOF > /etc/cron.d/alcasar-rsync-bl
1770
	cat << EOF > /etc/cron.d/alcasar-rsync-bl
1771
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). 
1771
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty). 
1772
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1772
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1773
EOF
1773
EOF
1774
 
1774
 
1775
# removing the users crons
1775
# removing the users crons
1776
	rm -f /var/spool/cron/*
1776
	rm -f /var/spool/cron/*
1777
} # End cron
1777
} # End cron
1778
 
1778
 
1779
##################################################################
1779
##################################################################
1780
## 			Fonction "Fail2Ban"			##
1780
## 			Fonction "Fail2Ban"			##
1781
##- Modification de la configuration de fail2ban		##
1781
##- Modification de la configuration de fail2ban		##
1782
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1782
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ...	##
1783
##################################################################
1783
##################################################################
1784
fail2ban()
1784
fail2ban()
1785
{
1785
{
1786
	$DIR_CONF/fail2ban.sh
1786
	$DIR_CONF/fail2ban.sh
1787
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1787
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1788
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1788
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1789
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1789
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1790
	chmod 644 /var/log/fail2ban.log
1790
	chmod 644 /var/log/fail2ban.log
1791
	chmod 644 /var/Save/security/watchdog.log
1791
	chmod 644 /var/Save/security/watchdog.log
1792
	/usr/bin/touch /var/log/auth.log
1792
	/usr/bin/touch /var/log/auth.log
1793
# fail2ban unit
1793
# fail2ban unit
1794
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1794
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1795
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1795
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1796
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1796
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1797
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1797
$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1798
} #Fin de fail2ban_install()
1798
} #Fin de fail2ban_install()
1799
 
1799
 
1800
##################################################################
1800
##################################################################
1801
## 			Fonction "gammu_smsd"			##
1801
## 			Fonction "gammu_smsd"			##
1802
## - Creation de la base de donnée Gammu			##
1802
## - Creation de la base de donnée Gammu			##
1803
## - Creation du fichier de config: gammu_smsd_conf		##
1803
## - Creation du fichier de config: gammu_smsd_conf		##
1804
##################################################################
1804
##################################################################
1805
gammu_smsd()
1805
gammu_smsd()
1806
{
1806
{
1807
# Create 'gammu' databse
1807
# Create 'gammu' databse
1808
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1808
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1809
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1809
	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
1810
# Add a gammu database structure
1810
# Add a gammu database structure
1811
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1811
	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1812
 
1812
 
1813
# config file for the daemon
1813
# config file for the daemon
1814
cat << EOF > /etc/gammu_smsd_conf
1814
cat << EOF > /etc/gammu_smsd_conf
1815
[gammu]
1815
[gammu]
1816
port = /dev/ttyUSB0
1816
port = /dev/ttyUSB0
1817
connection = at115200
1817
connection = at115200
1818
 
1818
 
1819
;########################################################
1819
;########################################################
1820
 
1820
 
1821
[smsd]
1821
[smsd]
1822
 
1822
 
1823
PIN = 1234
1823
PIN = 1234
1824
 
1824
 
1825
logfile = /var/log/gammu-smsd/gammu-smsd.log
1825
logfile = /var/log/gammu-smsd/gammu-smsd.log
1826
logformat = textall
1826
logformat = textall
1827
debuglevel = 0
1827
debuglevel = 0
1828
 
1828
 
1829
service = sql
1829
service = sql
1830
driver = native_mysql
1830
driver = native_mysql
1831
user = $DB_USER
1831
user = $DB_USER
1832
password = $radiuspwd
1832
password = $radiuspwd
1833
pc = localhost
1833
pc = localhost
1834
database = $DB_GAMMU
1834
database = $DB_GAMMU
1835
 
1835
 
1836
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1836
RunOnReceive = $DIR_DEST_BIN/alcasar-sms.sh --new_sms
1837
 
1837
 
1838
StatusFrequency = 30
1838
StatusFrequency = 30
1839
;LoopSleep = 2
1839
;LoopSleep = 2
1840
 
1840
 
1841
;ResetFrequency = 300
1841
;ResetFrequency = 300
1842
;HardResetFrequency = 120
1842
;HardResetFrequency = 120
1843
 
1843
 
1844
CheckSecurity = 1 
1844
CheckSecurity = 1 
1845
CheckSignal = 1
1845
CheckSignal = 1
1846
CheckBattery = 0
1846
CheckBattery = 0
1847
EOF
1847
EOF
1848
 
1848
 
1849
chmod 755 /etc/gammu_smsd_conf
1849
chmod 755 /etc/gammu_smsd_conf
1850
 
1850
 
1851
#Creation dossier de log Gammu-smsd
1851
#Creation dossier de log Gammu-smsd
1852
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1852
[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
1853
chmod 755 /var/log/gammu-smsd
1853
chmod 755 /var/log/gammu-smsd
1854
 
1854
 
1855
#Edition du script sql gammu <-> radius
1855
#Edition du script sql gammu <-> radius
1856
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1856
$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1857
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1857
$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1858
 
1858
 
1859
#Création de la règle udev pour les Huawei // idVendor: 12d1
1859
#Création de la règle udev pour les Huawei // idVendor: 12d1
1860
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1860
cat << EOF > /etc/udev/rules.d/66-huawei.rules
1861
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1861
KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
1862
EOF
1862
EOF
1863
 
1863
 
1864
} # END gammu_smsd()
1864
} # END gammu_smsd()
1865
 
1865
 
1866
 
1866
 
1867
##################################################################
1867
##################################################################
1868
##			Fonction "msec"				##
1868
##			Fonction "msec"				##
1869
## - Apply the "fileserver" security level			##
1869
## - Apply the "fileserver" security level			##
1870
## - remove the "system request" for rebboting			##
1870
## - remove the "system request" for rebboting			##
1871
## - Fix several file permissions				##
1871
## - Fix several file permissions				##
1872
##################################################################
1872
##################################################################
1873
msec()
1873
msec()
1874
{
1874
{
1875
 
1875
 
1876
# Apply fileserver security level
1876
# Apply fileserver security level
1877
$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
1877
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
1878
# Disable Magic SysReq Keys
-
 
1879
$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
1878
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
1880
 
1879
 
1881
# Set permissions monitoring and enforcement
1880
# Set permissions monitoring and enforcement
1882
cat <<EOF > /etc/security/msec/perm.local
1881
cat <<EOF > /etc/security/msec/perm.local
1883
/var/log/firefwall/                     root.apache     750
1882
/var/log/firefwall/                     root.apache     750
1884
/var/log/firewall/*                     root.apache     640
1883
/var/log/firewall/*                     root.apache     640
1885
/etc/security/msec/perm.local           root.root       640
1884
/etc/security/msec/perm.local           root.root       640
1886
/etc/security/msec/level.local          root.root       640
1885
/etc/security/msec/level.local          root.root       640
1887
/etc/freeradius-web                     root.apache     750
1886
/etc/freeradius-web                     root.apache     750
1888
/etc/freeradius-web/admin.conf          root.apache     640
1887
/etc/freeradius-web/admin.conf          root.apache     640
1889
/etc/raddb/dictionnary                  root.apache     640
1888
/etc/raddb/dictionnary                  root.apache     640
1890
/etc/raddb/ldap.attrmap                 root.radius     640
1889
/etc/raddb/ldap.attrmap                 root.radius     640
1891
/etc/raddb/hints                        root.radius     640
1890
/etc/raddb/hints                        root.radius     640
1892
/etc/raddb/huntgroups                   root.radius     640
1891
/etc/raddb/huntgroups                   root.radius     640
1893
/etc/raddb/attrs.access_reject          root.radius     640
1892
/etc/raddb/attrs.access_reject          root.radius     640
1894
/etc/raddb/attrs.accounting_response    root.radius     640
1893
/etc/raddb/attrs.accounting_response    root.radius     640
1895
/etc/raddb/acct_users                   root.raidus     640
1894
/etc/raddb/acct_users                   root.radius     640
1896
/etc/raddb/preproxy_users               root.radius     640
1895
/etc/raddb/preproxy_users               root.radius     640
1897
/etc/raddb/modules/ldap                 radius.apache   660
1896
/etc/raddb/modules/ldap                 radius.apache   660
1898
/etc/raddb/sites-available/alcasar      radius.apache   660
1897
/etc/raddb/sites-available/alcasar      radius.apache   660
1899
/etc/pki/*                              root.apache     750
1898
/etc/pki/*                              root.apache     750
1900
/var/log/netflow/porttracker            apache.apache   770
1899
/var/log/netflow/porttracker            root.apache     770
1901
/var/log/netflow/porttracker/*          apache.apache   770
1900
/var/log/netflow/porttracker/*          root.apache     660
1902
EOF
1901
EOF
1903
# apply now
1902
# apply now hourly & daily checks 
1904
/usr/sbin/msec
1903
/usr/sbin/msec
-
 
1904
/etc/cron.weekly/msec
1905
 
1905
 
1906
} # END msec()
1906
} # END msec()
1907
 
1907
 
1908
##################################################################
1908
##################################################################
1909
##		Fonction "post_install"			##
1909
##		Fonction "post_install"			##
1910
## - Modifying banners (locals et ssh) & prompts	##
1910
## - Modifying banners (locals et ssh) & prompts	##
1911
## - SSH config						##
1911
## - SSH config						##
1912
## - sudoers config & files security			##
1912
## - sudoers config & files security			##
1913
## - log rotate & ANSSI security parameters		##
1913
## - log rotate & ANSSI security parameters		##
1914
## - Apply former conf in case of an update		##
1914
## - Apply former conf in case of an update		##
1915
##########################################################
1915
##########################################################
1916
post_install()
1916
post_install()
1917
{
1917
{
1918
# change the SSH banner
1918
# change the SSH banner
1919
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1919
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
1920
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1920
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
1921
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1921
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1922
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1922
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
1923
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1923
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1924
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1924
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
1925
# postfix banner anonymisation
1925
# postfix banner anonymisation
1926
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1926
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
1927
	chown -R postfix:postfix /var/lib/postfix
1927
	chown -R postfix:postfix /var/lib/postfix
1928
# sshd liste on EXTIF & INTIF
1928
# sshd liste on EXTIF & INTIF
1929
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1929
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
1930
# sshd authorized certificate for root login
1930
# sshd authorized certificate for root login
1931
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1931
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
1932
# ALCASAR conf file
1932
# ALCASAR conf file
1933
	echo "SSH=on" >> $CONF_FILE
1933
	echo "SSH=on" >> $CONF_FILE
1934
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1934
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
1935
	echo "LDAP=off" >> $CONF_FILE
1935
	echo "LDAP=off" >> $CONF_FILE
1936
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1936
	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1937
	echo "MULTIWAN=off" >> $CONF_FILE
1937
	echo "MULTIWAN=off" >> $CONF_FILE
1938
	echo "FAILOVER=30" >> $CONF_FILE
1938
	echo "FAILOVER=30" >> $CONF_FILE
1939
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1939
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1940
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1940
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
1941
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1941
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1942
# Prompt customisation (colors)
1942
# Prompt customisation (colors)
1943
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1943
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
1944
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1944
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
1945
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1945
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1946
# sudoers configuration for "apache" & "sysadmin"
1946
# sudoers configuration for "apache" & "sysadmin"
1947
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1947
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
1948
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1948
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
1949
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1949
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
1950
# Modify some logrotate files (gammu, ulogd)
1950
# Modify some logrotate files (gammu, ulogd)
1951
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1951
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
1952
	chmod 644 /etc/logrotate.d/*
1952
	chmod 644 /etc/logrotate.d/*
1953
# Log compression
1953
# Log compression
1954
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1954
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
1955
# actualisation des fichiers logs compressés
1955
# actualisation des fichiers logs compressés
1956
	for dir in firewall dansguardian httpd
1956
	for dir in firewall dansguardian httpd
1957
	do
1957
	do
1958
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1958
	      find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
1959
	done
1959
	done
1960
# create the alcasar-load_balancing unit
1960
# create the alcasar-load_balancing unit
1961
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1961
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1962
#  This file is part of systemd.
1962
#  This file is part of systemd.
1963
#
1963
#
1964
#  systemd is free software; you can redistribute it and/or modify it
1964
#  systemd is free software; you can redistribute it and/or modify it
1965
#  under the terms of the GNU General Public License as published by
1965
#  under the terms of the GNU General Public License as published by
1966
#  the Free Software Foundation; either version 2 of the License, or
1966
#  the Free Software Foundation; either version 2 of the License, or
1967
#  (at your option) any later version.
1967
#  (at your option) any later version.
1968
 
1968
 
1969
# This unit lauches alcasar-load-balancing.sh script.
1969
# This unit lauches alcasar-load-balancing.sh script.
1970
[Unit]
1970
[Unit]
1971
Description=alcasar-load_balancing.sh execution
1971
Description=alcasar-load_balancing.sh execution
1972
After=network.target iptables.service
1972
After=network.target iptables.service
1973
 
1973
 
1974
[Service]
1974
[Service]
1975
Type=oneshot
1975
Type=oneshot
1976
RemainAfterExit=yes
1976
RemainAfterExit=yes
1977
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
1977
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
1978
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1978
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
1979
TimeoutSec=0
1979
TimeoutSec=0
1980
SysVStartPriority=99
1980
SysVStartPriority=99
1981
 
1981
 
1982
[Install]
1982
[Install]
1983
WantedBy=multi-user.target
1983
WantedBy=multi-user.target
1984
EOF
1984
EOF
1985
# processes launched at boot time (Systemctl)
1985
# processes launched at boot time (Systemctl)
1986
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
1986
	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
1987
	do
1987
	do
1988
		/usr/bin/systemctl -q enable $i.service
1988
		/usr/bin/systemctl -q enable $i.service
1989
	done
1989
	done
1990
	
1990
	
1991
# disable processes at boot time (Systemctl)
1991
# disable processes at boot time (Systemctl)
1992
	for i in ulogd
1992
	for i in ulogd
1993
	do
1993
	do
1994
		/usr/bin/systemctl -q disable $i.service
1994
		/usr/bin/systemctl -q disable $i.service
1995
	done
1995
	done
1996
	
1996
	
1997
# Apply French Security Agency (ANSSI) rules
1997
# Apply French Security Agency (ANSSI) rules
1998
# ignore ICMP broadcast (smurf attack)
1998
# ignore ICMP broadcast (smurf attack)
1999
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
1999
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2000
# ignore ICMP errors bogus
2000
# ignore ICMP errors bogus
2001
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2001
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2002
# remove ICMP redirects responces
2002
# remove ICMP redirects responces
2003
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2003
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2004
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2004
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2005
# enable SYN Cookies (Syn flood attacks)
2005
# enable SYN Cookies (Syn flood attacks)
2006
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2006
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2007
# enable kernel antispoofing
2007
# enable kernel antispoofing
2008
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2008
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2009
# ignore source routing
2009
# ignore source routing
2010
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2010
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2011
# set conntrack timer to 1h (3600s) instead of 5 weeks
2011
# set conntrack timer to 1h (3600s) instead of 5 weeks
2012
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2012
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2013
# disable log_martians (ALCASAR is often installed between two private network addresses) 
2013
# disable log_martians (ALCASAR is often installed between two private network addresses) 
2014
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2014
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2015
# disable iptables_helpers
2015
# disable iptables_helpers
2016
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2016
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2017
# Switch to the router mode
2017
# Switch to the router mode
2018
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2018
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2019
# Remove unused service ipv6
2019
# Remove unused service ipv6
2020
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2020
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2021
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2021
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2022
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2022
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2023
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2023
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2024
# switch to multi-users runlevel (instead of x11)
2024
# switch to multi-users runlevel (instead of x11)
2025
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2025
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2026
#	GRUB modifications (only one time)
2026
#	GRUB modifications (only one time)
2027
# Limit wait time to 3s - Create an alcasar entry instead of linux-nonfb - Change the default banner
2027
# Limit wait time to 3s - Create an alcasar entry instead of linux-nonfb - Change the default banner
2028
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
2028
	grub_already_modified=`grep ALCASAR /boot/grub/menu.lst|wc -l`
2029
	if [ $grub_already_modified == 0 ]
2029
	if [ $grub_already_modified == 0 ]
2030
		then
2030
		then
2031
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
2031
		$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
2032
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
2032
		$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
2033
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
2033
		$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
2034
# change display to 1024*768 (vga791) only if not on VM
2034
# change display to 1024*768 (vga791) only if not on VM
2035
		[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2035
		[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2036
		vm_vga=`lsmod | egrep "virtio|vmwgfx" | wc -l`
2036
		vm_vga=`lsmod | egrep "virtio|vmwgfx" | wc -l`
2037
		if [ $vm_vga == 0 ] # is not a virtual machine (proxmox, vmware)
2037
		if [ $vm_vga == 0 ] # is not a virtual machine (proxmox, vmware)
2038
		then
2038
		then
2039
			$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
2039
			$SED "/^kernel/s/$/ vga=791/" /boot/grub/menu.lst
2040
			cp -f $DIR_CONF/banner /etc/mageia-release
2040
			cp -f $DIR_CONF/banner /etc/mageia-release
2041
			echo " V$VERSION" >> /etc/mageia-release
2041
			echo " V$VERSION" >> /etc/mageia-release
2042
		else
2042
		else
2043
			echo "ALCASAR V$VERSION" > /etc/mageia-release
2043
			echo "ALCASAR V$VERSION" > /etc/mageia-release
2044
		fi
2044
		fi
2045
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
2045
		$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
2046
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
2046
		$SED "/^gfxmenu/d" /boot/grub/menu.lst
2047
	fi
2047
	fi
2048
# Load and apply the previous conf file
2048
# Load and apply the previous conf file
2049
	if [ "$mode" = "update" ]
2049
	if [ "$mode" = "update" ]
2050
	then
2050
	then
2051
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2051
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2052
		$DIR_DEST_BIN/alcasar-conf.sh --load
2052
		$DIR_DEST_BIN/alcasar-conf.sh --load
2053
		PARENT_SCRIPT=`basename $0`
2053
		PARENT_SCRIPT=`basename $0`
2054
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2054
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2055
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2055
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2056
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf 
2056
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf 
2057
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2057
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2058
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2058
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2059
	fi
2059
	fi
2060
	rm -f /tmp/alcasar-conf*
2060
	rm -f /tmp/alcasar-conf*
2061
	chown -R root:apache $DIR_DEST_ETC/*
2061
	chown -R root:apache $DIR_DEST_ETC/*
2062
	chmod -R 660 $DIR_DEST_ETC/*
2062
	chmod -R 660 $DIR_DEST_ETC/*
2063
	chmod ug+x $DIR_DEST_ETC/digest
2063
	chmod ug+x $DIR_DEST_ETC/digest
2064
	cd $DIR_INSTALL
2064
	cd $DIR_INSTALL
2065
	echo ""
2065
	echo ""
2066
	echo "#############################################################################"
2066
	echo "#############################################################################"
2067
	if [ $Lang == "fr" ]
2067
	if [ $Lang == "fr" ]
2068
		then
2068
		then
2069
		echo "#                        Fin d'installation d'ALCASAR                       #"
2069
		echo "#                        Fin d'installation d'ALCASAR                       #"
2070
		echo "#                                                                           #"
2070
		echo "#                                                                           #"
2071
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2071
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2072
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2072
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2073
		echo "#                                                                           #"
2073
		echo "#                                                                           #"
2074
		echo "#############################################################################"
2074
		echo "#############################################################################"
2075
		echo
2075
		echo
2076
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2076
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2077
		echo
2077
		echo
2078
		echo "- Lisez attentivement la documentation d'exploitation"
2078
		echo "- Lisez attentivement la documentation d'exploitation"
2079
		echo
2079
		echo
2080
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
2080
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
2081
		echo
2081
		echo
2082
		echo "                   Appuyez sur 'Entrée' pour continuer"
2082
		echo "                   Appuyez sur 'Entrée' pour continuer"
2083
	else	
2083
	else	
2084
		echo "#                        Enf of ALCASAR install process                     #"
2084
		echo "#                        Enf of ALCASAR install process                     #"
2085
		echo "#                                                                           #"
2085
		echo "#                                                                           #"
2086
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2086
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2087
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2087
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2088
		echo "#                                                                           #"
2088
		echo "#                                                                           #"
2089
		echo "#############################################################################"
2089
		echo "#############################################################################"
2090
		echo
2090
		echo
2091
		echo "- The system will be rebooted in order to operate ALCASAR"
2091
		echo "- The system will be rebooted in order to operate ALCASAR"
2092
		echo
2092
		echo
2093
		echo "- Read the exploitation documentation"
2093
		echo "- Read the exploitation documentation"
2094
		echo
2094
		echo
2095
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2095
		echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
2096
		echo
2096
		echo
2097
		echo "                   Hit 'Enter' to continue"
2097
		echo "                   Hit 'Enter' to continue"
2098
	fi
2098
	fi
2099
	sleep 2
2099
	sleep 2
2100
	if [ "$mode" != "update" ]
2100
	if [ "$mode" != "update" ]
2101
	then
2101
	then
2102
		read a
2102
		read a
2103
	fi
2103
	fi
2104
	clear
2104
	clear
2105
	reboot
2105
	reboot
2106
} # End post_install ()
2106
} # End post_install ()
2107
 
2107
 
2108
#################################
2108
#################################
2109
#  	Main Install loop  	#
2109
#  	Main Install loop  	#
2110
#################################
2110
#################################
2111
dir_exec=`dirname "$0"`
2111
dir_exec=`dirname "$0"`
2112
if [ $dir_exec != "." ]
2112
if [ $dir_exec != "." ]
2113
then
2113
then
2114
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2114
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2115
	echo "Launch this program from the ALCASAR archive directory"
2115
	echo "Launch this program from the ALCASAR archive directory"
2116
	exit 0
2116
	exit 0
2117
fi
2117
fi
2118
VERSION=`cat $DIR_INSTALL/VERSION`
2118
VERSION=`cat $DIR_INSTALL/VERSION`
2119
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2119
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2120
nb_args=$#
2120
nb_args=$#
2121
args=$1
2121
args=$1
2122
if [ $nb_args -eq 0 ]
2122
if [ $nb_args -eq 0 ]
2123
then
2123
then
2124
	nb_args=1
2124
	nb_args=1
2125
	args="-h"
2125
	args="-h"
2126
fi
2126
fi
2127
chmod -R u+x $DIR_SCRIPTS/*
2127
chmod -R u+x $DIR_SCRIPTS/*
2128
case $args in
2128
case $args in
2129
	-\? | -h* | --h*)
2129
	-\? | -h* | --h*)
2130
		echo "$usage"
2130
		echo "$usage"
2131
		exit 0
2131
		exit 0
2132
		;;
2132
		;;
2133
	-i | --install)
2133
	-i | --install)
2134
		header_install
2134
		header_install
2135
		license
2135
		license
2136
		header_install
2136
		header_install
2137
		testing
2137
		testing
2138
# RPMs install
2138
# RPMs install
2139
		$DIR_SCRIPTS/alcasar-urpmi.sh
2139
		$DIR_SCRIPTS/alcasar-urpmi.sh
2140
		if [ "$?" != "0" ]
2140
		if [ "$?" != "0" ]
2141
		then
2141
		then
2142
			exit 0
2142
			exit 0
2143
		fi
2143
		fi
2144
		if [ -e $CONF_FILE ]
2144
		if [ -e $CONF_FILE ]
2145
		then
2145
		then
2146
# Uninstall the running version
2146
# Uninstall the running version
2147
			$DIR_SCRIPTS/alcasar-uninstall.sh -update
2147
			$DIR_SCRIPTS/alcasar-uninstall.sh -update
2148
		fi
2148
		fi
2149
# Test if manual update	
2149
# Test if manual update	
2150
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2150
		if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2151
		then
2151
		then
2152
			header_install
2152
			header_install
2153
			if [ $Lang == "fr" ]
2153
			if [ $Lang == "fr" ]
2154
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2154
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2155
				else echo "The configuration file of an old version has been found";
2155
				else echo "The configuration file of an old version has been found";
2156
			fi
2156
			fi
2157
			response=0
2157
			response=0
2158
			PTN='^[oOnNyY]$'
2158
			PTN='^[oOnNyY]$'
2159
			until [[ $(expr $response : $PTN) -gt 0 ]]
2159
			until [[ $(expr $response : $PTN) -gt 0 ]]
2160
			do
2160
			do
2161
				if [ $Lang == "fr" ]
2161
				if [ $Lang == "fr" ]
2162
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2162
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2163
					else echo -n "Do you want to use it (Y/n)?";
2163
					else echo -n "Do you want to use it (Y/n)?";
2164
				 fi
2164
				 fi
2165
				read response
2165
				read response
2166
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2166
				if [ "$response" = "n" ] || [ "$response" = "N" ] 
2167
				then rm -f /tmp/alcasar-conf*
2167
				then rm -f /tmp/alcasar-conf*
2168
				fi
2168
				fi
2169
			done
2169
			done
2170
		fi
2170
		fi
2171
# Test if update
2171
# Test if update
2172
		if [ -e /tmp/alcasar-conf* ] 
2172
		if [ -e /tmp/alcasar-conf* ] 
2173
		then
2173
		then
2174
			if [ $Lang == "fr" ]
2174
			if [ $Lang == "fr" ]
2175
				then echo "#### Installation avec mise à jour ####";
2175
				then echo "#### Installation avec mise à jour ####";
2176
				else echo "#### Installation with update     ####";
2176
				else echo "#### Installation with update     ####";
2177
			fi
2177
			fi
2178
# Extract the central configuration file
2178
# Extract the central configuration file
2179
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2179
			tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf 
2180
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2180
			ORGANISME=`grep ORGANISM conf/etc/alcasar.conf|cut -d"=" -f2`
2181
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2181
			PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf|cut -d"=" -f2`
2182
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2182
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2183
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2183
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
2184
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2184
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
2185
			mode="update"
2185
			mode="update"
2186
		fi
2186
		fi
2187
		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec post_install
2187
		for func in init network ACC CA time_server init_db radius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec post_install
2188
		do
2188
		do
2189
			$func
2189
			$func
2190
# echo "*** 'debug' : end of function $func ***"; read a
2190
# echo "*** 'debug' : end of function $func ***"; read a
2191
		done
2191
		done
2192
		;;
2192
		;;
2193
	-u | --uninstall)
2193
	-u | --uninstall)
2194
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2194
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2195
		then
2195
		then
2196
			if [ $Lang == "fr" ]
2196
			if [ $Lang == "fr" ]
2197
				then echo "ALCASAR n'est pas installé!";
2197
				then echo "ALCASAR n'est pas installé!";
2198
				else echo "ALCASAR isn't installed!";
2198
				else echo "ALCASAR isn't installed!";
2199
			fi
2199
			fi
2200
			exit 0
2200
			exit 0
2201
		fi
2201
		fi
2202
		response=0
2202
		response=0
2203
		PTN='^[oOnN]$'
2203
		PTN='^[oOnN]$'
2204
		until [[ $(expr $response : $PTN) -gt 0 ]]
2204
		until [[ $(expr $response : $PTN) -gt 0 ]]
2205
		do
2205
		do
2206
			if [ $Lang == "fr" ]
2206
			if [ $Lang == "fr" ]
2207
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2207
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2208
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2208
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2209
			fi
2209
			fi
2210
			read response
2210
			read response
2211
		done
2211
		done
2212
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2212
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2213
		then
2213
		then
2214
			$DIR_SCRIPTS/alcasar-conf.sh --create
2214
			$DIR_SCRIPTS/alcasar-conf.sh --create
2215
		else	
2215
		else	
2216
			rm -f /tmp/alcasar-conf*
2216
			rm -f /tmp/alcasar-conf*
2217
		fi
2217
		fi
2218
# Uninstall the running version
2218
# Uninstall the running version
2219
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2219
		$DIR_SCRIPTS/alcasar-uninstall.sh -full
2220
		;;
2220
		;;
2221
	*)
2221
	*)
2222
		echo "Argument inconnu :$1";
2222
		echo "Argument inconnu :$1";
2223
		echo "Unknown argument :$1";
2223
		echo "Unknown argument :$1";
2224
		echo "$usage"
2224
		echo "$usage"
2225
		exit 1
2225
		exit 1
2226
		;;
2226
		;;
2227
esac
2227
esac
2228
# end of script
2228
# end of script
2229
 
2229
 
2230
 
2230