| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar.sh 2760 2019-11-06 12:26:49Z lucas.echard $
|
2 |
# $Id: alcasar.sh 2763 2019-11-10 18:26:57Z rexy $
|
| 3 |
|
3 |
|
| 4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
| 5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
| 6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
| 7 |
# team@alcasar.net
|
7 |
# team@alcasar.net
|
| Line 537... |
Line 537... |
| 537 |
fi
|
537 |
fi
|
| 538 |
else
|
538 |
else
|
| 539 |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
|
539 |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
|
| 540 |
rm -f conf/etc/alcasar.conf
|
540 |
rm -f conf/etc/alcasar.conf
|
| 541 |
fi
|
541 |
fi
|
| 542 |
header_install
|
- |
|
| 543 |
if [ "$mode" != "update" ]
|
- |
|
| 544 |
then
|
- |
|
| 545 |
if [ $Lang == "fr" ]
|
- |
|
| 546 |
then echo "Par défaut, le nom d'hôte d'ALCASAR est : $HOSTNAME.$DOMAIN"
|
- |
|
| 547 |
else echo "The default ALCASAR hostname is : $HOSTNAME.$DOMAIN"
|
- |
|
| 548 |
fi
|
- |
|
| 549 |
response=0
|
- |
|
| 550 |
PTN='^[oOyYnN]?$'
|
- |
|
| 551 |
until [[ "$response" =~ $PTN ]]
|
- |
|
| 552 |
do
|
- |
|
| 553 |
if [ $Lang == "fr" ]
|
- |
|
| 554 |
then echo -n "Voulez-vous utiliser ce nom d'hôte (recommandé) (O/n)? : "
|
- |
|
| 555 |
else echo -n "Do you want to use this hostname (recommanded) (Y/n)? : "
|
- |
|
| 556 |
fi
|
- |
|
| 557 |
read response
|
- |
|
| 558 |
done
|
- |
|
| 559 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
- |
|
| 560 |
then
|
- |
|
| 561 |
if [ $Lang == "fr" ]
|
- |
|
| 562 |
then echo -n "Entrez le nouveau nom d'hôte pleinement qualifié (hôte.domain) : "
|
- |
|
| 563 |
else echo -n "Enter the new full qualified hostname (host.domain) : "
|
- |
|
| 564 |
fi
|
- |
|
| 565 |
read FQDN
|
- |
|
| 566 |
HOSTNAME=`echo $FQDN|cut -d"." -f1`
|
- |
|
| 567 |
DOMAIN=`echo $FQDN|cut -d"." -f2`
|
- |
|
| 568 |
fi
|
- |
|
| 569 |
fi
|
- |
|
| 570 |
# Define LAN side global parameters
|
542 |
# Define LAN side global parameters
|
| 571 |
hostnamectl set-hostname $HOSTNAME.$DOMAIN
|
543 |
hostnamectl set-hostname $HOSTNAME.$DOMAIN
|
| 572 |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
|
544 |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
|
| 573 |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4` # last octet of LAN address
|
545 |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4` # last octet of LAN address
|
| 574 |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
|
546 |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
|
| Line 788... |
Line 760... |
| 788 |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
|
760 |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
|
| 789 |
#
|
761 |
#
|
| 790 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
762 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
| 791 |
} # End of network()
|
763 |
} # End of network()
|
| 792 |
|
764 |
|
| - |
|
765 |
##################################################################
|
| - |
|
766 |
## Fonction "CA" ##
|
| - |
|
767 |
## - Creating the CA and the server certificate (lighttpd) ##
|
| - |
|
768 |
##################################################################
|
| - |
|
769 |
CA()
|
| - |
|
770 |
{
|
| - |
|
771 |
$DIR_DEST_BIN/alcasar-CA.sh
|
| - |
|
772 |
chown -R root:apache /etc/pki
|
| - |
|
773 |
chmod -R 750 /etc/pki
|
| - |
|
774 |
} # End of CA()
|
| - |
|
775 |
|
| 793 |
###################################################
|
776 |
###################################################
|
| 794 |
## Function "ACC" ##
|
777 |
## Function "ACC" ##
|
| 795 |
## - copy ALCASAR Control Center (ACC) files ##
|
778 |
## - copy ALCASAR Control Center (ACC) files ##
|
| 796 |
## - configuration of the web server (Lighttpd) ##
|
779 |
## - configuration of the web server (Lighttpd) ##
|
| 797 |
## - creation of the first ACC admin account ##
|
780 |
## - creation of the first ACC admin account ##
|
| Line 906... |
Line 889... |
| 906 |
[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
|
889 |
[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
|
| 907 |
chown root:apache /var/Save/security/acc_access.log
|
890 |
chown root:apache /var/Save/security/acc_access.log
|
| 908 |
chmod 664 /var/Save/security/acc_access.log
|
891 |
chmod 664 /var/Save/security/acc_access.log
|
| 909 |
} # End of ACC()
|
892 |
} # End of ACC()
|
| 910 |
|
893 |
|
| 911 |
##################################################################
|
- |
|
| 912 |
## Fonction "CA" ##
|
- |
|
| 913 |
## - Creating the CA and the server certificate (lighttpd) ##
|
- |
|
| 914 |
##################################################################
|
- |
|
| 915 |
CA()
|
- |
|
| 916 |
{
|
- |
|
| 917 |
$DIR_DEST_BIN/alcasar-CA.sh
|
- |
|
| 918 |
chown -R root:apache /etc/pki
|
- |
|
| 919 |
chmod -R 750 /etc/pki
|
- |
|
| 920 |
} # End of CA()
|
- |
|
| 921 |
|
- |
|
| 922 |
#############################################################
|
894 |
#############################################################
|
| 923 |
## Function "time_server" ##
|
895 |
## Function "time_server" ##
|
| 924 |
## - Configuring NTP server ##
|
896 |
## - Configuring NTP server ##
|
| 925 |
#############################################################
|
897 |
#############################################################
|
| 926 |
time_server()
|
898 |
time_server()
|
| Line 1064... |
Line 1036... |
| 1064 |
$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
|
1036 |
$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
|
| 1065 |
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
|
1037 |
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
|
| 1066 |
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
|
1038 |
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
|
| 1067 |
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
|
1039 |
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
|
| 1068 |
# no TLS encryption on 127.0.0.1
|
1040 |
# no TLS encryption on 127.0.0.1
|
| 1069 |
$SED "s?^[\t] ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
|
1041 |
$SED "s?^[\t ]*ca_file =.*?#&?g" /etc/raddb/mods-available/sql
|
| 1070 |
$SED "s?^[\t] ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
|
1042 |
$SED "s?^[\t ]*ca_path =.*?#&?g" /etc/raddb/mods-available/sql
|
| 1071 |
$SED "s?^[\t] ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
|
1043 |
$SED "s?^[\t ]*certificate_file =.*?#&?g" /etc/raddb/mods-available/sql
|
| 1072 |
$SED "s?^[\t] ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
|
1044 |
$SED "s?^[\t ]*private_key_file =.*?#&?g" /etc/raddb/mods-available/sql
|
| 1073 |
$SED "s?^[\t] ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
|
1045 |
$SED "s?^[\t ]*cipher =.*?#&?g" /etc/raddb/mods-available/sql
|
| 1074 |
$SED "s?^[\t] ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
|
1046 |
$SED "s?^[\t ]*tls_required =.*?tls_required = no?g" /etc/raddb/mods-available/sql
|
| 1075 |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
|
1047 |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
|
| 1076 |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
|
1048 |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
|
| 1077 |
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
1049 |
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
| 1078 |
chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
1050 |
chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
| 1079 |
# sqlcounter modifications
|
1051 |
# sqlcounter modifications
|
| Line 1303... |
Line 1275... |
| 1303 |
# Adapt the main conf file
|
1275 |
# Adapt the main conf file
|
| 1304 |
# French deny HTML page
|
1276 |
# French deny HTML page
|
| 1305 |
$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
|
1277 |
$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
|
| 1306 |
# Listen only on LAN side
|
1278 |
# Listen only on LAN side
|
| 1307 |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
|
1279 |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
|
| 1308 |
# The port that E2guardian listens to
|
1280 |
# The port that E2guardian listens to HTTP
|
| 1309 |
$SED "s?^filterports =*?filteports = 8080?g" $DIR_DG/e2guardian.conf
|
1281 |
$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf
|
| - |
|
1282 |
# The port that E2guardian listens to HTTPS
|
| - |
|
1283 |
$SED "s?^transparenthttpsport =*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
|
| 1310 |
# DG send its flow to HAVP (127.0.0.1:8090)
|
1284 |
# DG send its flow to HAVP (127.0.0.1:8090)
|
| 1311 |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
|
1285 |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
|
| 1312 |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
|
1286 |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
|
| 1313 |
# Don't log
|
1287 |
# Don't log
|
| 1314 |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
|
1288 |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
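Review bot: The `filterports` substitution and the new `transparenthttpsport` line (new-side 1281 and 1283) anchor on `=*`, which only matches an optional run of `=` characters instead of the rest of the line, unlike the sibling `^language =.*`, `^filterip.*` and `^loglevel =.*` patterns in this hunk. If the shipped e2guardian.conf carries the key with a value, the original value is left trailing after the injected one; if the key is commented out there, neither pattern matches and the edit is a silent no-op — I cannot see the default file here, so which case applies should be confirmed, but the intent reads as `.*` either way. Suggested lines: `$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf` and `$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf`. The enclosing function starts and ends outside the hunk.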
|
| Line 1593... |
Line 1567... |
| 1593 |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
|
1567 |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
|
| 1594 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
1568 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
| 1595 |
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
|
1569 |
[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
|
| 1596 |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
|
1570 |
$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
|
| 1597 |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
|
1571 |
$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
|
| 1598 |
/usr/bin/vnstat -i $EXTIF -u --force
|
- |
|
| 1599 |
} # End of vnstat()
|
1572 |
} # End of vnstat()
|
| 1600 |
|
1573 |
|
| 1601 |
###################################################################
|
1574 |
###################################################################
|
| 1602 |
## Function "dnsmasq" ##
|
1575 |
## Function "dnsmasq" ##
|
| 1603 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
1576 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|