| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar.sh 2711 2019-03-10 23:23:31Z tom.houdayer $
|
2 |
# $Id: alcasar.sh 2724 2019-05-05 19:05:53Z rexy $
|
| 3 |
|
3 |
|
| 4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
| 5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
| 6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 7 |
# team@alcasar.net
|
7 |
# team@alcasar.net
|
| Line 82... |
Line 82... |
| 82 |
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
|
82 |
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
|
| 83 |
# ****** Paths - chemin des commandes *******
|
83 |
# ****** Paths - chemin des commandes *******
|
| 84 |
SED="/bin/sed -i"
|
84 |
SED="/bin/sed -i"
|
| 85 |
# ****************** End of global parameters *********************
|
85 |
# ****************** End of global parameters *********************
|
| 86 |
|
86 |
|
| 87 |
license ()
|
87 |
license()
|
| 88 |
{
|
88 |
{
|
| 89 |
if [ $Lang == "fr" ]
|
89 |
if [ $Lang == "fr" ]
|
| 90 |
then
|
90 |
then
|
| 91 |
cat $DIR_INSTALL/gpl-warning.fr.txt | more
|
91 |
cat $DIR_INSTALL/gpl-warning.fr.txt | more
|
| 92 |
else
|
92 |
else
|
| Line 104... |
Line 104... |
| 104 |
done
|
104 |
done
|
| 105 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
105 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
| 106 |
then
|
106 |
then
|
| 107 |
exit 1
|
107 |
exit 1
|
| 108 |
fi
|
108 |
fi
|
| 109 |
}
|
109 |
} # End of license()
|
| 110 |
|
110 |
|
| 111 |
header_install ()
|
111 |
header_install()
|
| 112 |
{
|
112 |
{
|
| 113 |
clear
|
113 |
clear
|
| 114 |
echo "-----------------------------------------------------------------------------"
|
114 |
echo "-----------------------------------------------------------------------------"
|
| 115 |
echo " ALCASAR V$VERSION Installation"
|
115 |
echo " ALCASAR V$VERSION Installation"
|
| 116 |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
|
116 |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
|
| 117 |
echo "-----------------------------------------------------------------------------"
|
117 |
echo "-----------------------------------------------------------------------------"
|
| 118 |
}
|
- |
|
| - |
|
118 |
} # End of header_install()
|
| 119 |
|
119 |
|
| 120 |
########################################################
|
120 |
########################################################
|
| 121 |
## Function "testing" ##
|
121 |
## Function "testing" ##
|
| 122 |
## - Test Mageia version ##
|
122 |
## - Test Mageia version ##
|
| 123 |
## - Test ALCASAR version (if already installed) ##
|
123 |
## - Test ALCASAR version (if already installed) ##
|
| 124 |
## - Test free space on /var (>10G) ##
|
124 |
## - Test free space on /var (>10G) ##
|
| 125 |
## - Test Internet access ##
|
125 |
## - Test Internet access ##
|
| 126 |
########################################################
|
126 |
########################################################
|
| 127 |
testing ()
|
127 |
testing()
|
| 128 |
{
|
128 |
{
|
| 129 |
# Test of Mageia version
|
129 |
# Test of Mageia version
|
| 130 |
# extract the current Mageia version and hardware architecture (i586 ou X64)
|
130 |
# extract the current Mageia version and hardware architecture (i586 ou X64)
|
| 131 |
fic=`cat /etc/product.id`
|
131 |
fic=`cat /etc/product.id`
|
| 132 |
unknown_os=0
|
132 |
unknown_os=0
|
| Line 253... |
Line 253... |
| 253 |
else echo "External interface (Internet) used: $EXTIF"
|
253 |
else echo "External interface (Internet) used: $EXTIF"
|
| 254 |
fi
|
254 |
fi
|
| 255 |
|
255 |
|
| 256 |
if [ -z "$INTIF" ]; then
|
256 |
if [ -z "$INTIF" ]; then
|
| 257 |
interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
|
257 |
interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
|
| 258 |
interfacesCount=$(echo "$interfacesList" | wc -l)
|
258 |
interfacesCount=$(echo "$interfacesList" | wc -w)
|
| 259 |
if [ $interfacesCount -eq 0 ]; then
|
259 |
if [ $interfacesCount -eq 0 ]; then
|
| 260 |
if [ "$Lang" == 'fr' ]
|
260 |
if [ "$Lang" == 'fr' ]
|
| 261 |
then echo "Aucune interface de disponible pour le réseau interne"
|
261 |
then echo "Aucune interface de disponible pour le réseau interne"
|
| 262 |
else echo "No interface available for the internal network"
|
262 |
else echo "No interface available for the internal network"
|
| 263 |
fi
|
263 |
fi
|
| Line 265... |
Line 265... |
| 265 |
elif [ $interfacesCount -eq 1 ]; then
|
265 |
elif [ $interfacesCount -eq 1 ]; then
|
| 266 |
INTIF="$interfacesList"
|
266 |
INTIF="$interfacesList"
|
| 267 |
else
|
267 |
else
|
| 268 |
interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
|
268 |
interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
|
| 269 |
interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
|
269 |
interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
|
| 270 |
|
- |
|
| 271 |
if [ "$Lang" == 'fr' ]
|
270 |
if [ "$Lang" == 'fr' ]
|
| 272 |
then echo 'Liste des interfaces disponible :'
|
271 |
then echo 'Liste des interfaces disponible :'
|
| 273 |
else echo 'List of available interfaces:'
|
272 |
else echo 'List of available interfaces:'
|
| 274 |
fi
|
273 |
fi
|
| 275 |
echo "$interfacesSorted"
|
274 |
echo "$interfacesSorted"
|
| Line 414... |
Line 413... |
| 414 |
echo "Verify the DNS IP addresses"
|
413 |
echo "Verify the DNS IP addresses"
|
| 415 |
fi
|
414 |
fi
|
| 416 |
exit 1
|
415 |
exit 1
|
| 417 |
fi
|
416 |
fi
|
| 418 |
echo ". : ok"
|
417 |
echo ". : ok"
|
| 419 |
} # end of testing ()
|
418 |
} # End of testing()
|
| 420 |
|
419 |
|
| 421 |
#######################################################################
|
420 |
#######################################################################
|
| 422 |
## Function "init" ##
|
421 |
## Function "init" ##
|
| 423 |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
|
422 |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
|
| 424 |
## - Creation of random password for GRUB, mariadb (admin and user) ##
|
423 |
## - Creation of random password for GRUB, mariadb (admin and user) ##
|
| 425 |
#######################################################################
|
424 |
#######################################################################
|
| 426 |
init ()
|
425 |
init()
|
| 427 |
{
|
426 |
{
|
| 428 |
if [ "$mode" != "update" ]
|
427 |
if [ "$mode" != "update" ]
|
| 429 |
then
|
428 |
then
|
| 430 |
# On affecte le nom d'organisme
|
429 |
# On affecte le nom d'organisme
|
| 431 |
header_install
|
430 |
header_install
|
| Line 492... |
Line 491... |
| 492 |
ORGANISM=$ORGANISME
|
491 |
ORGANISM=$ORGANISME
|
| 493 |
HOSTNAME=$HOSTNAME
|
492 |
HOSTNAME=$HOSTNAME
|
| 494 |
DOMAIN=$DOMAIN
|
493 |
DOMAIN=$DOMAIN
|
| 495 |
EOF
|
494 |
EOF
|
| 496 |
chmod o-rwx $CONF_FILE
|
495 |
chmod o-rwx $CONF_FILE
|
| 497 |
} # End of init ()
|
496 |
} # End of init()
|
| 498 |
|
497 |
|
| 499 |
#########################################################
|
498 |
#########################################################
|
| 500 |
## Function "network" ##
|
499 |
## Function "network" ##
|
| 501 |
## - Define the several network address ##
|
500 |
## - Define the several network address ##
|
| 502 |
## - Define the DNS naming ##
|
501 |
## - Define the DNS naming ##
|
| 503 |
## - INTIF parameters (consultation network) ##
|
502 |
## - INTIF parameters (consultation network) ##
|
| 504 |
## - Write "/etc/hosts" file ##
|
503 |
## - Write "/etc/hosts" file ##
|
| 505 |
## - write "hosts.allow" & "hosts.deny" files ##
|
504 |
## - write "hosts.allow" & "hosts.deny" files ##
|
| 506 |
#########################################################
|
505 |
#########################################################
|
| 507 |
network ()
|
506 |
network()
|
| 508 |
{
|
507 |
{
|
| 509 |
header_install
|
508 |
header_install
|
| 510 |
if [ "$mode" != "update" ]
|
509 |
if [ "$mode" != "update" ]
|
| 511 |
then
|
510 |
then
|
| 512 |
if [ $Lang == "fr" ]
|
511 |
if [ $Lang == "fr" ]
|
| Line 759... |
Line 758... |
| 759 |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
|
758 |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
|
| 760 |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
|
759 |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
|
| 761 |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
|
760 |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
|
| 762 |
#
|
761 |
#
|
| 763 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
762 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
| 764 |
} # End of network ()
|
763 |
} # End of network()
|
| 765 |
|
764 |
|
| 766 |
###################################################
|
765 |
###################################################
|
| 767 |
## Function "ACC" ##
|
766 |
## Function "ACC" ##
|
| 768 |
## - copy ALCASAR Control Center (ACC) files ##
|
767 |
## - copy ALCASAR Control Center (ACC) files ##
|
| 769 |
## - configuration of the web server (Lighttpd) ##
|
768 |
## - configuration of the web server (Lighttpd) ##
|
| 770 |
## - creation of the first ACC admin account ##
|
769 |
## - creation of the first ACC admin account ##
|
| 771 |
## - secure the ACC access ##
|
770 |
## - secure the ACC access ##
|
| 772 |
###################################################
|
771 |
###################################################
|
| 773 |
ACC ()
|
772 |
ACC()
|
| 774 |
{
|
773 |
{
|
| 775 |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
|
774 |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
|
| 776 |
mkdir $DIR_WEB
|
775 |
mkdir $DIR_WEB
|
| 777 |
# Copy & adapt ACC files
|
776 |
# Copy & adapt ACC files
|
| 778 |
cp -rf $DIR_INSTALL/web/* $DIR_WEB/
|
777 |
cp -rf $DIR_INSTALL/web/* $DIR_WEB/
|
| Line 874... |
Line 873... |
| 874 |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
|
873 |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
|
| 875 |
# Log file for ACC access imputability
|
874 |
# Log file for ACC access imputability
|
| 876 |
[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
|
875 |
[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
|
| 877 |
chown root:apache /var/Save/security/acc_access.log
|
876 |
chown root:apache /var/Save/security/acc_access.log
|
| 878 |
chmod 664 /var/Save/security/acc_access.log
|
877 |
chmod 664 /var/Save/security/acc_access.log
|
| 879 |
} # End of ACC ()
|
878 |
} # End of ACC()
|
| 880 |
|
879 |
|
| 881 |
##################################################################
|
880 |
##################################################################
|
| 882 |
## Fonction "CA" ##
|
881 |
## Fonction "CA" ##
|
| 883 |
## - Creating the CA and the server certificate (lighttpd) ##
|
882 |
## - Creating the CA and the server certificate (lighttpd) ##
|
| 884 |
##################################################################
|
883 |
##################################################################
|
| 885 |
CA ()
|
884 |
CA()
|
| 886 |
{
|
885 |
{
|
| 887 |
$DIR_DEST_BIN/alcasar-CA.sh
|
886 |
$DIR_DEST_BIN/alcasar-CA.sh
|
| 888 |
chown -R root:apache /etc/pki
|
887 |
chown -R root:apache /etc/pki
|
| 889 |
chmod -R 750 /etc/pki
|
888 |
chmod -R 750 /etc/pki
|
| 890 |
} # End of CA ()
|
889 |
} # End of CA()
|
| 891 |
|
890 |
|
| 892 |
#############################################################
|
891 |
#############################################################
|
| 893 |
## Function "time_server" ##
|
892 |
## Function "time_server" ##
|
| 894 |
## - Configuring NTP server ##
|
893 |
## - Configuring NTP server ##
|
| 895 |
#############################################################
|
894 |
#############################################################
|
| 896 |
time_server ()
|
895 |
time_server()
|
| 897 |
{
|
896 |
{
|
| 898 |
# Set the Internet time server
|
897 |
# Set the Internet time server
|
| 899 |
[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
|
898 |
[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
|
| 900 |
cat <<EOF > /etc/ntp/step-tickers
|
899 |
cat <<EOF > /etc/ntp/step-tickers
|
| 901 |
0.fr.pool.ntp.org # adapt to your country
|
900 |
0.fr.pool.ntp.org # adapt to your country
|
| Line 916... |
Line 915... |
| 916 |
disable monitor
|
915 |
disable monitor
|
| 917 |
EOF
|
916 |
EOF
|
| 918 |
chown -R ntp:ntp /var/lib/ntp
|
917 |
chown -R ntp:ntp /var/lib/ntp
|
| 919 |
# Synchronize now
|
918 |
# Synchronize now
|
| 920 |
ntpd -4 -q -g &
|
919 |
ntpd -4 -q -g &
|
| 921 |
} # End of time_server ()
|
920 |
} # End of time_server()
|
| 922 |
|
921 |
|
| 923 |
#####################################################################
|
922 |
#####################################################################
|
| 924 |
## Function "init_db" ##
|
923 |
## Function "init_db" ##
|
| 925 |
## - Mysql initialization ##
|
924 |
## - Mysql initialization ##
|
| 926 |
## - Set admin (root) password ##
|
925 |
## - Set admin (root) password ##
|
| 927 |
## - Remove unused users & databases ##
|
926 |
## - Remove unused users & databases ##
|
| 928 |
## - Radius database creation ##
|
927 |
## - Radius database creation ##
|
| 929 |
## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
|
928 |
## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
|
| 930 |
#####################################################################
|
929 |
#####################################################################
|
| 931 |
init_db ()
|
930 |
init_db()
|
| 932 |
{
|
931 |
{
|
| 933 |
if [ "`systemctl is-active mysqld`" == "active" ]
|
932 |
if [ "`systemctl is-active mysqld`" == "active" ]
|
| 934 |
then
|
933 |
then
|
| 935 |
systemctl stop mysqld
|
934 |
systemctl stop mysqld
|
| 936 |
fi
|
935 |
fi
|
| Line 939... |
Line 938... |
| 939 |
$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
|
938 |
$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
|
| 940 |
$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
|
939 |
$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
|
| 941 |
$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
|
940 |
$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
|
| 942 |
$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed
|
941 |
$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf # accentuated user names are allowed
|
| 943 |
[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
|
942 |
[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
|
| - |
|
943 |
[ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
|
| 944 |
/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
|
944 |
/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
|
| 945 |
/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
|
945 |
/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
|
| 946 |
/usr/bin/systemctl start mysqld
|
946 |
/usr/bin/systemctl start mysqld
|
| 947 |
nb_round=1
|
947 |
nb_round=1
|
| 948 |
while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
|
948 |
while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
|
| Line 955... |
Line 955... |
| 955 |
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
|
955 |
echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
|
| 956 |
exit
|
956 |
exit
|
| 957 |
fi
|
957 |
fi
|
| 958 |
# Secure the server
|
958 |
# Secure the server
|
| 959 |
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
|
959 |
/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
|
| 960 |
|
- |
|
| 961 |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
|
960 |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
|
| 962 |
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
|
961 |
$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
|
| 963 |
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
|
962 |
$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
|
| 964 |
# Create 'radius' database
|
963 |
# Create 'radius' database
|
| 965 |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
|
964 |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
|
| Line 969... |
Line 968... |
| 969 |
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
|
968 |
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
|
| 970 |
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
|
969 |
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
|
| 971 |
$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
|
970 |
$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
|
| 972 |
/usr/bin/systemctl unset-environment MYSQLD_OPTS
|
971 |
/usr/bin/systemctl unset-environment MYSQLD_OPTS
|
| 973 |
/usr/bin/systemctl daemon-reload
|
972 |
/usr/bin/systemctl daemon-reload
|
| 974 |
} # End of init_db ()
|
973 |
} # End of init_db()
|
| 975 |
|
974 |
|
| 976 |
###################################################################
|
975 |
###################################################################
|
| 977 |
## Function "freeradius" ##
|
976 |
## Function "freeradius" ##
|
| 978 |
## - Set the configuration files ##
|
977 |
## - Set the configuration files ##
|
| 979 |
## - Set the shared secret between coova-chilli and freeradius ##
|
978 |
## - Set the shared secret between coova-chilli and freeradius ##
|
| 980 |
## - Adapt the Mysql conf file and counters ##
|
979 |
## - Adapt the Mysql conf file and counters ##
|
| 981 |
###################################################################
|
980 |
###################################################################
|
| 982 |
freeradius ()
|
981 |
freeradius()
|
| 983 |
{
|
982 |
{
|
| 984 |
cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
|
983 |
cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
|
| 985 |
chown -R radius:radius /etc/raddb
|
984 |
chown -R radius:radius /etc/raddb
|
| 986 |
[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
|
985 |
[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
|
| 987 |
# Set radius global parameters (radius.conf)
|
986 |
# Set radius global parameters (radius.conf)
|
| Line 1047... |
Line 1046... |
| 1047 |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
|
1046 |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
|
| 1048 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
1047 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
| 1049 |
/usr/bin/systemctl daemon-reload
|
1048 |
/usr/bin/systemctl daemon-reload
|
| 1050 |
# Allow apache to change some conf files (ie : ldap on/off)
|
1049 |
# Allow apache to change some conf files (ie : ldap on/off)
|
| 1051 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1050 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
| 1052 |
} # End freeradius ()
|
1051 |
} # End of freeradius()
|
| 1053 |
|
1052 |
|
| 1054 |
#############################################################################
|
1053 |
#############################################################################
|
| 1055 |
## Function "chilli" ##
|
1054 |
## Function "chilli" ##
|
| 1056 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
1055 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
| 1057 |
## - Adapt the authentication web page (intercept.php) ##
|
1056 |
## - Adapt the authentication web page (intercept.php) ##
|
| 1058 |
#############################################################################
|
1057 |
#############################################################################
|
| 1059 |
chilli ()
|
1058 |
chilli()
|
| 1060 |
{
|
1059 |
{
|
| 1061 |
# chilli unit for systemd
|
1060 |
# chilli unit for systemd
|
| 1062 |
cat << EOF > /lib/systemd/system/chilli.service
|
1061 |
cat << EOF > /lib/systemd/system/chilli.service
|
| 1063 |
# This file is part of systemd.
|
1062 |
# This file is part of systemd.
|
| 1064 |
#
|
1063 |
#
|
| Line 1245... |
Line 1244... |
| 1245 |
then
|
1244 |
then
|
| 1246 |
userdel -r chilli 2>/dev/null
|
1245 |
userdel -r chilli 2>/dev/null
|
| 1247 |
fi
|
1246 |
fi
|
| 1248 |
groupadd -f chilli
|
1247 |
groupadd -f chilli
|
| 1249 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
1248 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
| 1250 |
} # End of chilli ()
|
1249 |
} # End of chilli()
|
| 1251 |
|
1250 |
|
| 1252 |
################################################################
|
1251 |
################################################################
|
| 1253 |
## Function "e2guardian" ##
|
1252 |
## Function "e2guardian" ##
|
| 1254 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1253 |
## - Set the parameters of this HTML proxy (as controler) ##
|
| 1255 |
################################################################
|
1254 |
################################################################
|
| 1256 |
e2guardian ()
|
1255 |
e2guardian()
|
| 1257 |
{
|
1256 |
{
|
| 1258 |
mkdir -p /var/e2guardian /var/log/e2guardian
|
1257 |
mkdir -p /var/e2guardian /var/log/e2guardian
|
| 1259 |
chown -R e2guardian /var/e2guardian /var/log/e2guardian
|
1258 |
chown -R e2guardian /var/e2guardian /var/log/e2guardian
|
| 1260 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
|
1259 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
|
| 1261 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
|
1260 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
|
| Line 1306... |
Line 1305... |
| 1306 |
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
|
1305 |
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
|
| 1307 |
touch $DIR_DG/lists/exceptioniplist
|
1306 |
touch $DIR_DG/lists/exceptioniplist
|
| 1308 |
# Keep a copy of URL & domain filter configuration files
|
1307 |
# Keep a copy of URL & domain filter configuration files
|
| 1309 |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
|
1308 |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
|
| 1310 |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
|
1309 |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
|
| 1311 |
} # End of e2guardian ()
|
1310 |
} # End of e2guardian()
|
| 1312 |
|
1311 |
|
| 1313 |
##################################################################
|
1312 |
##################################################################
|
| 1314 |
## Function "antivirus" ##
|
1313 |
## Function "antivirus" ##
|
| 1315 |
## - Set the parameters of havp, libclamav and freshclam ##
|
1314 |
## - Set the parameters of havp, libclamav and freshclam ##
|
| 1316 |
##################################################################
|
1315 |
##################################################################
|
| 1317 |
antivirus ()
|
1316 |
antivirus()
|
| 1318 |
{
|
1317 |
{
|
| 1319 |
# create 'havp' user
|
1318 |
# create 'havp' user
|
| 1320 |
havp_exist=`grep -c ^havp: /etc/passwd`
|
1319 |
havp_exist=`grep -c ^havp: /etc/passwd`
|
| 1321 |
if [ "$havp_exist" == "1" ]
|
1320 |
if [ "$havp_exist" == "1" ]
|
| 1322 |
then
|
1321 |
then
|
| Line 1360... |
Line 1359... |
| 1360 |
$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
|
1359 |
$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
|
| 1361 |
$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
|
1360 |
$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
|
| 1362 |
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
|
1361 |
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
|
| 1363 |
# update now
|
1362 |
# update now
|
| 1364 |
/usr/bin/freshclam --no-warnings
|
1363 |
/usr/bin/freshclam --no-warnings
|
| 1365 |
} # End of antivirus ()
|
1364 |
} # End of antivirus()
|
| 1366 |
|
1365 |
|
| 1367 |
################################################################################
|
1366 |
################################################################################
|
| 1368 |
## Function "tinyproxy" ##
|
1367 |
## Function "tinyproxy" ##
|
| 1369 |
## - Set the parameters of tinyproxy (proxy between filtered users and havp) ##
|
1368 |
## - Set the parameters of tinyproxy (proxy between filtered users and havp) ##
|
| 1370 |
################################################################################
|
1369 |
################################################################################
|
| 1371 |
tinyproxy ()
|
1370 |
tinyproxy()
|
| 1372 |
{
|
1371 |
{
|
| 1373 |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
|
1372 |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
|
| 1374 |
if [ "$tinyproxy_exist" == "1" ]
|
1373 |
if [ "$tinyproxy_exist" == "1" ]
|
| 1375 |
then
|
1374 |
then
|
| 1376 |
userdel -r tinyproxy 2>/dev/null
|
1375 |
userdel -r tinyproxy 2>/dev/null
|
| Line 1415... |
Line 1414... |
| 1415 |
|
1414 |
|
| 1416 |
[Install]
|
1415 |
[Install]
|
| 1417 |
WantedBy=multi-user.target
|
1416 |
WantedBy=multi-user.target
|
| 1418 |
EOF
|
1417 |
EOF
|
| 1419 |
|
1418 |
|
| 1420 |
} # end of tinyproxy
|
1419 |
} # end of tinyproxy()
|
| - |
|
1420 |
|
| 1421 |
##############################################################################
|
1421 |
##############################################################
|
| 1422 |
## function "ulogd" ##
|
1422 |
## function "ulogd" ##
|
| 1423 |
## - Ulog config for multi-log files ##
|
1423 |
## - Ulog config for multi-log files ##
|
| 1424 |
##############################################################################
|
1424 |
##############################################################
|
| 1425 |
ulogd ()
|
1425 |
ulogd()
|
| 1426 |
{
|
1426 |
{
|
| 1427 |
# Three instances of ulogd (three different logfiles)
|
1427 |
# Three instances of ulogd (three different logfiles)
|
| 1428 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
1428 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
| 1429 |
nl=1
|
1429 |
nl=1
|
| 1430 |
for log_type in traceability ssh ext-access
|
1430 |
for log_type in traceability ssh ext-access
|
| Line 1442... |
Line 1442... |
| 1442 |
nl=`expr $nl + 1`
|
1442 |
nl=`expr $nl + 1`
|
| 1443 |
done
|
1443 |
done
|
| 1444 |
chown -R root:apache /var/log/firewall
|
1444 |
chown -R root:apache /var/log/firewall
|
| 1445 |
chmod 750 /var/log/firewall
|
1445 |
chmod 750 /var/log/firewall
|
| 1446 |
chmod 640 /var/log/firewall/*
|
1446 |
chmod 640 /var/log/firewall/*
|
| 1447 |
} # End of ulogd ()
|
1447 |
} # End of ulogd()
|
| 1448 |
|
- |
|
| 1449 |
|
1448 |
|
| 1450 |
##########################################################
|
1449 |
##########################################################
|
| 1451 |
## Function "nfsen" ##
|
1450 |
## Function "nfsen" ##
|
| 1452 |
## - install the nfsen grapher ##
|
1451 |
## - install the nfsen grapher ##
|
| 1453 |
## - install the two plugins porttracker & surfmap ##
|
1452 |
## - install the two plugins porttracker & surfmap ##
|
| Line 1510... |
Line 1509... |
| 1510 |
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
|
1509 |
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
|
| 1511 |
# cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
|
1510 |
# cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
|
| 1512 |
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
|
1511 |
# cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
|
| 1513 |
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
|
1512 |
# tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
|
| 1514 |
# cd /tmp/
|
1513 |
# cd /tmp/
|
| 1515 |
# /usr/bin/sh SURFmap/install.sh
|
1514 |
# /usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
|
| 1516 |
# clear the installation
|
1515 |
# clear the installation
|
| 1517 |
# rm -rf /tmp/SURFmap*
|
1516 |
# rm -rf /tmp/SURFmap*
|
| 1518 |
rm -rf /tmp/nfsen-*
|
1517 |
rm -rf /tmp/nfsen-*
|
| 1519 |
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
|
1518 |
cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
|
| 1520 |
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
|
1519 |
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
|
| 1521 |
} # End of nfsen ()
|
1520 |
} # End of nfsen()
|
| 1522 |
|
1521 |
|
| 1523 |
###########################################################
|
1522 |
###########################################################
|
| 1524 |
## Function "vnstat" ##
|
1523 |
## Function "vnstat" ##
|
| 1525 |
## - Initialization of Vnstat and vnstat phpFrontEnd ##
|
1524 |
## - Initialization of Vnstat and vnstat phpFrontEnd ##
|
| 1526 |
###########################################################
|
1525 |
###########################################################
|
| 1527 |
vnstat ()
|
1526 |
vnstat()
|
| 1528 |
{
|
1527 |
{
|
| 1529 |
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
|
1528 |
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
|
| 1530 |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
|
1529 |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
|
| 1531 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
1530 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
| 1532 |
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
|
1531 |
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
|
| 1533 |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
|
1532 |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
|
| 1534 |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
|
1533 |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
|
| 1535 |
/usr/bin/vnstat -i $EXTIF -u --force
|
1534 |
/usr/bin/vnstat -i $EXTIF -u --force
|
| 1536 |
} # End of vnstat
|
1535 |
} # End of vnstat()
|
| 1537 |
|
1536 |
|
| 1538 |
##################################################################
|
1537 |
###################################################################
|
| 1539 |
## Function "dnsmasq" ##
|
1538 |
## Function "dnsmasq" ##
|
| 1540 |
## - creation of the conf files of the 4 intances of dnsmasq ##
|
1539 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
| 1541 |
## - creation of the file managing domain name (local & remote) ##
|
- |
|
| 1542 |
##################################################################
|
1540 |
###################################################################
|
| 1543 |
dnsmasq ()
|
1541 |
dnsmasq()
|
| 1544 |
{
|
1542 |
{
|
| 1545 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1543 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
| 1546 |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
|
1544 |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
|
| 1547 |
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
|
1545 |
# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
|
| 1548 |
cat << EOF > /etc/dnsmasq-whitelist.conf
|
1546 |
cat << EOF > /etc/dnsmasq-whitelist.conf
|
| 1549 |
# Configuration file for "dnsmasq with whitelist"
|
1547 |
# Configuration file for "dnsmasq with whitelist"
|
| 1550 |
# ADD Toulouse university whitelist domains
|
1548 |
# ADD Toulouse university whitelist domains
|
| 1551 |
pid-file=/var/run/dnsmasq-whitelist.pid
|
1549 |
pid-file=/var/run/dnsmasq-whitelist.pid
|
| 1552 |
listen-address=127.0.0.1
|
1550 |
listen-address=127.0.0.1
|
| Line 1560... |
Line 1558... |
| 1560 |
filterwin2k
|
1558 |
filterwin2k
|
| 1561 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1559 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
| 1562 |
server=$DNS1
|
1560 |
server=$DNS1
|
| 1563 |
server=$DNS2
|
1561 |
server=$DNS2
|
| 1564 |
EOF
|
1562 |
EOF
|
| 1565 |
|
- |
|
| 1566 |
# Create dnsmasq-whitelist unit
|
1563 |
# Create dnsmasq-whitelist unit
|
| 1567 |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
|
1564 |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
|
| 1568 |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
|
1565 |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
|
| 1569 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1566 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
| 1570 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1567 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
|
| 1571 |
} # End dnsmasq
|
1568 |
} # End of dnsmasq()
|
| 1572 |
|
1569 |
|
| 1573 |
##################################################
|
1570 |
#########################################################
|
| 1574 |
## Function "unbound" ##
|
1571 |
## Function "unbound" ##
|
| - |
|
1572 |
## - create the conf files for 4 unbound services ##
|
| - |
|
1573 |
## - create the systemd files for 4 unbound services ##
|
| 1575 |
##################################################
|
1574 |
#########################################################
|
| 1576 |
unbound ()
|
1575 |
unbound ()
|
| 1577 |
{
|
1576 |
{
|
| 1578 |
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
|
1577 |
[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
|
| 1579 |
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
|
1578 |
[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
|
| 1580 |
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
|
1579 |
[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
|
| Line 1583... |
Line 1582... |
| 1583 |
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
|
1582 |
[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
|
| 1584 |
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
|
1583 |
[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
|
| 1585 |
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
|
1584 |
[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
|
| 1586 |
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
|
1585 |
[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
|
| 1587 |
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
|
1586 |
[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
|
| 1588 |
|
- |
|
| 1589 |
# Local static DNS configuration
|
1587 |
# Local static DNS configuration
|
| 1590 |
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
|
1588 |
[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
|
| 1591 |
|
1589 |
|
| 1592 |
# Forward zone configuration file for all unbound dns servers
|
1590 |
# Forward zone configuration file for all unbound dns servers
|
| 1593 |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
|
1591 |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
|
| 1594 |
forward-zone:
|
1592 |
forward-zone:
|
| 1595 |
name: "."
|
1593 |
name: "."
|
| 1596 |
forward-addr: $DNS1
|
1594 |
forward-addr: $DNS1
|
| 1597 |
forward-addr: $DNS2
|
1595 |
forward-addr: $DNS2
|
| 1598 |
EOF
|
1596 |
EOF
|
| 1599 |
|
1597 |
|
| 1600 |
# Custom configuration file for manual DNS configuration
|
1598 |
# Custom configuration file for manual DNS configuration
|
| 1601 |
cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
|
1599 |
cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
|
| 1602 |
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
|
1600 |
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
|
| 1603 |
## Add one block for each domain name managed by an other DNS server
|
1601 |
## Add one block for each domain name managed by an other DNS server
|
| 1604 |
##
|
1602 |
##
|
| 1605 |
## Example:
|
1603 |
## Example:
|
| Line 1611... |
Line 1609... |
| 1611 |
## forward-addr: <@IP_domain_server>
|
1609 |
## forward-addr: <@IP_domain_server>
|
| 1612 |
##
|
1610 |
##
|
| 1613 |
## INFO : local hostnames are resolved in /etc/hosts file
|
1611 |
## INFO : local hostnames are resolved in /etc/hosts file
|
| 1614 |
EOF
|
1612 |
EOF
|
| 1615 |
|
1613 |
|
| 1616 |
# Configuration file of ALCASAR main domains for $INTIF
|
1614 |
# Configuration file of ALCASAR main domains for $INTIF
|
| 1617 |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
|
1615 |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
|
| 1618 |
server:
|
1616 |
server:
|
| 1619 |
local-zone: "$HOSTNAME.$DOMAIN" static
|
1617 |
local-zone: "$HOSTNAME.$DOMAIN" static
|
| 1620 |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
|
1618 |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
|
| 1621 |
local-zone: "$HOSTNAME" static
|
1619 |
local-zone: "$HOSTNAME" static
|
| 1622 |
local-data: "$HOSTNAME A $PRIVATE_IP"
|
1620 |
local-data: "$HOSTNAME A $PRIVATE_IP"
|
| 1623 |
local-zone: "$DOMAIN." static
|
1621 |
local-zone: "$DOMAIN." static
|
| 1624 |
local-data: "$DOMAIN. A"
|
1622 |
local-data: "$DOMAIN. A"
|
| 1625 |
EOF
|
1623 |
EOF
|
| 1626 |
|
1624 |
|
| 1627 |
# Configuration file for lo of forward unbound
|
1625 |
# Configuration file for lo of forward unbound
|
| 1628 |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
|
1626 |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
|
| 1629 |
server:
|
1627 |
server:
|
| 1630 |
interface: 127.0.0.1@53
|
1628 |
interface: 127.0.0.1@53
|
| 1631 |
access-control-view: 127.0.0.1/8 lo
|
1629 |
access-control-view: 127.0.0.1/8 lo
|
| 1632 |
|
1630 |
|
| Line 1637... |
Line 1635... |
| 1637 |
local-zone: "$HOSTNAME" static
|
1635 |
local-zone: "$HOSTNAME" static
|
| 1638 |
local-data: "$HOSTNAME A 127.0.0.1"
|
1636 |
local-data: "$HOSTNAME A 127.0.0.1"
|
| 1639 |
view-first: yes
|
1637 |
view-first: yes
|
| 1640 |
EOF
|
1638 |
EOF
|
| 1641 |
|
1639 |
|
| 1642 |
# Configuration file for $INTIF of forward unbound
|
1640 |
# Configuration file for $INTIF of forward unbound
|
| 1643 |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
|
1641 |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
|
| 1644 |
server:
|
1642 |
server:
|
| 1645 |
interface: ${PRIVATE_IP}@53
|
1643 |
interface: ${PRIVATE_IP}@53
|
| 1646 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
|
1644 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
|
| 1647 |
|
1645 |
|
| Line 1652... |
Line 1650... |
| 1652 |
local-zone: "$HOSTNAME" static
|
1650 |
local-zone: "$HOSTNAME" static
|
| 1653 |
local-data: "$HOSTNAME A $PRIVATE_IP"
|
1651 |
local-data: "$HOSTNAME A $PRIVATE_IP"
|
| 1654 |
view-first: yes
|
1652 |
view-first: yes
|
| 1655 |
EOF
|
1653 |
EOF
|
| 1656 |
|
1654 |
|
| 1657 |
# Configuration file for forward unbound
|
1655 |
# Configuration file for forward unbound
|
| 1658 |
cat << EOF > /etc/unbound/unbound.conf
|
1656 |
cat << EOF > /etc/unbound/unbound.conf
|
| 1659 |
server:
|
1657 |
server:
|
| 1660 |
verbosity: 1
|
1658 |
verbosity: 1
|
| 1661 |
hide-version: yes
|
1659 |
hide-version: yes
|
| 1662 |
hide-identity: yes
|
1660 |
hide-identity: yes
|
| 1663 |
do-ip6: no
|
1661 |
do-ip6: no
|
| 1664 |
|
- |
|
| 1665 |
include: /etc/unbound/conf.d/common/forward-zone.conf
|
1662 |
include: /etc/unbound/conf.d/common/forward-zone.conf
|
| 1666 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1663 |
include: /etc/unbound/conf.d/common/local-forward/*
|
| 1667 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1664 |
include: /etc/unbound/conf.d/common/local-dns/*
|
| 1668 |
include: /etc/unbound/conf.d/forward/*
|
1665 |
include: /etc/unbound/conf.d/forward/*
|
| 1669 |
EOF
|
1666 |
EOF
|
| 1670 |
|
1667 |
|
| 1671 |
# Configuration file for $INTIF of blacklist unbound
|
1668 |
# Configuration file for $INTIF of blacklist unbound
|
| 1672 |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
|
1669 |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
|
| 1673 |
server:
|
1670 |
server:
|
| 1674 |
interface: ${PRIVATE_IP}@54
|
1671 |
interface: ${PRIVATE_IP}@54
|
| 1675 |
access-control: $PRIVATE_IP_MASK allow
|
1672 |
access-control: $PRIVATE_IP_MASK allow
|
| 1676 |
access-control-tag: $PRIVATE_IP_MASK "blacklist"
|
1673 |
access-control-tag: $PRIVATE_IP_MASK "blacklist"
|
| 1677 |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
|
1674 |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
|
| 1678 |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
|
1675 |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
|
| 1679 |
EOF
|
1676 |
EOF
|
| 1680 |
|
1677 |
|
| 1681 |
# Configuration file for blacklist unbound
|
1678 |
# Configuration file for blacklist unbound
|
| 1682 |
cat << EOF > /etc/unbound/unbound-blacklist.conf
|
1679 |
cat << EOF > /etc/unbound/unbound-blacklist.conf
|
| 1683 |
server:
|
1680 |
server:
|
| 1684 |
verbosity: 1
|
1681 |
verbosity: 1
|
| 1685 |
hide-version: yes
|
1682 |
hide-version: yes
|
| 1686 |
hide-identity: yes
|
1683 |
hide-identity: yes
|
| 1687 |
do-ip6: no
|
1684 |
do-ip6: no
|
| 1688 |
logfile: "/var/log/unbound/unbound-blacklist.log"
|
1685 |
logfile: "/var/log/unbound/unbound-blacklist.log"
|
| 1689 |
chroot: ""
|
1686 |
chroot: ""
|
| 1690 |
define-tag: "blacklist"
|
1687 |
define-tag: "blacklist"
|
| 1691 |
log-local-actions: yes
|
1688 |
log-local-actions: yes
|
| 1692 |
|
- |
|
| 1693 |
include: /etc/unbound/conf.d/common/forward-zone.conf
|
1689 |
include: /etc/unbound/conf.d/common/forward-zone.conf
|
| 1694 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1690 |
include: /etc/unbound/conf.d/common/local-forward/*
|
| 1695 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1691 |
include: /etc/unbound/conf.d/common/local-dns/*
|
| 1696 |
include: /etc/unbound/conf.d/blacklist/*
|
1692 |
include: /etc/unbound/conf.d/blacklist/*
|
| 1697 |
|
- |
|
| 1698 |
include: /usr/local/share/unbound-bl-enabled/*
|
1693 |
include: /usr/local/share/unbound-bl-enabled/*
|
| 1699 |
EOF
|
1694 |
EOF
|
| 1700 |
|
1695 |
|
| 1701 |
# Configuration file for $INTIF of whitelist unbound
|
1696 |
# Configuration file for $INTIF of whitelist unbound
|
| 1702 |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
|
1697 |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
|
| 1703 |
server:
|
1698 |
server:
|
| 1704 |
interface: ${PRIVATE_IP}@55
|
1699 |
interface: ${PRIVATE_IP}@55
|
| 1705 |
access-control: $PRIVATE_IP_MASK allow
|
1700 |
access-control: $PRIVATE_IP_MASK allow
|
| 1706 |
access-control-tag: $PRIVATE_IP_MASK "whitelist"
|
1701 |
access-control-tag: $PRIVATE_IP_MASK "whitelist"
|
| 1707 |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
|
1702 |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
|
| 1708 |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
|
1703 |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
|
| 1709 |
EOF
|
1704 |
EOF
|
| 1710 |
|
1705 |
|
| 1711 |
# Configuration file for whitelist unbound
|
1706 |
# Configuration file for whitelist unbound
|
| 1712 |
cat << EOF > /etc/unbound/unbound-whitelist.conf
|
1707 |
cat << EOF > /etc/unbound/unbound-whitelist.conf
|
| 1713 |
server:
|
1708 |
server:
|
| 1714 |
verbosity: 1
|
1709 |
verbosity: 1
|
| 1715 |
hide-version: yes
|
1710 |
hide-version: yes
|
| 1716 |
hide-identity: yes
|
1711 |
hide-identity: yes
|
| 1717 |
do-ip6: no
|
1712 |
do-ip6: no
|
| 1718 |
do-not-query-localhost: no
|
1713 |
do-not-query-localhost: no
|
| 1719 |
define-tag: "whitelist"
|
1714 |
define-tag: "whitelist"
|
| 1720 |
|
- |
|
| 1721 |
local-zone: "." transparent
|
1715 |
local-zone: "." transparent
|
| 1722 |
local-zone-tag: "." "whitelist"
|
1716 |
local-zone-tag: "." "whitelist"
|
| 1723 |
|
- |
|
| 1724 |
include: /usr/local/share/unbound-wl-enabled/*
|
1717 |
include: /usr/local/share/unbound-wl-enabled/*
|
| 1725 |
include: /etc/unbound/conf.d/whitelist/*
|
1718 |
include: /etc/unbound/conf.d/whitelist/*
|
| 1726 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1719 |
include: /etc/unbound/conf.d/common/local-dns/*
|
| 1727 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1720 |
include: /etc/unbound/conf.d/common/local-forward/*
|
| 1728 |
|
- |
|
| 1729 |
forward-zone:
|
1721 |
forward-zone:
|
| 1730 |
name: "."
|
1722 |
name: "."
|
| 1731 |
forward-addr: 127.0.0.1@55
|
1723 |
forward-addr: 127.0.0.1@55
|
| 1732 |
EOF
|
1724 |
EOF
|
| 1733 |
|
1725 |
|
| 1734 |
# Configuration file for $INTIF of blackhole unbound
|
1726 |
# Configuration file for $INTIF of blackhole unbound
|
| 1735 |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
|
1727 |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
|
| 1736 |
server:
|
1728 |
server:
|
| 1737 |
interface: ${PRIVATE_IP}@56
|
1729 |
interface: ${PRIVATE_IP}@56
|
| 1738 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
|
1730 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF
|
| 1739 |
|
1731 |
|
| Line 1741... |
Line 1733... |
| 1741 |
name: "$INTIF"
|
1733 |
name: "$INTIF"
|
| 1742 |
local-zone: "." redirect
|
1734 |
local-zone: "." redirect
|
| 1743 |
local-data: ". A $PRIVATE_IP"
|
1735 |
local-data: ". A $PRIVATE_IP"
|
| 1744 |
EOF
|
1736 |
EOF
|
| 1745 |
|
1737 |
|
| 1746 |
# Configuration file for blackhole unbound
|
1738 |
# Configuration file for blackhole unbound
|
| 1747 |
cat << EOF > /etc/unbound/unbound-blackhole.conf
|
1739 |
cat << EOF > /etc/unbound/unbound-blackhole.conf
|
| 1748 |
server:
|
1740 |
server:
|
| 1749 |
verbosity: 1
|
1741 |
verbosity: 1
|
| 1750 |
hide-version: yes
|
1742 |
hide-version: yes
|
| 1751 |
hide-identity: yes
|
1743 |
hide-identity: yes
|
| 1752 |
do-ip6: no
|
1744 |
do-ip6: no
|
| 1753 |
|
- |
|
| 1754 |
include: /etc/unbound/conf.d/blackhole/*
|
1745 |
include: /etc/unbound/conf.d/blackhole/*
|
| 1755 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1746 |
include: /etc/unbound/conf.d/common/local-dns/*
|
| 1756 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1747 |
include: /etc/unbound/conf.d/common/local-forward/*
|
| 1757 |
EOF
|
1748 |
EOF
|
| 1758 |
|
1749 |
|
| Line 1760... |
Line 1751... |
| 1760 |
then
|
1751 |
then
|
| 1761 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
|
1752 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
|
| 1762 |
fi
|
1753 |
fi
|
| 1763 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
|
1754 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
|
| 1764 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
|
1755 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
|
| 1765 |
|
- |
|
| 1766 |
for list in blacklist blackhole whitelist
|
1756 |
for list in blacklist blackhole whitelist
|
| 1767 |
do
|
1757 |
do
|
| 1768 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
|
1758 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
|
| 1769 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
|
1759 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
|
| 1770 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
|
1760 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
|
| 1771 |
done
|
1761 |
done
|
| 1772 |
|
- |
|
| 1773 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
|
1762 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
|
| 1774 |
} # End unbound
|
1763 |
} # End of unbound()
|
| 1775 |
|
1764 |
|
| 1776 |
##################################################
|
1765 |
##################################################
|
| 1777 |
## Function "dhcpd" ##
|
1766 |
## Function "dhcpd" ##
|
| 1778 |
##################################################
|
1767 |
##################################################
|
| 1779 |
dhcpd ()
|
1768 |
dhcpd()
|
| 1780 |
{
|
1769 |
{
|
| 1781 |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
|
1770 |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
|
| 1782 |
|
- |
|
| 1783 |
cat <<EOF > /etc/dhcpd.conf
|
1771 |
cat <<EOF > /etc/dhcpd.conf
|
| 1784 |
ddns-update-style none;
|
1772 |
ddns-update-style none;
|
| 1785 |
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
|
1773 |
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
|
| 1786 |
option routers $PRIVATE_IP;
|
1774 |
option routers $PRIVATE_IP;
|
| 1787 |
option subnet-mask $PRIVATE_NETMASK;
|
1775 |
option subnet-mask $PRIVATE_NETMASK;
|
| 1788 |
option domain-name-servers $PRIVATE_IP;
|
1776 |
option domain-name-servers $PRIVATE_IP;
|
| 1789 |
|
- |
|
| 1790 |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
|
1777 |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
|
| 1791 |
default-lease-time 21600;
|
1778 |
default-lease-time 21600;
|
| 1792 |
max-lease-time 43200;
|
1779 |
max-lease-time 43200;
|
| 1793 |
}
|
1780 |
}
|
| 1794 |
EOF
|
1781 |
EOF
|
| 1795 |
}
|
1782 |
} # End of dhcpd()
|
| 1796 |
|
1783 |
|
| 1797 |
##########################################################
|
1784 |
##########################################################
|
| 1798 |
## Function "BL" ##
|
1785 |
## Function "BL" ##
|
| 1799 |
## - copy Toulouse BL ##
|
1786 |
## - copy Toulouse BL ##
|
| 1800 |
## - adapt this BL to ALCASAR architecture ##
|
1787 |
## - adapt this BL to ALCASAR architecture ##
|
| 1801 |
## - domain names for unbound-bl & unbound-wl ##
|
1788 |
## - domain names for unbound-bl & unbound-wl ##
|
| 1802 |
## - URLs for E²guardian ##
|
1789 |
## - URLs for E²guardian ##
|
| 1803 |
## - IPs for NetFilter ##
|
1790 |
## - IPs for NetFilter ##
|
| 1804 |
##########################################################
|
1791 |
##########################################################
|
| 1805 |
BL ()
|
1792 |
BL()
|
| 1806 |
{
|
1793 |
{
|
| 1807 |
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
|
1794 |
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
|
| 1808 |
rm -rf $DIR_DG/lists/blacklists
|
1795 |
rm -rf $DIR_DG/lists/blacklists
|
| 1809 |
mkdir -p /tmp/blacklists
|
1796 |
mkdir -p /tmp/blacklists
|
| 1810 |
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
|
1797 |
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
|
| Line 1855... |
Line 1842... |
| 1855 |
# adapt the Toulouse BL to ALCASAR architecture
|
1842 |
# adapt the Toulouse BL to ALCASAR architecture
|
| 1856 |
$DIR_DEST_BIN/alcasar-bl.sh --adapt
|
1843 |
$DIR_DEST_BIN/alcasar-bl.sh --adapt
|
| 1857 |
# enable the default categories
|
1844 |
# enable the default categories
|
| 1858 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
|
1845 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
|
| 1859 |
rm -rf /tmp/blacklists
|
1846 |
rm -rf /tmp/blacklists
|
| 1860 |
} # End BL()
|
1847 |
} # End of BL()
|
| 1861 |
|
1848 |
|
| 1862 |
#######################################################
|
1849 |
#######################################################
|
| 1863 |
## Function "cron" ##
|
1850 |
## Function "cron" ##
|
| 1864 |
## - write all cron & anacron files ##
|
1851 |
## - write all cron & anacron files ##
|
| 1865 |
#######################################################
|
1852 |
#######################################################
|
| 1866 |
cron ()
|
1853 |
cron()
|
| 1867 |
{
|
1854 |
{
|
| 1868 |
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
|
1855 |
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
|
| 1869 |
[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
|
1856 |
[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
|
| 1870 |
cat <<EOF > /etc/crontab
|
1857 |
cat <<EOF > /etc/crontab
|
| 1871 |
SHELL=/usr/bin/bash
|
1858 |
SHELL=/usr/bin/bash
|
| Line 1937... |
Line 1924... |
| 1937 |
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
|
1924 |
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
|
| 1938 |
EOF
|
1925 |
EOF
|
| 1939 |
|
1926 |
|
| 1940 |
# removing the users crons
|
1927 |
# removing the users crons
|
| 1941 |
rm -f /var/spool/cron/*
|
1928 |
rm -f /var/spool/cron/*
|
| 1942 |
} # End cron()
|
1929 |
} # End of cron()
|
| 1943 |
|
1930 |
|
| 1944 |
######################################################################
|
1931 |
######################################################################
|
| 1945 |
## Fonction "Fail2Ban" ##
|
1932 |
## Fonction "Fail2Ban" ##
|
| 1946 |
##- Adapt conf file to ALCASAR ##
|
1933 |
##- Adapt conf file to ALCASAR ##
|
| 1947 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
|
1934 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
|
| Line 1958... |
Line 1945... |
| 1958 |
# fail2ban unit
|
1945 |
# fail2ban unit
|
| 1959 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
1946 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
| 1960 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
1947 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
| 1961 |
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
1948 |
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
| 1962 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
|
1949 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
|
| 1963 |
} # End fail2ban()
|
1950 |
} # End of fail2ban()
|
| 1964 |
|
1951 |
|
| 1965 |
#########################################################
|
1952 |
#########################################################
|
| 1966 |
## Fonction "gammu_smsd" ##
|
1953 |
## Fonction "gammu_smsd" ##
|
| 1967 |
## - Creating of SMS management database ##
|
1954 |
## - Creating of SMS management database ##
|
| 1968 |
## - Write the gammu a gammu_smsd conf files ##
|
1955 |
## - Write the gammu a gammu_smsd conf files ##
|
| Line 2047... |
Line 2034... |
| 2047 |
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
|
2034 |
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
|
| 2048 |
#EOF
|
2035 |
#EOF
|
| 2049 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
|
2036 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
|
| 2050 |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
|
2037 |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
|
| 2051 |
|
2038 |
|
| 2052 |
} # End gammu_smsd()
|
2039 |
} # End of gammu_smsd()
|
| 2053 |
|
2040 |
|
| 2054 |
############################################################
|
2041 |
############################################################
|
| 2055 |
## Fonction "msec" ##
|
2042 |
## Fonction "msec" ##
|
| 2056 |
## - Apply the "fileserver" security level ##
|
2043 |
## - Apply the "fileserver" security level ##
|
| 2057 |
## - remove the "system request" for rebboting ##
|
2044 |
## - remove the "system request" for rebboting ##
|
| Line 2082... |
Line 2069... |
| 2082 |
EOF
|
2069 |
EOF
|
| 2083 |
# apply now hourly & daily checks
|
2070 |
# apply now hourly & daily checks
|
| 2084 |
/usr/sbin/msec
|
2071 |
/usr/sbin/msec
|
| 2085 |
/etc/cron.weekly/msec
|
2072 |
/etc/cron.weekly/msec
|
| 2086 |
|
2073 |
|
| 2087 |
} # End msec()
|
2074 |
} # End of msec()
|
| 2088 |
|
- |
|
| 2089 |
|
2075 |
|
| 2090 |
##################################################################
|
2076 |
##################################################################
|
| 2091 |
## Fonction "letsencrypt" ##
|
2077 |
## Fonction "letsencrypt" ##
|
| 2092 |
## - Install Let's Encrypt client ##
|
2078 |
## - Install Let's Encrypt client ##
|
| 2093 |
## - Prepare Let's Encrypt ALCASAR configuration file ##
|
2079 |
## - Prepare Let's Encrypt ALCASAR configuration file ##
|
| Line 2136... |
Line 2122... |
| 2136 |
EOF
|
2122 |
EOF
|
| 2137 |
|
2123 |
|
| 2138 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
|
2124 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
|
| 2139 |
rm -rf /tmp/acme.sh-*
|
2125 |
rm -rf /tmp/acme.sh-*
|
| 2140 |
|
2126 |
|
| 2141 |
} # END letsencrypt()
|
2127 |
} # End of letsencrypt()
|
| 2142 |
|
2128 |
|
| 2143 |
##################################################################
|
2129 |
##################################################################
|
| 2144 |
## Fonction "post_install" ##
|
2130 |
## Fonction "post_install" ##
|
| 2145 |
## - Modifying banners (locals et ssh) & prompts ##
|
2131 |
## - Modifying banners (locals et ssh) & prompts ##
|
| 2146 |
## - SSH config ##
|
2132 |
## - SSH config ##
|
| Line 2350... |
Line 2336... |
| 2350 |
then
|
2336 |
then
|
| 2351 |
read
|
2337 |
read
|
| 2352 |
fi
|
2338 |
fi
|
| 2353 |
clear
|
2339 |
clear
|
| 2354 |
reboot
|
2340 |
reboot
|
| 2355 |
} # End post_install ()
|
2341 |
} # End of post_install()
|
| 2356 |
|
2342 |
|
| 2357 |
#####################################################################################
|
2343 |
#####################################################################################
|
| 2358 |
# Main Install loop #
|
2344 |
# Main Install loop #
|
| 2359 |
#####################################################################################
|
2345 |
#####################################################################################
|
| 2360 |
dir_exec=`dirname "$0"`
|
2346 |
dir_exec=`dirname "$0"`
|
| Line 2384... |
Line 2370... |
| 2384 |
-\? | -h* | --h*)
|
2370 |
-\? | -h* | --h*)
|
| 2385 |
echo "$usage"
|
2371 |
echo "$usage"
|
| 2386 |
exit 0
|
2372 |
exit 0
|
| 2387 |
;;
|
2373 |
;;
|
| 2388 |
-i | --install)
|
2374 |
-i | --install)
|
| - |
|
2375 |
for func in license testing
|
| - |
|
2376 |
do
|
| 2389 |
header_install
|
2377 |
header_install
|
| - |
|
2378 |
$func
|
| - |
|
2379 |
if [ $DEBUG_ALCASAR == "on" ]
|
| 2390 |
license
|
2380 |
then
|
| - |
|
2381 |
echo "*** 'debug' : end of install '$func' ***"
|
| 2391 |
header_install
|
2382 |
read
|
| - |
|
2383 |
fi
|
| 2392 |
testing
|
2384 |
done
|
| 2393 |
# RPMs install
|
2385 |
# RPMs install
|
| 2394 |
$DIR_SCRIPTS/alcasar-urpmi.sh
|
2386 |
$DIR_SCRIPTS/alcasar-urpmi.sh
|
| 2395 |
if [ "$?" != "0" ]
|
2387 |
if [ "$?" != "0" ]
|
| 2396 |
then
|
2388 |
then
|
| 2397 |
exit 0
|
2389 |
exit 0
|