Subversion Repositories ALCASAR


Rev 3222 Rev 3230
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 3222 2024-07-17 09:56:42Z rexy $
2
#  $Id: alcasar.sh 3230 2024-11-06 23:38:15Z rexy $
3
 
3
 
4
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
4
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
5
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, apache, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
6
# contact : info@alcasar.net
6
# contact : info@alcasar.net
7
 
7
 
8
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
8
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
9
# This script is distributed under the Gnu General Public License (GPLV3)
9
# This script is distributed under the Gnu General Public License (GPLV3)
10
 
10
 
Line 46... Line 46...
46
DIR_INSTALL=`pwd`						# current directory
46
DIR_INSTALL=`pwd`						# current directory
47
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
47
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
48
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
48
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
49
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
49
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
50
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
50
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
51
DIR_WEB="/var/www/html"					# directory of Lighttpd
51
DIR_WEB="/var/www/html"					# directory of Apache
52
DIR_E2G="/etc/e2guardian"				# directory of E2Guardian
52
DIR_E2G="/etc/e2guardian"				# directory of E2Guardian
53
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
53
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
54
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
54
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
55
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
55
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
56
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
56
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
Line 774... Line 774...
774
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
774
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
775
} # End of network()
775
} # End of network()
776
 
776
 
777
##################################################################
777
##################################################################
778
##                           "CA"                               ##
778
##                           "CA"                               ##
779
## - Creating the CA and the server certificate (lighttpd)      ##
779
## - Creating the CA and the server certificate (httpd)         ##
780
##################################################################
780
##################################################################
781
CA()
781
CA()
782
{
782
{
783
	$DIR_DEST_BIN/alcasar-CA.sh
783
	$DIR_DEST_BIN/alcasar-CA.sh
784
	chmod 755 /etc/pki/
784
	chmod 755 /etc/pki/
Line 792... Line 792...
792
} # End of CA()
792
} # End of CA()
793
 
793
 
794
######################################################
794
######################################################
795
##                       "ACC"                      ##
795
##                       "ACC"                      ##
796
## - copy ALCASAR Control Center (ACC) files        ##
796
## - copy ALCASAR Control Center (ACC) files        ##
797
## - configuration of the web server (Lighttpd)     ##
797
## - configuration of the web server (Apache)       ##
798
## - creation of the first ACC admin account        ##
798
## - creation of the first ACC admin account        ##
799
## - secure the ACC access                          ##
799
## - secure the ACC access                          ##
800
######################################################
800
######################################################
801
ACC()
801
ACC()
802
{
802
{
Line 844... Line 844...
844
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
844
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
845
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
845
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
846
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
846
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
847
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
847
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
848
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
848
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
849
# Configuring & securing Lighttpd
849
# Configuring & securing Apache
850
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
850
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
851
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
851
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
852
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
852
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
853
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
853
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
854
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
854
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
-
 
855
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
855
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
856
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
856
 
-
 
857
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
857
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
858
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
858
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
859
	$SED "s?^#[ ]*\"mod_authn_file\",.*?\"mod_authn_file\",?g" /etc/lighttpd/modules.conf
859
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
860
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
860
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
861
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
861
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
862
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
862
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
863
	$SED "s?^#include conf_dir + \"/conf.d/fastcgi.conf\".*?include conf_dir + \"/conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
863
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
864
 
-
 
865
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
864
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
-
 
865
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
-
 
866
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
-
 
867
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
-
 
868
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
-
 
869
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
-
 
870
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
-
 
871
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
-
 
872
# Error page management
-
 
873
	[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
866
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
874
	cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
-
 
875
Alias /error/ "/var/www/html/"
-
 
876
<Directory "/usr/share/httpd/error">
-
 
877
    AllowOverride None
-
 
878
    Options IncludesNoExec
-
 
879
    AddOutputFilter Includes html
-
 
880
    AddHandler type-map var
-
 
881
    Require all granted
-
 
882
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
-
 
883
    ForceLanguagePriority Prefer Fallback
-
 
884
</Directory>
-
 
885
ErrorDocument 400 /error/error.php?error=400
-
 
886
ErrorDocument 401 /error/error.php?error=401
-
 
887
ErrorDocument 403 /error/error.php?error=403
-
 
888
ErrorDocument 404 /error/index.php
-
 
889
ErrorDocument 405 /error/error.php?error=405
-
 
890
ErrorDocument 408 /error/error.php?error=408
-
 
891
ErrorDocument 410 /error/error.php?error=410
-
 
892
ErrorDocument 411 /error/error.php?error=411
-
 
893
ErrorDocument 412 /error/error.php?error=412
-
 
894
ErrorDocument 413 /error/error.php?error=413
-
 
895
ErrorDocument 414 /error/error.php?error=414
-
 
896
ErrorDocument 415 /error/error.php?error=415
-
 
897
ErrorDocument 500 /error/error.php?error=500
-
 
898
ErrorDocument 501 /error/error.php?error=501
-
 
899
ErrorDocument 502 /error/error.php?error=502
-
 
900
ErrorDocument 503 /error/error.php?error=503
-
 
901
ErrorDocument 506 /error/error.php?error=506
867
 
902
EOF
868
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
903
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
869
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
904
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
870
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
905
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
871
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
906
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
-
 
907
</body>
-
 
908
</html>
872
 
909
EOF
-
 
910
# ACC partitioning
873
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
911
	rm -f /etc/httpd/conf/vhosts.d/alcasar*
874
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
912
	cat <<EOF > /etc/httpd/conf/vhosts.d/alcasar.conf
-
 
913
<Directory $DIR_WEB>
-
 
914
        AllowOverride None
-
 
915
        Order deny,allow
-
 
916
        Deny from all
-
 
917
        Allow from 127.0.0.1
-
 
918
        Allow from $PRIVATE_NETWORK_MASK
-
 
919
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
920
</Directory>
-
 
921
<Directory $DIR_WEB/certs>
-
 
922
        AddType application/x-x509-ca-cert crt
-
 
923
</Directory>
-
 
924
<Directory $DIR_ACC>
-
 
925
        SSLRequireSSL
-
 
926
        AllowOverride None
-
 
927
        Order deny,allow
-
 
928
        Deny from all
-
 
929
        Allow from 127.0.0.1
-
 
930
        Allow from $PRIVATE_NETWORK_MASK
-
 
931
        require valid-user
-
 
932
        AuthType digest
-
 
933
        AuthName "ALCASAR Control Center (ACC)"
-
 
934
        AuthDigestDomain $HOSTNAME.$DOMAIN
875
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
935
        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
936
        AuthUserFile $DIR_DEST_ETC/digest/key_all
-
 
937
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
938
</Directory>
-
 
939
<Directory $DIR_ACC/admin>
-
 
940
        SSLRequireSSL
-
 
941
        AllowOverride None
-
 
942
        Order deny,allow
-
 
943
        Deny from all
-
 
944
        Allow from 127.0.0.1
-
 
945
        Allow from $PRIVATE_NETWORK_MASK
-
 
946
        require valid-user
-
 
947
        AuthType digest
-
 
948
        AuthName "ALCASAR Control Center (ACC)"
-
 
949
        AuthDigestDomain $HOSTNAME.$DOMAIN
876
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
950
        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
951
        AuthUserFile $DIR_DEST_ETC/digest/key_admin
-
 
952
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
953
</Directory>
-
 
954
<Directory $DIR_ACC/manager>
-
 
955
        SSLRequireSSL
-
 
956
        AllowOverride None
-
 
957
        Order deny,allow
-
 
958
        Deny from all
-
 
959
        Allow from 127.0.0.1
-
 
960
        Allow from $PRIVATE_NETWORK_MASK
-
 
961
        require valid-user
-
 
962
        AuthType digest
-
 
963
        AuthName "ALCASAR Control Center (ACC)"
-
 
964
        AuthDigestDomain $HOSTNAME.$DOMAIN
877
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
965
        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
966
        AuthUserFile $DIR_DEST_ETC/digest/key_manager
-
 
967
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
878
 
968
</Directory>
-
 
969
<Directory $DIR_ACC/backup>
-
 
970
        SSLRequireSSL
-
 
971
        AllowOverride None
-
 
972
        Order deny,allow
-
 
973
        Deny from all
-
 
974
        Allow from 127.0.0.1
-
 
975
        Allow from $PRIVATE_NETWORK_MASK
-
 
976
        require valid-user
-
 
977
        AuthType digest
-
 
978
        AuthName "ALCASAR Control Center (ACC)"
879
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
979
        AuthDigestDomain $HOSTNAME.$DOMAIN
880
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
980
        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
881
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
981
        AuthUserFile $DIR_DEST_ETC/digest/key_backup
-
 
982
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
882
 
983
</Directory>
-
 
984
Alias /save/ "$DIR_SAVE/"
-
 
985
<Directory $DIR_SAVE>
-
 
986
        SSLRequireSSL
-
 
987
        Options Indexes
-
 
988
        Order deny,allow
-
 
989
        Deny from all
-
 
990
        Allow from 127.0.0.1
-
 
991
        Allow from $PRIVATE_NETWORK_MASK
-
 
992
        require valid-user
-
 
993
        AuthType digest
-
 
994
        AuthName "ALCASAR Control Center (ACC)"
883
	chown -R apache:apache /var/log/lighttpd
995
        AuthDigestDomain $HOSTNAME.$DOMAIN
-
 
996
        AuthUserFile $DIR_DEST_ETC/digest/key_backup
-
 
997
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
998
</Directory>
884
 
999
EOF
885
# Creation of the first account (in 'admin' profile)
1000
# Creation of the first account (in 'admin' profile)
886
	if [ "$mode" = "install" ]
1001
	if [ "$mode" = "install" ]
887
	then
1002
	then
888
		header_install
1003
		header_install
889
# Creation of keys file for the admin account ("admin")
1004
# Creation of keys file for the admin account ("admin")
Line 900... Line 1015...
900
		done
1015
		done
901
	fi
1016
	fi
902
# Creation of ACC certs links
1017
# Creation of ACC certs links
903
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
1018
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
904
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
1019
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
905
# Run lighttpd after coova (in order waiting tun0 to be up)
1020
# Run Apache after coova (in order waiting tun0 to be up)
906
	cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service
1021
	cp /lib/systemd/system/httpd.service /etc/systemd/system/httpd.service
907
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
1022
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/httpd.service
908
	# Log file for ACC access imputability
1023
	# Log file for ACC access imputability
909
	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
1024
	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
910
	chown root:apache $DIR_SAVE/security/acc_access.log
1025
	chown root:apache $DIR_SAVE/security/acc_access.log
911
	chmod 664 $DIR_SAVE/security/acc_access.log
1026
	chmod 664 $DIR_SAVE/security/acc_access.log
912
} # End of ACC()
1027
} # End of ACC()
Line 1803... Line 1918...
1803
bantime = 3m
1918
bantime = 3m
1804
findtime = 5m
1919
findtime = 5m
1805
EOF
1920
EOF
1806
 
1921
 
1807
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1922
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1808
	cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1923
#	cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1809
[lighttpd-auth]
1924
#[lighttpd-auth]
1810
enabled = true
1925
#enabled = true
1811
#enabled  = false
1926
#enabled  = false
1812
maxretry = 3
1927
#maxretry = 3
1813
bantime = 3m
1928
#bantime = 3m
1814
findtime = 3m
1929
#findtime = 3m
1815
EOF
1930
#EOF
1816
 
1931
 
1817
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1932
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1818
	cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1933
	cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1819
[alcasar_mod-evasive]
1934
[alcasar_mod-evasive]
1820
#enabled = true
1935
#enabled = true
1821
enabled = false
1936
enabled = false
1822
backend = auto
1937
backend = auto
1823
filter = alcasar_mod-evasive
1938
filter = alcasar_mod-evasive
1824
action = iptables-allports[name=alcasar_mod-evasive]
1939
action = iptables-allports[name=alcasar_mod-evasive]
1825
logpath = /var/log/lighttpd/access.log
1940
logpath = /var/log/httpd/access.log
1826
maxretry = 3
1941
maxretry = 3
1827
bantime = 3m
1942
bantime = 3m
1828
findtime = 3m
1943
findtime = 3m
1829
EOF
1944
EOF
1830
	cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
1945
	cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
Line 1839... Line 1954...
1839
enabled = true
1954
enabled = true
1840
#enabled = false
1955
#enabled = false
1841
backend = auto
1956
backend = auto
1842
filter = alcasar_intercept
1957
filter = alcasar_intercept
1843
action = iptables-allports[name=alcasar_intercept]
1958
action = iptables-allports[name=alcasar_intercept]
1844
logpath = /var/log/lighttpd/access.log
1959
logpath = /var/log/httpd/access.log
1845
maxretry = 5
1960
maxretry = 5
1846
bantime = 3m
1961
bantime = 3m
1847
findtime = 3m
1962
findtime = 3m
1848
EOF
1963
EOF
1849
	cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
1964
	cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
Line 1858... Line 1973...
1858
enabled = true
1973
enabled = true
1859
#enabled = false
1974
#enabled = false
1860
backend = auto
1975
backend = auto
1861
filter = alcasar_change-pwd
1976
filter = alcasar_change-pwd
1862
action = iptables-allports[name=alcasar_change-pwd]
1977
action = iptables-allports[name=alcasar_change-pwd]
1863
logpath = /var/log/lighttpd/access.log
1978
logpath = /var/log/httpd/access.log
1864
maxretry = 5
1979
maxretry = 5
1865
bantime = 3m
1980
bantime = 3m
1866
findtime = 3m
1981
findtime = 3m
1867
EOF
1982
EOF
1868
	cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
1983
	cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
Line 1879... Line 1994...
1879
	/usr/bin/touch /var/log/auth.log
1994
	/usr/bin/touch /var/log/auth.log
1880
# fail2ban unit
1995
# fail2ban unit
1881
	cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
1996
	cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
1882
	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
1997
	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
1883
	$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
1998
	$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
1884
	$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
1999
	$SED '/After=*/c After=syslog.target network.target httpd.service' /etc/systemd/system/fail2ban.service
1885
} # End of fail2ban()
2000
} # End of fail2ban()
1886
 
2001
 
1887
########################################################
2002
########################################################
1888
##                  "gammu_smsd"                      ##
2003
##                  "gammu_smsd"                      ##
1889
## - Creating of SMS management database              ##
2004
## - Creating of SMS management database              ##
Line 2150... Line 2265...
2150
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2265
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2151
	chmod 644 /etc/logrotate.d/*
2266
	chmod 644 /etc/logrotate.d/*
2152
# Log compression
2267
# Log compression
2153
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2268
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2154
# actualisation des fichiers logs compressés
2269
# actualisation des fichiers logs compressés
2155
	for dir in firewall e2guardian lighttpd
2270
	for dir in firewall e2guardian httpd
2156
	do
2271
	do
2157
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2272
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2158
	done
2273
	done
2159
	/usr/bin/systemctl daemon-reload
2274
	/usr/bin/systemctl daemon-reload
2160
# processes started at boot time (Systemctl)
2275
# processes started at boot time (Systemctl)
2161
	for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2276
	for i in alcasar-network mysqld httpd ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2162
	do
2277
	do
2163
		/usr/bin/systemctl -q enable $i.service
2278
		/usr/bin/systemctl -q enable $i.service
2164
	done
2279
	done
2165
 
2280
 
2166
# disable processes at boot time (Systemctl)
2281
# disable processes at boot time (Systemctl)
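Review bot: The fail2ban hunk comments out the whole `lighttpd-auth` jail and the lines shown add no Apache counterpart, so repeated failed digest logins on the ACC would no longer trigger a ban. An `[apache-auth]` jail with the same `maxretry = 3`, `bantime = 3m` and `findtime = 3m` would restore that, with the `## lighttpd-auth : ...` comment updated to match. In ACC(), the generated ssl.conf sets `SSLProtocol all -SSLv2 -SSLv3`, which still accepts TLS 1.0 and 1.1, and the `SSLCipherSuite` string keeps the `ECDH+3DES:DH+3DES:RSA+3DES` entries. If the supported clients and the httpd build allow it, `SSLProtocol -all +TLSv1.2 +TLSv1.3` with the 3DES suites dropped is the tighter setting. Both ACC() and the fail2ban function start or continue outside the lines shown, so a replacement jail or TLS override may exist elsewhere in the file.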