Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 2981 2021-07-23 14:37:14Z rexy $
|
2 |
# $Id: alcasar.sh 2990 2022-02-21 23:20:55Z rexy $
|
3 |
|
3 |
|
4 |
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
4 |
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
|
5 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
|
6 |
# contact : info@alcasar.net
|
6 |
# contact : info@alcasar.net
|
7 |
|
7 |
|
Line 10... |
Line 10... |
10 |
|
10 |
|
11 |
# Options :
|
11 |
# Options :
|
12 |
# -i or --install
|
12 |
# -i or --install
|
13 |
# -u or --uninstall
|
13 |
# -u or --uninstall
|
14 |
# Functions :
|
14 |
# Functions :
|
15 |
# testing : connectivity tests, free space test and mageia version test
|
15 |
# system_testing : Free space test and mageia version test
|
- |
|
16 |
# network_testing : Internet connectivity tests
|
16 |
# init : Installation of RPM and scripts
|
17 |
# init : Installation of RPM and scripts
|
17 |
# network : Network parameters
|
18 |
# network : Network parameters
|
18 |
# ACC : ALCASAR Control Center installation
|
19 |
# ACC : ALCASAR Control Center installation
|
19 |
# CA : Certification Authority initialization
|
20 |
# CA : Certification Authority initialization
|
20 |
# time_server : NTPd configuration
|
21 |
# time_server : NTPd configuration
|
21 |
# init_db : Initilization of radius database managed with MariaDB
|
22 |
# init_db : Initilization of radius database managed with MariaDB
|
22 |
# freeradius : FreeRadius initialisation
|
23 |
# freeradius : FreeRadius initialisation
|
23 |
# chilli : coovachilli initialisation (+authentication page)
|
24 |
# chilli : Coovachilli initialisation (+authentication page)
|
24 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
25 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
25 |
# antivirus : clamav & freshclam configuration
|
26 |
# antivirus : Clamav & freshclam configuration
|
26 |
# ulogd : log system in userland (match NFLOG target of iptables)
|
27 |
# ulogd : Log system in userland (match NFLOG target of iptables)
|
27 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
28 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
28 |
# unbound : Name server configuration
|
29 |
# unbound : Name server configuration
|
29 |
# dnsmasq : Name server configuration (for whitelist ipset support)
|
30 |
# dnsmasq : Name server configuration (for whitelist ipset support)
|
30 |
# vnstat : little network stat daemon
|
31 |
# vnstat : Little network stat daemon
|
31 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
|
32 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
|
32 |
# cron : Logs export + watchdog + connexion statistics
|
33 |
# cron : Logs export + watchdog + connexion statistics
|
33 |
# fail2ban : Fail2ban IDS installation and configuration
|
34 |
# fail2ban : Fail2ban IDS installation and configuration
|
34 |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
|
35 |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
|
35 |
# msec : Mageia security package configuration
|
36 |
# msec : Mageia security package configuration
|
36 |
# letsencrypt : Let's Encrypt client
|
37 |
# letsencrypt : Let's Encrypt client
|
- |
|
38 |
# mail_service : Mail service for email authentification method
|
37 |
# post_install : Security, log rotation, etc.
|
39 |
# post_install : Security, log rotation, etc.
|
38 |
|
40 |
|
39 |
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function
|
41 |
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function
|
40 |
DATE=`date '+%d %B %Y - %Hh%M'`
|
42 |
DATE=`date '+%d %B %Y - %Hh%M'`
|
41 |
DATE_SHORT=`date '+%d/%m/%Y'`
|
43 |
DATE_SHORT=`date '+%d/%m/%Y'`
|
Line 102... |
Line 104... |
102 |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
|
104 |
echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
|
103 |
echo "-----------------------------------------------------------------------------"
|
105 |
echo "-----------------------------------------------------------------------------"
|
104 |
} # End of header_install()
|
106 |
} # End of header_install()
|
105 |
|
107 |
|
106 |
########################################################
|
108 |
########################################################
|
107 |
## Function "testing_system" ##
|
109 |
## "system_testing" ##
|
108 |
## - Test Mageia version ##
|
110 |
## - Test Mageia version ##
|
109 |
## - Test ALCASAR version (if already installed) ##
|
111 |
## - Test ALCASAR version (if already installed) ##
|
110 |
## - Test free space on /var (>10G) ##
|
112 |
## - Test free space on /var (>10G) ##
|
111 |
## - Test Internet access ##
|
113 |
## - Test Internet access ##
|
112 |
########################################################
|
114 |
########################################################
|
113 |
testing_system()
|
115 |
system_testing()
|
114 |
{
|
116 |
{
|
115 |
# Test of Mageia version
|
117 |
# Test of Mageia version
|
116 |
# extract the current Mageia version and hardware architecture (i586 ou X64)
|
118 |
# extract the current Mageia version and hardware architecture (i586 ou X64)
|
117 |
fic=`cat /etc/product.id`
|
119 |
fic=`cat /etc/product.id`
|
118 |
unknown_os=0
|
120 |
unknown_os=0
|
Line 220... |
Line 222... |
220 |
then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
|
222 |
then echo "Espace disponible insuffisant sur /var ($free_space Go au lieu de 10 Go au minimum)"
|
221 |
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
|
223 |
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
|
222 |
fi
|
224 |
fi
|
223 |
exit 0
|
225 |
exit 0
|
224 |
fi
|
226 |
fi
|
225 |
} # End of testing_system
|
227 |
} # End of system_testing
|
226 |
|
228 |
|
227 |
########################################################
|
229 |
########################################################
|
228 |
## Function "testing_network" ##
|
230 |
## "network_testing" ##
|
229 |
## - Test Internet access ##
|
231 |
## - Internet access test ##
|
230 |
########################################################
|
232 |
########################################################
|
231 |
testing_network()
|
233 |
network_testing()
|
232 |
{
|
234 |
{
|
233 |
# Detect external/internal interfaces
|
235 |
# Detect external/internal interfaces
|
234 |
if [ -z "$EXTIF" ]; then
|
236 |
if [ -z "$EXTIF" ]; then
|
235 |
EXTIF=$(/usr/sbin/ip route list | awk '/ via / {print $5}' | uniq)
|
237 |
EXTIF=$(/usr/sbin/ip route list | awk '/ via / {print $5}' | uniq)
|
236 |
if [ -z "$EXTIF" ]; then
|
238 |
if [ -z "$EXTIF" ]; then
|
Line 391... |
Line 393... |
391 |
echo "Verify the DNS IP addresses"
|
393 |
echo "Verify the DNS IP addresses"
|
392 |
fi
|
394 |
fi
|
393 |
exit 1
|
395 |
exit 1
|
394 |
fi
|
396 |
fi
|
395 |
echo ". : ok"
|
397 |
echo ". : ok"
|
396 |
} # End of testing_network()
|
398 |
} # End of network_testing()
|
397 |
|
399 |
|
398 |
#######################################################################
|
400 |
#######################################################################
|
399 |
## Function "init" ##
|
401 |
## "init" ##
|
400 |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
|
402 |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
|
401 |
## - Creation of random password for GRUB, mariadb (admin and user) ##
|
403 |
## - Creation of random password for GRUB, mariadb (admin and user) ##
|
402 |
#######################################################################
|
404 |
#######################################################################
|
403 |
init()
|
405 |
init()
|
404 |
{
|
406 |
{
|
Line 470... |
Line 472... |
470 |
EOF
|
472 |
EOF
|
471 |
chmod o-rwx $CONF_FILE
|
473 |
chmod o-rwx $CONF_FILE
|
472 |
} # End of init()
|
474 |
} # End of init()
|
473 |
|
475 |
|
474 |
#########################################################
|
476 |
#########################################################
|
475 |
## Function "network" ##
|
477 |
## "network" ##
|
476 |
## - Define the several network address ##
|
478 |
## - Define the several network address ##
|
477 |
## - Define the DNS naming ##
|
479 |
## - Define the DNS naming ##
|
478 |
## - INTIF parameters (consultation network) ##
|
480 |
## - INTIF parameters (consultation network) ##
|
479 |
## - Write "/etc/hosts" file ##
|
481 |
## - Write "/etc/hosts" file ##
|
480 |
## - write "hosts.allow" & "hosts.deny" files ##
|
482 |
## - write "hosts.allow" & "hosts.deny" files ##
|
Line 751... |
Line 753... |
751 |
|
753 |
|
752 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
|
754 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
|
753 |
} # End of network()
|
755 |
} # End of network()
|
754 |
|
756 |
|
755 |
##################################################################
|
757 |
##################################################################
|
756 |
## Fonction "CA" ##
|
758 |
## "CA" ##
|
757 |
## - Creating the CA and the server certificate (lighttpd) ##
|
759 |
## - Creating the CA and the server certificate (lighttpd) ##
|
758 |
##################################################################
|
760 |
##################################################################
|
759 |
CA()
|
761 |
CA()
|
760 |
{
|
762 |
{
|
761 |
$DIR_DEST_BIN/alcasar-CA.sh
|
763 |
$DIR_DEST_BIN/alcasar-CA.sh
|
Line 767... |
Line 769... |
767 |
chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
|
769 |
chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private
|
768 |
chmod 640 /etc/pki/tls/private/*
|
770 |
chmod 640 /etc/pki/tls/private/*
|
769 |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
|
771 |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
|
770 |
} # End of CA()
|
772 |
} # End of CA()
|
771 |
|
773 |
|
772 |
###################################################
|
774 |
######################################################
|
773 |
## Function "ACC" ##
|
775 |
## "ACC" ##
|
774 |
## - copy ALCASAR Control Center (ACC) files ##
|
776 |
## - copy ALCASAR Control Center (ACC) files ##
|
775 |
## - configuration of the web server (Lighttpd) ##
|
777 |
## - configuration of the web server (Lighttpd) ##
|
776 |
## - creation of the first ACC admin account ##
|
778 |
## - creation of the first ACC admin account ##
|
777 |
## - secure the ACC access ##
|
779 |
## - secure the ACC access ##
|
778 |
###################################################
|
780 |
######################################################
|
779 |
ACC()
|
781 |
ACC()
|
780 |
{
|
782 |
{
|
781 |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
|
783 |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
|
782 |
mkdir $DIR_WEB
|
784 |
mkdir $DIR_WEB
|
783 |
# Copy & adapt ACC files
|
785 |
# Copy & adapt ACC files
|
Line 889... |
Line 891... |
889 |
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
|
891 |
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
|
890 |
cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
|
892 |
cp $DIR_CONF/nmap-mac-prefixes /usr/local/share/
|
891 |
} # End of ACC()
|
893 |
} # End of ACC()
|
892 |
|
894 |
|
893 |
#############################################################
|
895 |
#############################################################
|
894 |
## Function "time_server" ##
|
896 |
## "time_server" ##
|
895 |
## - Configuring NTP server ##
|
897 |
## - Configuring NTP server ##
|
896 |
#############################################################
|
898 |
#############################################################
|
897 |
time_server()
|
899 |
time_server()
|
898 |
{
|
900 |
{
|
899 |
# Set the Internet time server
|
901 |
# Set the Internet time server
|
Line 920... |
Line 922... |
920 |
# Synchronize now
|
922 |
# Synchronize now
|
921 |
ntpd -4 -q -g &
|
923 |
ntpd -4 -q -g &
|
922 |
} # End of time_server()
|
924 |
} # End of time_server()
|
923 |
|
925 |
|
924 |
#####################################################################
|
926 |
#####################################################################
|
925 |
## Function "init_db" ##
|
927 |
## "init_db" ##
|
926 |
## - Mysql initialization ##
|
928 |
## - Mysql initialization ##
|
927 |
## - Set admin (root) password ##
|
929 |
## - Set admin (root) password ##
|
928 |
## - Remove unused users & databases ##
|
930 |
## - Remove unused users & databases ##
|
929 |
## - Radius database creation ##
|
931 |
## - Radius database creation ##
|
930 |
## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
|
932 |
## - Copy of accounting tables (mtotacct, totacct) & userinfo ##
|
Line 973... |
Line 975... |
973 |
/usr/bin/systemctl unset-environment MYSQLD_OPTS
|
975 |
/usr/bin/systemctl unset-environment MYSQLD_OPTS
|
974 |
/usr/bin/systemctl daemon-reload
|
976 |
/usr/bin/systemctl daemon-reload
|
975 |
} # End of init_db()
|
977 |
} # End of init_db()
|
976 |
|
978 |
|
977 |
###################################################################
|
979 |
###################################################################
|
978 |
## Function "freeradius" ##
|
980 |
## "freeradius" ##
|
979 |
## - Set the configuration files ##
|
981 |
## - Set the configuration files ##
|
980 |
## - Set the shared secret between coova-chilli and freeradius ##
|
982 |
## - Set the shared secret between coova-chilli and freeradius ##
|
981 |
## - Adapt the Mysql conf file and counters ##
|
983 |
## - Adapt the Mysql conf file and counters ##
|
982 |
###################################################################
|
984 |
###################################################################
|
983 |
freeradius()
|
985 |
freeradius()
|
Line 1059... |
Line 1061... |
1059 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1061 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1060 |
chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1062 |
chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1061 |
} # End of freeradius()
|
1063 |
} # End of freeradius()
|
1062 |
|
1064 |
|
1063 |
#############################################################################
|
1065 |
#############################################################################
|
1064 |
## Function "chilli" ##
|
1066 |
## "chilli" ##
|
1065 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
1067 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
1066 |
## - Adapt the authentication web page (intercept.php) ##
|
1068 |
## - Adapt the authentication web page (intercept.php) ##
|
1067 |
#############################################################################
|
1069 |
#############################################################################
|
1068 |
chilli()
|
1070 |
chilli()
|
1069 |
{
|
1071 |
{
|
Line 1260... |
Line 1262... |
1260 |
groupadd -f chilli
|
1262 |
groupadd -f chilli
|
1261 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
1263 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
1262 |
} # End of chilli()
|
1264 |
} # End of chilli()
|
1263 |
|
1265 |
|
1264 |
################################################################
|
1266 |
################################################################
|
1265 |
## Function "e2guardian" ##
|
1267 |
## "e2guardian" ##
|
1266 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1268 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1267 |
################################################################
|
1269 |
################################################################
|
1268 |
e2guardian()
|
1270 |
e2guardian()
|
1269 |
{
|
1271 |
{
|
1270 |
# Adapt systemd unit
|
1272 |
# Adapt systemd unit
|
Line 1371... |
Line 1373... |
1371 |
mkdir -p /var/log/e2guardian
|
1373 |
mkdir -p /var/log/e2guardian
|
1372 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1374 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1373 |
} # End of e2guardian()
|
1375 |
} # End of e2guardian()
|
1374 |
|
1376 |
|
1375 |
##################################################################
|
1377 |
##################################################################
|
1376 |
## Function "antivirus" ##
|
1378 |
## "antivirus" ##
|
1377 |
## - Set the parameters of clamav and freshclam ##
|
1379 |
## - Set the parameters of clamav and freshclam ##
|
1378 |
##################################################################
|
1380 |
##################################################################
|
1379 |
antivirus()
|
1381 |
antivirus()
|
1380 |
{
|
1382 |
{
|
1381 |
# Clamd unit adaptation to e2guardian
|
1383 |
# Clamd unit adaptation to e2guardian
|
Line 1406... |
Line 1408... |
1406 |
# update now
|
1408 |
# update now
|
1407 |
/usr/bin/freshclam --no-warnings --quiet
|
1409 |
/usr/bin/freshclam --no-warnings --quiet
|
1408 |
} # End of antivirus()
|
1410 |
} # End of antivirus()
|
1409 |
|
1411 |
|
1410 |
##############################################################
|
1412 |
##############################################################
|
1411 |
## function "ulogd" ##
|
1413 |
## "ulogd" ##
|
1412 |
## - Ulog config for multi-log files ##
|
1414 |
## - Ulog config for multi-log files ##
|
1413 |
##############################################################
|
1415 |
##############################################################
|
1414 |
ulogd()
|
1416 |
ulogd()
|
1415 |
{
|
1417 |
{
|
1416 |
# Three instances of ulogd (three different logfiles)
|
1418 |
# Three instances of ulogd (three different logfiles)
|
Line 1434... |
Line 1436... |
1434 |
chmod 750 /var/log/firewall
|
1436 |
chmod 750 /var/log/firewall
|
1435 |
chmod 640 /var/log/firewall/*
|
1437 |
chmod 640 /var/log/firewall/*
|
1436 |
} # End of ulogd()
|
1438 |
} # End of ulogd()
|
1437 |
|
1439 |
|
1438 |
##########################################################
|
1440 |
##########################################################
|
1439 |
## Function "nfsen" ##
|
1441 |
## "nfsen" ##
|
1440 |
## - configure NetFlow collector (nfcapd) ##
|
1442 |
## - configure NetFlow collector (nfcapd) ##
|
1441 |
## - configure NetFlow grapher (nfsen-ng) ##
|
1443 |
## - configure NetFlow grapher (nfsen-ng) ##
|
1442 |
##########################################################
|
1444 |
##########################################################
|
1443 |
nfsen()
|
1445 |
nfsen()
|
1444 |
{
|
1446 |
{
|
Line 1473... |
Line 1475... |
1473 |
[ -d /run/nfcapd ] || mkdir -p /run/nfcapd
|
1475 |
[ -d /run/nfcapd ] || mkdir -p /run/nfcapd
|
1474 |
chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
|
1476 |
chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
|
1475 |
} # End of nfsen()
|
1477 |
} # End of nfsen()
|
1476 |
|
1478 |
|
1477 |
###########################################################
|
1479 |
###########################################################
|
1478 |
## Function "vnstat" ##
|
1480 |
## "vnstat" ##
|
1479 |
## - Initialization of vnstat and vnstat-dashboard ##
|
1481 |
## - Initialization of vnstat and vnstat-dashboard ##
|
1480 |
###########################################################
|
1482 |
###########################################################
|
1481 |
vnstat()
|
1483 |
vnstat()
|
1482 |
{
|
1484 |
{
|
1483 |
# vnstat
|
1485 |
# vnstat
|
1484 |
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
|
1486 |
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
|
1485 |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
|
1487 |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
|
1486 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
1488 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
1487 |
$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
|
1489 |
$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
|
1488 |
# vnstat-dashboard
|
1490 |
# vnstat-dashboard
|
1489 |
$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
|
1491 |
$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
|
1490 |
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
|
1492 |
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
|
1491 |
$SED "s?^PIDFile=.*?PIDFile=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
|
1493 |
$SED "s?^PIDFile=.*?PIDFile=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
|
1492 |
} # End of vnstat()
|
1494 |
} # End of vnstat()
|
1493 |
|
1495 |
|
1494 |
###################################################################
|
1496 |
###################################################################
|
1495 |
## Function "dnsmasq" ##
|
1497 |
## "dnsmasq" ##
|
1496 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
1498 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
1497 |
###################################################################
|
1499 |
###################################################################
|
1498 |
dnsmasq()
|
1500 |
dnsmasq()
|
1499 |
{
|
1501 |
{
|
1500 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1502 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
Line 1515... |
Line 1517... |
1515 |
filterwin2k
|
1517 |
filterwin2k
|
1516 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1518 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1517 |
server=$DNS1
|
1519 |
server=$DNS1
|
1518 |
server=$DNS2
|
1520 |
server=$DNS2
|
1519 |
EOF
|
1521 |
EOF
|
- |
|
1522 |
|
1520 |
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
|
1523 |
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
|
1521 |
systemctl disable dnsmasq.service
|
1524 |
systemctl disable dnsmasq.service
|
1522 |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
|
1525 |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
|
1523 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1526 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1524 |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1527 |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1525 |
} # End of dnsmasq()
|
1528 |
} # End of dnsmasq()
|
1526 |
|
1529 |
|
1527 |
#########################################################
|
1530 |
#########################################################
|
1528 |
## Function "unbound" ##
|
1531 |
## "unbound" ##
|
1529 |
## - create the conf files for 4 unbound services ##
|
1532 |
## - create the conf files for 4 unbound services ##
|
1530 |
## - create the systemd files for 4 unbound services ##
|
1533 |
## - create the systemd files for 4 unbound services ##
|
1531 |
#########################################################
|
1534 |
#########################################################
|
1532 |
unbound ()
|
1535 |
unbound ()
|
1533 |
{
|
1536 |
{
|
Line 1687... |
Line 1690... |
1687 |
do-ip6: no
|
1690 |
do-ip6: no
|
1688 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1691 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1689 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1692 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1690 |
include: /etc/unbound/conf.d/blackhole/*
|
1693 |
include: /etc/unbound/conf.d/blackhole/*
|
1691 |
EOF
|
1694 |
EOF
|
1692 |
|
- |
|
1693 |
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
|
1695 |
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
|
1694 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
|
1696 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
|
1695 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
|
1697 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
|
1696 |
for list in blacklist blackhole whitelist
|
1698 |
for list in blacklist blackhole whitelist
|
1697 |
do
|
1699 |
do
|
Line 1701... |
Line 1703... |
1701 |
done
|
1703 |
done
|
1702 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
|
1704 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
|
1703 |
} # End of unbound()
|
1705 |
} # End of unbound()
|
1704 |
|
1706 |
|
1705 |
##################################################
|
1707 |
##################################################
|
1706 |
## Function "dhcpd" ##
|
1708 |
## "dhcpd" ##
|
1707 |
##################################################
|
1709 |
##################################################
|
1708 |
dhcpd()
|
1710 |
dhcpd()
|
1709 |
{
|
1711 |
{
|
1710 |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
|
1712 |
[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
|
1711 |
cat <<EOF > /etc/dhcpd.conf
|
1713 |
cat <<EOF > /etc/dhcpd.conf
|
Line 1720... |
Line 1722... |
1720 |
}
|
1722 |
}
|
1721 |
EOF
|
1723 |
EOF
|
1722 |
} # End of dhcpd()
|
1724 |
} # End of dhcpd()
|
1723 |
|
1725 |
|
1724 |
##########################################################
|
1726 |
##########################################################
|
1725 |
## Function "BL" ##
|
1727 |
## "BL" ##
|
1726 |
## - copy & adapt Toulouse BL to ALCASAR architecture ##
|
1728 |
## - copy & adapt Toulouse BL to ALCASAR architecture ##
|
1727 |
## - domain names for unbound-bl & unbound-wl ##
|
1729 |
## - domain names for unbound-bl & unbound-wl ##
|
1728 |
## - URLs for E²guardian ##
|
1730 |
## - URLs for E²guardian ##
|
1729 |
## - IPs for NetFilter ##
|
1731 |
## - IPs for NetFilter ##
|
1730 |
## - copy additional BLs (TOR + Ultrasurf + C&C) ##
|
1732 |
## - copy additional BLs (TOR + Ultrasurf + C&C) ##
|
1731 |
##########################################################
|
1733 |
##########################################################
|
1732 |
BL()
|
1734 |
BL()
|
1733 |
{
|
1735 |
{
|
1734 |
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
|
1736 |
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
|
1735 |
rm -rf $DIR_DG/lists/blacklists
|
1737 |
rm -rf $DIR_DG/lists/blacklists
|
1736 |
mkdir -p /tmp/blacklists
|
1738 |
mkdir -p /tmp/blacklists
|
1737 |
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
|
1739 |
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
|
1738 |
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
|
1740 |
# creation of the additional BL and WL categorie named "ossi" (for domain names & ip only)
|
1739 |
mkdir -p $DIR_DG/lists/blacklists/ossi-bl
|
1741 |
mkdir -p $DIR_DG/lists/blacklists/ossi-bl
|
Line 1758... |
Line 1760... |
1758 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
|
1760 |
$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
|
1759 |
rm -rf /tmp/blacklists
|
1761 |
rm -rf /tmp/blacklists
|
1760 |
} # End of BL()
|
1762 |
} # End of BL()
|
1761 |
|
1763 |
|
1762 |
#######################################################
|
1764 |
#######################################################
|
1763 |
## Function "cron" ##
|
1765 |
## "cron" ##
|
1764 |
## - write all cron & anacron files ##
|
1766 |
## - write all cron & anacron files ##
|
1765 |
#######################################################
|
1767 |
#######################################################
|
1766 |
cron()
|
1768 |
cron()
|
1767 |
{
|
1769 |
{
|
1768 |
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
|
1770 |
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
|
Line 1849... |
Line 1851... |
1849 |
# removing the users crons
|
1851 |
# removing the users crons
|
1850 |
rm -f /var/spool/cron/*
|
1852 |
rm -f /var/spool/cron/*
|
1851 |
} # End of cron()
|
1853 |
} # End of cron()
|
1852 |
|
1854 |
|
1853 |
########################################################################
|
1855 |
########################################################################
|
1854 |
## Fonction "Fail2Ban" ##
|
1856 |
## "Fail2Ban" ##
|
1855 |
##- Adapt conf file to ALCASAR ##
|
1857 |
##- Adapt conf file to ALCASAR ##
|
1856 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
|
1858 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
|
1857 |
########################################################################
|
1859 |
########################################################################
|
1858 |
fail2ban()
|
1860 |
fail2ban()
|
1859 |
{
|
1861 |
{
|
1860 |
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
|
1862 |
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
|
1861 |
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
|
1863 |
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
|
1862 |
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
|
1864 |
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
|
1863 |
|
1865 |
|
1864 |
# add 5 jails and their filters
|
1866 |
# add 5 jails and their filters
|
1865 |
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
|
1867 |
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
|
1866 |
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
|
1868 |
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
|
1867 |
[sshd]
|
1869 |
[sshd]
|
1868 |
enabled = true
|
1870 |
enabled = true
|
1869 |
#enabled = false
|
1871 |
#enabled = false
|
1870 |
maxretry = 3
|
1872 |
maxretry = 3
|
1871 |
bantime = 3m
|
1873 |
bantime = 3m
|
1872 |
findtime = 5m
|
1874 |
findtime = 5m
|
1873 |
EOF
|
1875 |
EOF
|
1874 |
|
1876 |
|
1875 |
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
|
1877 |
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
|
1876 |
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
|
1878 |
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
|
1877 |
[lighttpd-auth]
|
1879 |
[lighttpd-auth]
|
1878 |
enabled = true
|
1880 |
enabled = true
|
1879 |
#enabled = false
|
1881 |
#enabled = false
|
1880 |
maxretry = 3
|
1882 |
maxretry = 3
|
1881 |
bantime = 3m
|
1883 |
bantime = 3m
|
1882 |
findtime = 3m
|
1884 |
findtime = 3m
|
1883 |
EOF
|
1885 |
EOF
|
1884 |
|
1886 |
|
1885 |
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
|
1887 |
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
|
1886 |
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
|
1888 |
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
|
1887 |
[alcasar_mod-evasive]
|
1889 |
[alcasar_mod-evasive]
|
1888 |
#enabled = true
|
1890 |
#enabled = true
|
1889 |
enabled = false
|
1891 |
enabled = false
|
1890 |
backend = auto
|
1892 |
backend = auto
|
1891 |
filter = alcasar_mod-evasive
|
1893 |
filter = alcasar_mod-evasive
|
Line 1893... |
Line 1895... |
1893 |
logpath = /var/log/lighttpd/access.log
|
1895 |
logpath = /var/log/lighttpd/access.log
|
1894 |
maxretry = 3
|
1896 |
maxretry = 3
|
1895 |
bantime = 3m
|
1897 |
bantime = 3m
|
1896 |
findtime = 3m
|
1898 |
findtime = 3m
|
1897 |
EOF
|
1899 |
EOF
|
1898 |
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
|
1900 |
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
|
1899 |
[Definition]
|
1901 |
[Definition]
|
1900 |
failregex = <HOST> .+\] "[^"]+" 403
|
1902 |
failregex = <HOST> .+\] "[^"]+" 403
|
1901 |
ignoreregex =
|
1903 |
ignoreregex =
|
1902 |
EOF
|
1904 |
EOF
|
1903 |
|
1905 |
|
1904 |
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
|
1906 |
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
|
1905 |
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
|
1907 |
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
|
1906 |
[alcasar_intercept]
|
1908 |
[alcasar_intercept]
|
1907 |
enabled = true
|
1909 |
enabled = true
|
1908 |
#enabled = false
|
1910 |
#enabled = false
|
1909 |
backend = auto
|
1911 |
backend = auto
|
1910 |
filter = alcasar_intercept
|
1912 |
filter = alcasar_intercept
|
Line 1912... |
Line 1914... |
1912 |
logpath = /var/log/lighttpd/access.log
|
1914 |
logpath = /var/log/lighttpd/access.log
|
1913 |
maxretry = 5
|
1915 |
maxretry = 5
|
1914 |
bantime = 3m
|
1916 |
bantime = 3m
|
1915 |
findtime = 3m
|
1917 |
findtime = 3m
|
1916 |
EOF
|
1918 |
EOF
|
1917 |
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
|
1919 |
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
|
1918 |
[Definition]
|
1920 |
[Definition]
|
1919 |
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
|
1921 |
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
|
1920 |
ignoreregex =
|
1922 |
ignoreregex =
|
1921 |
EOF
|
1923 |
EOF
|
1922 |
|
1924 |
|
1923 |
## alcasar_change-pwd : ban after 5 failed user change password attempts
|
1925 |
## alcasar_change-pwd : ban after 5 failed user change password attempts
|
1924 |
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
|
1926 |
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
|
1925 |
[alcasar_change-pwd]
|
1927 |
[alcasar_change-pwd]
|
1926 |
enabled = true
|
1928 |
enabled = true
|
1927 |
#enabled = false
|
1929 |
#enabled = false
|
1928 |
backend = auto
|
1930 |
backend = auto
|
1929 |
filter = alcasar_change-pwd
|
1931 |
filter = alcasar_change-pwd
|
Line 1931... |
Line 1933... |
1931 |
logpath = /var/log/lighttpd/access.log
|
1933 |
logpath = /var/log/lighttpd/access.log
|
1932 |
maxretry = 5
|
1934 |
maxretry = 5
|
1933 |
bantime = 3m
|
1935 |
bantime = 3m
|
1934 |
findtime = 3m
|
1936 |
findtime = 3m
|
1935 |
EOF
|
1937 |
EOF
|
1936 |
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
|
1938 |
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
|
1937 |
[Definition]
|
1939 |
[Definition]
|
1938 |
failregex = <HOST> .* \"POST \/password\.php
|
1940 |
failregex = <HOST> .* \"POST \/password\.php
|
1939 |
ignoreregex =
|
1941 |
ignoreregex =
|
1940 |
EOF
|
1942 |
EOF
|
1941 |
|
1943 |
|
Line 1944... |
Line 1946... |
1944 |
[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
|
1946 |
[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
|
1945 |
chmod 644 /var/log/fail2ban.log
|
1947 |
chmod 644 /var/log/fail2ban.log
|
1946 |
chmod 644 $DIR_SAVE/security/watchdog.log
|
1948 |
chmod 644 $DIR_SAVE/security/watchdog.log
|
1947 |
/usr/bin/touch /var/log/auth.log
|
1949 |
/usr/bin/touch /var/log/auth.log
|
1948 |
# fail2ban unit
|
1950 |
# fail2ban unit
|
1949 |
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
|
1951 |
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
|
1950 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
|
1952 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
|
1951 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
|
1953 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
|
1952 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
|
1954 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
|
1953 |
} # End of fail2ban()
|
1955 |
} # End of fail2ban()
|
1954 |
|
1956 |
|
1955 |
#########################################################
|
1957 |
########################################################
|
1956 |
## Fonction "gammu_smsd" ##
|
1958 |
## "gammu_smsd" ##
|
1957 |
## - Creating of SMS management database ##
|
1959 |
## - Creating of SMS management database ##
|
1958 |
## - Write the gammu a gammu_smsd conf files ##
|
1960 |
## - Write the gammu a gammu_smsd conf files ##
|
1959 |
#########################################################
|
1961 |
########################################################
|
1960 |
gammu_smsd()
|
1962 |
gammu_smsd()
|
1961 |
{
|
1963 |
{
|
1962 |
# Create 'gammu' system user
|
1964 |
# Create 'gammu' system user
|
1963 |
groupadd -f gammu_smsd
|
1965 |
groupadd -f gammu_smsd
|
1964 |
useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
|
1966 |
useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
|
Line 2039... |
Line 2041... |
2039 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
|
2041 |
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
|
2040 |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
|
2042 |
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
|
2041 |
|
2043 |
|
2042 |
} # End of gammu_smsd()
|
2044 |
} # End of gammu_smsd()
|
2043 |
|
2045 |
|
2044 |
############################################################
|
2046 |
########################################################
|
2045 |
## Fonction "msec" ##
|
2047 |
## "msec" ##
|
2046 |
## - Apply the "fileserver" security level ##
|
2048 |
## - Apply the "fileserver" security level ##
|
2047 |
## - remove the "system request" for rebooting ##
|
2049 |
## - remove the "system request" for rebooting ##
|
2048 |
## - Fix several file permissions ##
|
2050 |
## - Fix several file permissions ##
|
2049 |
############################################################
|
2051 |
########################################################
|
2050 |
msec()
|
2052 |
msec()
|
2051 |
{
|
2053 |
{
|
2052 |
|
2054 |
|
2053 |
# Apply fileserver security level
|
2055 |
# Apply fileserver security level
|
2054 |
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
|
2056 |
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
|
2055 |
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
|
2057 |
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
|
2056 |
|
2058 |
|
2057 |
# Set permissions monitoring and enforcement
|
2059 |
# Set permissions monitoring and enforcement
|
2058 |
cat <<EOF > /etc/security/msec/perm.local
|
2060 |
cat <<EOF > /etc/security/msec/perm.local
|
2059 |
/var/log/firewall/ root.apache 750
|
2061 |
/var/log/firewall/ root.apache 750
|
2060 |
/var/log/firewall/* root.apache 640
|
2062 |
/var/log/firewall/* root.apache 640
|
Line 2075... |
Line 2077... |
2075 |
/var/log/clamav/ e2guardian.e2guardian 755 force
|
2077 |
/var/log/clamav/ e2guardian.e2guardian 755 force
|
2076 |
/var/log/clamav/* e2guardian.e2guardian 764 force
|
2078 |
/var/log/clamav/* e2guardian.e2guardian 764 force
|
2077 |
/var/lib/clamav/ e2guardian.e2guardian 755 force
|
2079 |
/var/lib/clamav/ e2guardian.e2guardian 755 force
|
2078 |
EOF
|
2080 |
EOF
|
2079 |
# apply now hourly & daily checks
|
2081 |
# apply now hourly & daily checks
|
2080 |
/usr/sbin/msec
|
2082 |
/usr/sbin/msec
|
2081 |
/etc/cron.weekly/msec
|
2083 |
/etc/cron.weekly/msec
|
2082 |
|
2084 |
|
2083 |
} # End of msec()
|
2085 |
} # End of msec()
|
2084 |
|
2086 |
|
2085 |
##################################################################
|
2087 |
##################################################################
|
2086 |
## Fonction "letsencrypt" ##
|
2088 |
## Fonction "letsencrypt" ##
|
Line 2088... |
Line 2090... |
2088 |
## - Prepare Let's Encrypt ALCASAR configuration file ##
|
2090 |
## - Prepare Let's Encrypt ALCASAR configuration file ##
|
2089 |
##################################################################
|
2091 |
##################################################################
|
2090 |
letsencrypt()
|
2092 |
letsencrypt()
|
2091 |
{
|
2093 |
{
|
2092 |
echo "Installing Let's Encrypt client..."
|
2094 |
echo "Installing Let's Encrypt client..."
|
2093 |
# Remove potential old installers
|
2095 |
# Remove potential old installers
|
2094 |
rm -rf /tmp/acme.sh-*
|
2096 |
rm -rf /tmp/acme.sh-*
|
2095 |
# Extract acme.sh
|
2097 |
# Extract acme.sh
|
2096 |
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
|
2098 |
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
|
2097 |
pwdInstall=$(pwd)
|
2099 |
pwdInstall=$(pwd)
|
2098 |
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
|
2100 |
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
|
2099 |
acmesh_installDir="/opt/acme.sh"
|
2101 |
acmesh_installDir="/opt/acme.sh"
|
2100 |
acmesh_confDir="/usr/local/etc/letsencrypt"
|
2102 |
acmesh_confDir="/usr/local/etc/letsencrypt"
|
2101 |
acmesh_userAgent="ALCASAR"
|
2103 |
acmesh_userAgent="ALCASAR"
|
2102 |
# Install acme.sh
|
2104 |
# Install acme.sh
|
2103 |
./acme.sh --install \
|
2105 |
./acme.sh --install \
|
2104 |
--home $acmesh_installDir \
|
2106 |
--home $acmesh_installDir \
|
2105 |
--config-home $acmesh_confDir/data \
|
2107 |
--config-home $acmesh_confDir/data \
|
2106 |
--certhome $acmesh_confDir/certs \
|
2108 |
--certhome $acmesh_confDir/certs \
|
2107 |
--accountkey $acmesh_confDir/ca/account.key \
|
2109 |
--accountkey $acmesh_confDir/ca/account.key \
|
Line 2110... |
Line 2112... |
2110 |
--nocron \
|
2112 |
--nocron \
|
2111 |
> /dev/null
|
2113 |
> /dev/null
|
2112 |
if [ $? -ne 0 ]; then
|
2114 |
if [ $? -ne 0 ]; then
|
2113 |
echo "Error during installation of Let's Encrypt client (acme.sh)."
|
2115 |
echo "Error during installation of Let's Encrypt client (acme.sh)."
|
2114 |
fi
|
2116 |
fi
|
2115 |
# Create configuration file
|
2117 |
# Create configuration file
|
2116 |
cat <<EOF > /usr/local/etc/alcasar-letsencrypt
|
2118 |
cat <<EOF > /usr/local/etc/alcasar-letsencrypt
|
2117 |
email=
|
2119 |
email=
|
2118 |
dateIssueRequest=
|
2120 |
dateIssueRequest=
|
2119 |
domainRequest=
|
2121 |
domainRequest=
|
2120 |
challenge=
|
2122 |
challenge=
|
Line 2125... |
Line 2127... |
2125 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
|
2127 |
cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
|
2126 |
rm -rf /tmp/acme.sh-*
|
2128 |
rm -rf /tmp/acme.sh-*
|
2127 |
} # End of letsencrypt()
|
2129 |
} # End of letsencrypt()
|
2128 |
|
2130 |
|
2129 |
##################################################################
|
2131 |
##################################################################
|
- |
|
2132 |
## "mail_service" ##
|
- |
|
2133 |
## - Install mail service for email registration method ##
|
- |
|
2134 |
##################################################################
|
- |
|
2135 |
mail_service()
|
- |
|
2136 |
{
|
- |
|
2137 |
[ -e /etc/postfix/main.cf.default ] || cp /etc/postfix/main.cf /etc/postfix/main.cf.default
|
- |
|
2138 |
cat << EOT >> /etc/postfix/main.cf
|
- |
|
2139 |
myhostname = $HOSTNAME.$DOMAIN
|
- |
|
2140 |
# Enable SASL authentication
|
- |
|
2141 |
smtp_sasl_auth_enable = yes
|
- |
|
2142 |
# Disallow methods that allow anonymous authentication
|
- |
|
2143 |
smtp_sasl_security_options = noanonymous
|
- |
|
2144 |
# Location of sasl_passwd
|
- |
|
2145 |
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
|
- |
|
2146 |
EOT
|
- |
|
2147 |
# postfix banner anonymisation
|
- |
|
2148 |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
|
- |
|
2149 |
chown -R postfix:postfix /var/lib/postfix
|
- |
|
2150 |
} # end of mail_service
|
- |
|
2151 |
|
- |
|
2152 |
##################################################################
|
2130 |
## Fonction "post_install" ##
|
2153 |
## Fonction "post_install" ##
|
2131 |
## - Modifying banners (locals et ssh) & prompts ##
|
2154 |
## - Modifying banners (locals et ssh) & prompts ##
|
2132 |
## - SSH config ##
|
2155 |
## - SSH config ##
|
2133 |
## - sudoers config & files security ##
|
2156 |
## - sudoers config & files security ##
|
2134 |
## - log rotate & ANSSI security parameters ##
|
2157 |
## - log rotate & ANSSI security parameters ##
|
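Review bot: The new `mail_service` appends its SASL block to /etc/postfix/main.cf unconditionally, so every re-run of the installer (the `mode="update"` path further down this diff calls `mail_service` from the same function list) adds another `myhostname`/`smtp_sasl_*` block; guarding the append the way the `.default` copy is guarded, e.g. `grep -q '^smtp_sasl_auth_enable' /etc/postfix/main.cf || cat << EOT >> /etc/postfix/main.cf`, keeps the file idempotent. Postfix takes the last definition, so this is hygiene rather than breakage, but it makes it hard to see which block is live. The credential map referenced by `smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd` is not created in this hunk; whichever later step writes the relay password should create the file and its `.db` with mode 600 (`install -m 600 -o root -g root /dev/null /etc/postfix/sasl/sasl_passwd` before `postmap`), otherwise the SMTP password is readable by any local account. A short comment on that line recording the expected owner/mode of the map would tell the maintainer of the writing side what this function relies on.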
Line 2146... |
Line 2169... |
2146 |
# sshd listens on EXTIF & INTIF
|
2169 |
# sshd listens on EXTIF & INTIF
|
2147 |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
|
2170 |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
|
2148 |
# sshd authorized certificate for root login
|
2171 |
# sshd authorized certificate for root login
|
2149 |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
|
2172 |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
|
2150 |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
|
2173 |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
|
2151 |
|
- |
|
2152 |
# postfix banner anonymisation
|
- |
|
2153 |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
|
- |
|
2154 |
chown -R postfix:postfix /var/lib/postfix
|
- |
|
2155 |
# ALCASAR conf file
|
2174 |
# ALCASAR conf file
|
2156 |
echo "HTTPS_LOGIN=off" >> $CONF_FILE
|
2175 |
echo "HTTPS_LOGIN=off" >> $CONF_FILE
|
2157 |
echo "HTTPS_CHILLI=off" >> $CONF_FILE
|
2176 |
echo "HTTPS_CHILLI=off" >> $CONF_FILE
|
2158 |
echo "SSH=on" >> $CONF_FILE
|
2177 |
echo "SSH=on" >> $CONF_FILE
|
2159 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
2178 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
Line 2351... |
Line 2370... |
2351 |
-\? | -h* | --h*)
|
2370 |
-\? | -h* | --h*)
|
2352 |
echo "$usage"
|
2371 |
echo "$usage"
|
2353 |
exit 0
|
2372 |
exit 0
|
2354 |
;;
|
2373 |
;;
|
2355 |
-i | --install)
|
2374 |
-i | --install)
|
2356 |
for func in license testing_system testing_network
|
2375 |
for func in license system_testing network_testing
|
2357 |
do
|
2376 |
do
|
2358 |
header_install
|
2377 |
header_install
|
2359 |
$func
|
2378 |
$func
|
2360 |
if [ $DEBUG_ALCASAR == "on" ]
|
2379 |
if [ $DEBUG_ALCASAR == "on" ]
|
2361 |
then
|
2380 |
then
|
Line 2438... |
Line 2457... |
2438 |
then echo "#### Installation avec mise à jour ####";
|
2457 |
then echo "#### Installation avec mise à jour ####";
|
2439 |
else echo "#### Installation with update ####";
|
2458 |
else echo "#### Installation with update ####";
|
2440 |
fi
|
2459 |
fi
|
2441 |
mode="update"
|
2460 |
mode="update"
|
2442 |
fi
|
2461 |
fi
|
2443 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
|
2462 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
|
2444 |
do
|
2463 |
do
|
2445 |
$func
|
2464 |
$func
|
2446 |
if [ $DEBUG_ALCASAR == "on" ]
|
2465 |
if [ $DEBUG_ALCASAR == "on" ]
|
2447 |
then
|
2466 |
then
|
2448 |
echo "*** 'debug' : end of function '$func' ***"
|
2467 |
echo "*** 'debug' : end of function '$func' ***"
|