WebSVN – ALCASAR – Diff – /alcasar.sh



#!/bin/bash
#  $Id: alcasar.sh 2764 2019-11-11 23:07:44Z rexy $
 
# alcasar.sh
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
# This script is distributed under the Gnu General Public License (GPL)
#  team@alcasar.net

	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
 
# Adapt the main conf file
# French deny HTML page
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
# Listen only on LAN side
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
# The port that E2guardian listens to HTTP
	$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf
# The port that E2guardian listens to HTTPS

	$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
# Don't log
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
# Disable HTML content control
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
# ???
    cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
# Disable URL control with regex
# do nothing
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
 
# Adapt the first group file (only one for instance)
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
# Reporting (deny page) in HTML
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
 
# Replace the default deny HTML page (only fr & uk) --> search why our pages make the server crash... 
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
 
# Dont filtering files by extension or mime-type (empty list)
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
 
	touch $DIR_DG/lists/bannedextensionlist
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
	touch $DIR_DG/lists/bannedmimetypelist
# Empty LAN IP list that won't be WEB filtered
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
	touch $DIR_DG/lists/exceptioniplist
# Creation of ALCASAR banned site list

	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
# update virus database every 4 hours (24h/6)
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
 
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
# update now
	/usr/bin/freshclam --no-warnings
} # End of antivirus()
 

	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
	$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
# Create the systemd unit
cat << EOF > /lib/systemd/system/tinyproxy.service
#  This file is part of systemd.

 
# This unit launches tinyproxy (a very light proxy).
# The "sleep 2" is needed because the pid file isn't ready for systemd
[Unit]
Description=Tinyproxy Web Proxy Server
After=network-online.target iptables.service
 
[Service]
Type=forking
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
ExecStartPre=/bin/sleep 2
PIDFile=/var/run/tinyproxy/tinyproxy.pid
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
 
ExecStop=/usr/bin/killall -9 tinyproxy
[Install]
WantedBy=multi-user.target
EOF
 
} # end of tinyproxy()

[Install]
WantedBy=multi-user.target
EOF
	/usr/bin/systemctl daemon-reload
# processes launched at boot time (Systemctl)
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
	do
		/usr/bin/systemctl -q enable $i.service
	done
 
# disable processes at boot time (Systemctl)

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2763 → 2764

Rev 2763		Rev 2764
Line 1...		Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar.sh 2763 2019-11-10 18:26:57Z rexy $`	2	`# $Id: alcasar.sh 2764 2019-11-11 23:07:44Z rexy $`
3		3
4	`# alcasar.sh`	4	`# alcasar.sh`
5	`# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`	5	`# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`# team@alcasar.net`	7	`# team@alcasar.net`
Line 1272...		Line 1272...
1272	`$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service`	1272	`$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service`
1273	`[ -e $DIR_DG/e2guardian.conf.default ] \|\| cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default`	1273	`[ -e $DIR_DG/e2guardian.conf.default ] \|\| cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default`
1274		1274
1275	`# Adapt the main conf file`	1275	`# Adapt the main conf file`
1276	`# French deny HTML page`	1276	`# French deny HTML page`
1277	`$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf`	1277	`$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf`
1278	`# Listen only on LAN side`	1278	`# Listen only on LAN side`
1279	`$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf`	1279	`$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf`
1280	`# The port that E2guardian listens to HTTP`	1280	`# The port that E2guardian listens to HTTP`
1281	`$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf`	1281	`$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf`
1282	`# The port that E2guardian listens to HTTPS`	1282	`# The port that E2guardian listens to HTTPS`
Line 1286...		Line 1286...
1286	`$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf`	1286	`$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf`
1287	`# Don't log`	1287	`# Don't log`
1288	`$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf`	1288	`$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf`
1289	`# Disable HTML content control`	1289	`# Disable HTML content control`
1290	`$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf`	1290	`$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf`
-		1291	`# ???`
1291	`cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default`	1292	`cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default`
1292	`$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)`	1293	`$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)`
1293	`# Disable URL control with regex`	1294	`# Disable URL control with regex`
-		1295	`# do nothing`
1294	`cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default`	1296	`cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default`
1295	`$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)`	1297	`$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)`
1296		1298
1297	`# Adapt the first group file (only one for instance)`	1299	`# Adapt the first group file (only one for instance)`
1298	`[ -e $DIR_DG/e2guardianf1.conf.default ] \|\| cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default`	1300	`[ -e $DIR_DG/e2guardianf1.conf.default ] \|\| cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default`
1299	`# Reporting (deny page) in HTML`	1301	`# Reporting (deny page) in HTML`
1300	`$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf`	1302	`$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf`
1301		1303
1302	`# Replace the default deny HTML page (only fr & uk)`	1304	`# Replace the default deny HTML page (only fr & uk) --> search why our pages make the server crash...`
1303	`[ -e /usr/share/e2guardian/languages/french/template.html.default ] \|\| mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default`	1305	`# [ -e /usr/share/e2guardian/languages/french/template.html.default ] \|\| mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default`
-		1306	`# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html`
1304	`[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] \|\| mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/french/template.html.default`	1307	`# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] \|\| mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default`
1305	`cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html`	1308	`# cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html`
1306	`cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html`	-
1307	`# Dont filtering files by extension or mime-type (empty list)`	1309	`# Dont filtering files by extension or mime-type (empty list)`
1308	`[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default`	1310	`[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default`
1309	`[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default`	-
1310	`touch $DIR_DG/lists/bannedextensionlist`	1311	`touch $DIR_DG/lists/bannedextensionlist`
-		1312	`[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default`
1311	`touch $DIR_DG/lists/bannedmimetypelist`	1313	`touch $DIR_DG/lists/bannedmimetypelist`
1312	`# Empty LAN IP list that won't be WEB filtered`	1314	`# Empty LAN IP list that won't be WEB filtered`
1313	`[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default`	1315	`[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default`
1314	`touch $DIR_DG/lists/exceptioniplist`	1316	`touch $DIR_DG/lists/exceptioniplist`
1315	`# Creation of ALCASAR banned site list`	1317	`# Creation of ALCASAR banned site list`
Line 1392...		Line 1394...
1392	`cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html`	1394	`cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html`
1393	`# update virus database every 4 hours (24h/6)`	1395	`# update virus database every 4 hours (24h/6)`
1394	`[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default`	1396	`[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default`
1395	`$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf`	1397	`$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf`
1396	`$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf`	1398	`$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf`
1397	`$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf`	1399	`$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf`
1398	`$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf`	-
1399	`$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf`	1400	`$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf`
1400	`# update now`	1401	`# update now`
1401	`/usr/bin/freshclam --no-warnings`	1402	`/usr/bin/freshclam --no-warnings`
1402	`} # End of antivirus()`	1403	`} # End of antivirus()`
1403		1404
Line 1423...		Line 1424...
1423	`$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port`	1424	`$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port`
1424	`$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)`	1425	`$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)`
1425	`$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf`	1426	`$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf`
1426	`$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf`	1427	`$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf`
1427	`$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged`	1428	`$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged`
1428	`$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP`	1429	`$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP`
1429	`$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode`	1430	`$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode`
1430	`$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN`	1431	`$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN`
1431	`# Create the systemd unit`	1432	`# Create the systemd unit`
1432	`cat << EOF > /lib/systemd/system/tinyproxy.service`	1433	`cat << EOF > /lib/systemd/system/tinyproxy.service`
1433	`# This file is part of systemd.`	1434	`# This file is part of systemd.`
Line 1439...		Line 1440...
1439		1440
1440	`# This unit launches tinyproxy (a very light proxy).`	1441	`# This unit launches tinyproxy (a very light proxy).`
1441	`# The "sleep 2" is needed because the pid file isn't ready for systemd`	1442	`# The "sleep 2" is needed because the pid file isn't ready for systemd`
1442	`[Unit]`	1443	`[Unit]`
1443	`Description=Tinyproxy Web Proxy Server`	1444	`Description=Tinyproxy Web Proxy Server`
1444	`After=network.target iptables.service`	1445	`After=network-online.target iptables.service`
1445		1446
1446	`[Service]`	1447	`[Service]`
1447	`Type=forking`	1448	`Type=forking`
1448	`ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy`	1449	`ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy`
1449	`ExecStartPre=/bin/sleep 2`	1450	`ExecStartPre=/bin/sleep 2`
1450	`PIDFile=/var/run/tinyproxy/tinyproxy.pid`	1451	`PIDFile=/var/run/tinyproxy/tinyproxy.pid`
1451	`ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf`	1452	`ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf`
1452		-
-		1453	`ExecStop=/usr/bin/killall -9 tinyproxy`
1453	`[Install]`	1454	`[Install]`
1454	`WantedBy=multi-user.target`	1455	`WantedBy=multi-user.target`
1455	`EOF`	1456	`EOF`
1456		1457
1457	`} # end of tinyproxy()`	1458	`} # end of tinyproxy()`
Line 2227...		Line 2228...
2227	`[Install]`	2228	`[Install]`
2228	`WantedBy=multi-user.target`	2229	`WantedBy=multi-user.target`
2229	`EOF`	2230	`EOF`
2230	`/usr/bin/systemctl daemon-reload`	2231	`/usr/bin/systemctl daemon-reload`
2231	`# processes launched at boot time (Systemctl)`	2232	`# processes launched at boot time (Systemctl)`
2232	`for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd`	2233	`for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd`
2233	`do`	2234	`do`
2234	`/usr/bin/systemctl -q enable $i.service`	2235	`/usr/bin/systemctl -q enable $i.service`
2235	`done`	2236	`done`
2236		2237
2237	`# disable processes at boot time (Systemctl)`	2238	`# disable processes at boot time (Systemctl)`