Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 2772 2020-03-01 18:04:45Z rexy $
|
2 |
# $Id: alcasar.sh 2775 2020-03-08 23:13:41Z rexy $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
# team@alcasar.net
|
7 |
# team@alcasar.net
|
Line 36... |
Line 36... |
36 |
# chilli : coovachilli initialisation (+authentication page)
|
36 |
# chilli : coovachilli initialisation (+authentication page)
|
37 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
37 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
38 |
# antivirus : HAVP + libclamav configuration
|
38 |
# antivirus : HAVP + libclamav configuration
|
39 |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
|
39 |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
|
40 |
# ulogd : log system in userland (match NFLOG target of iptables)
|
40 |
# ulogd : log system in userland (match NFLOG target of iptables)
|
41 |
# nfsen : Configuration of Nfsen Netflow grapher
|
41 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
42 |
# unbound : Name server configuration
|
42 |
# unbound : Name server configuration
|
43 |
# dnsmasq : Name server configuration (for whitelist ipset support)
|
43 |
# dnsmasq : Name server configuration (for whitelist ipset support)
|
44 |
# vnstat : little network stat daemon
|
44 |
# vnstat : little network stat daemon
|
45 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
|
45 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
|
46 |
# cron : Logs export + watchdog + connexion statistics
|
46 |
# cron : Logs export + watchdog + connexion statistics
|
Line 762... |
Line 762... |
762 |
## - Creating the CA and the server certificate (lighttpd) ##
|
762 |
## - Creating the CA and the server certificate (lighttpd) ##
|
763 |
##################################################################
|
763 |
##################################################################
|
764 |
CA()
|
764 |
CA()
|
765 |
{
|
765 |
{
|
766 |
$DIR_DEST_BIN/alcasar-CA.sh
|
766 |
$DIR_DEST_BIN/alcasar-CA.sh
|
767 |
chown -R root:apache /etc/pki
|
- |
|
768 |
chmod -R 750 /etc/pki
|
- |
|
769 |
} # End of CA()
|
767 |
} # End of CA()
|
770 |
|
768 |
|
771 |
###################################################
|
769 |
###################################################
|
772 |
## Function "ACC" ##
|
770 |
## Function "ACC" ##
|
773 |
## - copy ALCASAR Control Center (ACC) files ##
|
771 |
## - copy ALCASAR Control Center (ACC) files ##
|
Line 1081... |
Line 1079... |
1081 |
[Service]
|
1079 |
[Service]
|
1082 |
Type=forking
|
1080 |
Type=forking
|
1083 |
ExecStart=/usr/libexec/chilli start
|
1081 |
ExecStart=/usr/libexec/chilli start
|
1084 |
ExecStop=/usr/libexec/chilli stop
|
1082 |
ExecStop=/usr/libexec/chilli stop
|
1085 |
ExecReload=/usr/libexec/chilli reload
|
1083 |
ExecReload=/usr/libexec/chilli reload
|
1086 |
PIDFile=/var/run/chilli.pid
|
1084 |
PIDFile=/run/chilli.pid
|
1087 |
|
1085 |
|
1088 |
[Install]
|
1086 |
[Install]
|
1089 |
WantedBy=multi-user.target
|
1087 |
WantedBy=multi-user.target
|
1090 |
EOF
|
1088 |
EOF
|
1091 |
# init file creation
|
1089 |
# init file creation
|
Line 1109... |
Line 1107... |
1109 |
### END INIT INFO
|
1107 |
### END INIT INFO
|
1110 |
|
1108 |
|
1111 |
[ -f /usr/sbin/chilli ] || exit 0
|
1109 |
[ -f /usr/sbin/chilli ] || exit 0
|
1112 |
. /etc/init.d/functions
|
1110 |
. /etc/init.d/functions
|
1113 |
CONFIG=/etc/chilli.conf
|
1111 |
CONFIG=/etc/chilli.conf
|
1114 |
pidfile=/var/run/chilli.pid
|
1112 |
pidfile=/run/chilli.pid
|
1115 |
[ -f \$CONFIG ] || {
|
1113 |
[ -f \$CONFIG ] || {
|
1116 |
echo "\$CONFIG Not found"
|
1114 |
echo "\$CONFIG Not found"
|
1117 |
exit 0
|
1115 |
exit 0
|
1118 |
}
|
1116 |
}
|
1119 |
current_users_file="/var/tmp/havp/current_users.txt" # file containing active users
|
1117 |
current_users_file="/var/tmp/havp/current_users.txt" # file containing active users
|
Line 1124... |
Line 1122... |
1124 |
if [ -f \$pidfile ] ; then
|
1122 |
if [ -f \$pidfile ] ; then
|
1125 |
gprintf "chilli is already running"
|
1123 |
gprintf "chilli is already running"
|
1126 |
else
|
1124 |
else
|
1127 |
gprintf "Starting \$prog: "
|
1125 |
gprintf "Starting \$prog: "
|
1128 |
echo '' > \$current_users_file && chown apache:apache \$current_users_file
|
1126 |
echo '' > \$current_users_file && chown apache:apache \$current_users_file
|
1129 |
rm -f /var/run/chilli* # cleaning
|
1127 |
rm -f /run/chilli* # cleaning
|
1130 |
/usr/sbin/modprobe tun >/dev/null 2>&1
|
1128 |
/usr/sbin/modprobe tun >/dev/null 2>&1
|
1131 |
echo 1 > /proc/sys/net/ipv4/ip_forward
|
1129 |
echo 1 > /proc/sys/net/ipv4/ip_forward
|
1132 |
[ -e /dev/net/tun ] || {
|
1130 |
[ -e /dev/net/tun ] || {
|
1133 |
(cd /dev;
|
1131 |
(cd /dev;
|
1134 |
mkdir net;
|
1132 |
mkdir net;
|
Line 1192... |
Line 1190... |
1192 |
#Code : 42 => 2a
|
1190 |
#Code : 42 => 2a
|
1193 |
#Len : 4 => 04
|
1191 |
#Len : 4 => 04
|
1194 |
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
|
1192 |
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
|
1195 |
cat <<EOF > /etc/chilli.conf
|
1193 |
cat <<EOF > /etc/chilli.conf
|
1196 |
# coova config for ALCASAR
|
1194 |
# coova config for ALCASAR
|
1197 |
cmdsocket /var/run/chilli.sock
|
1195 |
cmdsocket /run/chilli.sock
|
1198 |
unixipc chilli.$INTIF.ipc
|
1196 |
unixipc chilli.$INTIF.ipc
|
1199 |
pidfile /var/run/chilli.pid
|
1197 |
pidfile /run/chilli.pid
|
1200 |
net $PRIVATE_NETWORK_MASK
|
1198 |
net $PRIVATE_NETWORK_MASK
|
1201 |
dhcpif $INTIF
|
1199 |
dhcpif $INTIF
|
1202 |
ethers $DIR_DEST_ETC/alcasar-ethers
|
1200 |
ethers $DIR_DEST_ETC/alcasar-ethers
|
1203 |
#nodynip
|
1201 |
#nodynip
|
1204 |
#statip
|
1202 |
#statip
|
Line 1261... |
Line 1259... |
1261 |
## Function "e2guardian" ##
|
1259 |
## Function "e2guardian" ##
|
1262 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1260 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1263 |
################################################################
|
1261 |
################################################################
|
1264 |
e2guardian()
|
1262 |
e2guardian()
|
1265 |
{
|
1263 |
{
|
1266 |
mkdir -p /var/e2guardian /var/log/e2guardian
|
- |
|
1267 |
chown -R e2guardian /var/e2guardian /var/log/e2guardian
|
- |
|
1268 |
# Adapt systemd unit
|
1264 |
# Adapt systemd unit
|
1269 |
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
|
1265 |
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
|
1270 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
|
1266 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
|
1271 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
|
1267 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
|
1272 |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
|
1268 |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
|
1273 |
|
- |
|
1274 |
# Adapt the main conf file
|
1269 |
# Adapt the main conf file
|
1275 |
# French deny HTML page
|
1270 |
# French deny HTML page
|
1276 |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
|
1271 |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
|
1277 |
# Listen only on LAN side
|
1272 |
# Listen only on LAN side
|
1278 |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
|
1273 |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
|
1279 |
# The port that E2guardian listens to HTTP
|
1274 |
# E2guardian listens on 8080 (HTTP)
|
1280 |
$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf
|
1275 |
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
|
1281 |
# The port that E2guardian listens to HTTPS
|
1276 |
# E2guardian listens transparently on 8443 (HTTPS)
|
1282 |
$SED "s?^transparenthttpsport =*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
|
1277 |
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
|
1283 |
# DG send its flow to HAVP (127.0.0.1:8090)
|
1278 |
# DG send its flow to HAVP (127.0.0.1:8090)
|
1284 |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
|
1279 |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
|
1285 |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
|
1280 |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
|
1286 |
# Don't log
|
1281 |
# Don't log
|
1287 |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
|
1282 |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
|
1288 |
# Disable HTML content control
|
1283 |
# Disable HTML content control (weighted & banned)
|
1289 |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
|
1284 |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
|
1290 |
# ???
|
- |
|
1291 |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
|
1285 |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
|
1292 |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
|
1286 |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
|
1293 |
# Disable URL control with regex
|
1287 |
# Disable URL control with regex
|
1294 |
# do nothing
|
- |
|
1295 |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
|
1288 |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
|
1296 |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
|
1289 |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
|
1297 |
|
- |
|
1298 |
# Adapt the first group file (only one for instance)
|
1290 |
# Adapt the first group file (only one for instance)
|
1299 |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
|
1291 |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
|
1300 |
# Reporting (deny page) in HTML
|
1292 |
# Reporting (deny page) in HTML
|
1301 |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
|
1293 |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
|
1302 |
|
1294 |
|
1303 |
# Replace the default deny HTML page (only fr & uk) --> search why our pages make the server crash...
|
1295 |
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
|
1304 |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
|
1296 |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
|
1305 |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
|
1297 |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
|
1306 |
# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
|
1298 |
# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
|
1307 |
# cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
|
1299 |
# cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
|
1308 |
# Dont filtering files by extension or mime-type (empty list)
|
1300 |
# Dont filtering files by extension or mime-type (empty list)
|
Line 1314... |
Line 1306... |
1314 |
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
|
1306 |
[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
|
1315 |
touch $DIR_DG/lists/exceptioniplist
|
1307 |
touch $DIR_DG/lists/exceptioniplist
|
1316 |
# Creation of ALCASAR banned site list
|
1308 |
# Creation of ALCASAR banned site list
|
1317 |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
|
1309 |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
|
1318 |
cat <<EOF > $DIR_DG/lists/bannedsitelist
|
1310 |
cat <<EOF > $DIR_DG/lists/bannedsitelist
|
1319 |
# E2guardian domain filter config for ALCASAR
|
1311 |
# E2guardian filter config for ALCASAR
|
- |
|
1312 |
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
|
1320 |
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
|
1313 |
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
|
1321 |
#**
|
1314 |
#**
|
1322 |
# block all SSL and CONNECT tunnels
|
1315 |
# block all SSL and CONNECT tunnels
|
1323 |
**s
|
1316 |
**s
|
1324 |
# block all SSL and CONNECT tunnels specified only as an IP
|
1317 |
# block all SSL and CONNECT tunnels specified only as an IP
|
1325 |
*ips
|
1318 |
*ips
|
1326 |
# block all sites specified only by an IP
|
1319 |
# block all sites specified only by an IP
|
1327 |
*ip
|
1320 |
*ip
|
1328 |
EOF
|
1321 |
EOF
|
1329 |
# Creation of ALCASAR banned URL list (empty)
|
1322 |
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
|
1330 |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
|
1323 |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
|
1331 |
cat <<EOF > $DIR_DG/lists/bannedurllist
|
1324 |
cat <<EOF > $DIR_DG/lists/bannedurllist
|
1332 |
# E2guardian filter config for ALCASAR
|
1325 |
# E2guardian filter config for ALCASAR
|
1333 |
EOF
|
1326 |
EOF
|
1334 |
# Creation of file for the rehabilited domains and urls
|
1327 |
# Creation of files for rehabilited domains and urls
|
1335 |
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
|
1328 |
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
|
1336 |
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
|
1329 |
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
|
1337 |
touch $DIR_DG/lists/exceptionsitelist
|
1330 |
touch $DIR_DG/lists/exceptionsitelist
|
1338 |
touch $DIR_DG/lists/exceptionurllist
|
1331 |
touch $DIR_DG/lists/exceptionurllist
|
1339 |
# Add Bing to the safesearch url regext list (parental control)
|
1332 |
# Add Bing to the safesearch url regext list (parental control)
|
1340 |
[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
|
1333 |
[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
|
1341 |
cat <<EOF >> $DIR_DG/lists/urlregexplist
|
1334 |
cat <<EOF >> $DIR_DG/lists/urlregexplist
|
1342 |
# Bing - add 'adlt=strict'
|
1335 |
# Bing - add 'adlt=strict'
|
1343 |
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
|
1336 |
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
|
1344 |
EOF
|
1337 |
EOF
|
1345 |
# 'Safesearch' regex actualisation
|
1338 |
# 'Safesearch' regex actualisation
|
1346 |
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
|
1339 |
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
|
1347 |
# change the google safesearch ("safe=strict" instead of "safe=vss")
|
1340 |
# change the google safesearch ("safe=strict" instead of "safe=vss")
|
1348 |
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
|
1341 |
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
|
- |
|
1342 |
# create log folder
|
- |
|
1343 |
mkdir -p /var/log/e2guardian
|
- |
|
1344 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1349 |
} # End of e2guardian()
|
1345 |
} # End of e2guardian()
|
1350 |
|
1346 |
|
1351 |
##################################################################
|
1347 |
##################################################################
|
1352 |
## Function "antivirus" ##
|
1348 |
## Function "antivirus" ##
|
1353 |
## - Set the parameters of havp, libclamav and freshclam ##
|
1349 |
## - Set the parameters of havp, libclamav and freshclam ##
|
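Review bot: The new `chown -R e2guardian /etc/e2guardian /var/log/e2guardian` at the end of the hunk makes the service account the owner of its own configuration and list directory, so a compromise of the proxy process (which parses untrusted client HTTP traffic) could rewrite e2guardian.conf or empty the banned lists and silently disable filtering. Only the log directory needs to be writable by that account; the config tree should stay root-owned and group-readable, e.g. `chown -R root:e2guardian /etc/e2guardian`, `chmod -R g+rX,o-rwx /etc/e2guardian`, `chown -R e2guardian /var/log/e2guardian`. If e2guardian genuinely needs write access somewhere under /etc/e2guardian, limit the ownership change to that path and say why in the comment. The `mkdir -p /var/e2guardian` dropped in the earlier hunk of this function is not recreated anywhere visible here, so it is worth confirming the package or unit creates it. e2guardian() starts outside this hunk.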
Line 1361... |
Line 1357... |
1361 |
userdel -r havp 2>/dev/null
|
1357 |
userdel -r havp 2>/dev/null
|
1362 |
groupdel havp 2>/dev/null
|
1358 |
groupdel havp 2>/dev/null
|
1363 |
fi
|
1359 |
fi
|
1364 |
groupadd -f havp
|
1360 |
groupadd -f havp
|
1365 |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
|
1361 |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
|
1366 |
mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
|
1362 |
mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav
|
1367 |
chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
|
1363 |
chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp
|
1368 |
chown -R clamav:clamav /var/log/clamav /var/lib/clamav
|
1364 |
chown -R clamav:clamav /var/log/clamav /var/lib/clamav
|
1369 |
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
|
1365 |
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
|
1370 |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
|
1366 |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
|
1371 |
$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
|
1367 |
$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
|
1372 |
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
|
1368 |
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
|
1373 |
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
|
1369 |
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
|
1374 |
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
|
1370 |
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
|
1375 |
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
|
1371 |
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
|
1376 |
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
|
1372 |
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
|
Line 1412... |
Line 1408... |
1412 |
userdel -r tinyproxy 2>/dev/null
|
1408 |
userdel -r tinyproxy 2>/dev/null
|
1413 |
groupdel tinyproxy 2>/dev/null
|
1409 |
groupdel tinyproxy 2>/dev/null
|
1414 |
fi
|
1410 |
fi
|
1415 |
groupadd -f tinyproxy
|
1411 |
groupadd -f tinyproxy
|
1416 |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
|
1412 |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
|
1417 |
mkdir -p /var/run/tinyproxy /var/log/tinyproxy
|
1413 |
mkdir -p /run/tinyproxy /var/log/tinyproxy
|
1418 |
chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
|
1414 |
chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
|
1419 |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
|
1415 |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
|
1420 |
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
|
1416 |
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
|
1421 |
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
|
1417 |
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
|
1422 |
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
|
1418 |
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
|
1423 |
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
|
1419 |
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
|
1424 |
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
|
1420 |
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
|
1425 |
$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
|
1421 |
$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
|
1426 |
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
|
1422 |
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
|
1427 |
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
|
1423 |
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
|
1428 |
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
|
1424 |
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
|
1429 |
$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
|
1425 |
$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
|
1430 |
# Create the systemd unit
|
1426 |
# Create the systemd unit
|
Line 1442... |
Line 1438... |
1442 |
Description=Tinyproxy Web Proxy Server
|
1438 |
Description=Tinyproxy Web Proxy Server
|
1443 |
After=network-online.target iptables.service
|
1439 |
After=network-online.target iptables.service
|
1444 |
|
1440 |
|
1445 |
[Service]
|
1441 |
[Service]
|
1446 |
Type=forking
|
1442 |
Type=forking
|
1447 |
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
|
1443 |
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
|
1448 |
ExecStartPre=/bin/sleep 2
|
1444 |
ExecStartPre=/bin/sleep 2
|
1449 |
PIDFile=/var/run/tinyproxy/tinyproxy.pid
|
1445 |
PIDFile=/run/tinyproxy/tinyproxy.pid
|
1450 |
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
|
1446 |
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
|
1451 |
ExecStop=/usr/bin/killall -9 tinyproxy
|
1447 |
ExecStop=/usr/bin/killall -9 tinyproxy
|
1452 |
[Install]
|
1448 |
[Install]
|
1453 |
WantedBy=multi-user.target
|
1449 |
WantedBy=multi-user.target
|
1454 |
EOF
|
1450 |
EOF
|
Line 1507... |
Line 1503... |
1507 |
After=network-online.target iptables.service
|
1503 |
After=network-online.target iptables.service
|
1508 |
|
1504 |
|
1509 |
[Service]
|
1505 |
[Service]
|
1510 |
Type=exec
|
1506 |
Type=exec
|
1511 |
PIDFile=/run/nfcapd/nfcapd.pid
|
1507 |
PIDFile=/run/nfcapd/nfcapd.pid
|
1512 |
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /var/run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow
|
1508 |
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow
|
1513 |
ExecReload=/bin/kill -HUP $MAINPID
|
1509 |
ExecReload=/bin/kill -HUP $MAINPID
|
1514 |
|
1510 |
|
1515 |
[Install]
|
1511 |
[Install]
|
1516 |
WantedBy=multi-user.target
|
1512 |
WantedBy=multi-user.target
|
1517 |
EOF
|
1513 |
EOF
|
1518 |
[ -d /var/log/nfsen/profile-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profile-data/live/alcasar_netflow
|
1514 |
[ -d /var/log/nfsen/profile-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profile-data/live/alcasar_netflow
|
1519 |
[ -d /var/run/nfcapd ] || mkdir -p /var/run/nfcapd
|
1515 |
[ -d /run/nfcapd ] || mkdir -p /run/nfcapd
|
1520 |
chown -R nfcapd:nfcapd /var/log/nfsen /var/run/nfcapd
|
1516 |
chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
|
1521 |
# chown -R apache:apache /var/log/nfsen/profile-data/live/alcasar_netflow
|
- |
|
1522 |
} # End of nfsen()
|
1517 |
} # End of nfsen()
|
1523 |
|
1518 |
|
1524 |
###########################################################
|
1519 |
###########################################################
|
1525 |
## Function "vnstat" ##
|
1520 |
## Function "vnstat" ##
|
1526 |
## - Initialization of Vnstat and vnstat phpFrontEnd ##
|
1521 |
## - Initialization of Vnstat and vnstat phpFrontEnd ##
|
Line 1545... |
Line 1540... |
1545 |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
|
1540 |
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
|
1546 |
# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
|
1541 |
# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
|
1547 |
cat << EOF > /etc/dnsmasq-whitelist.conf
|
1542 |
cat << EOF > /etc/dnsmasq-whitelist.conf
|
1548 |
# Configuration file for "dnsmasq with whitelist"
|
1543 |
# Configuration file for "dnsmasq with whitelist"
|
1549 |
# ADD Toulouse university whitelist domains
|
1544 |
# ADD Toulouse university whitelist domains
|
1550 |
pid-file=/var/run/dnsmasq-whitelist.pid
|
1545 |
pid-file=/run/dnsmasq-whitelist.pid
|
1551 |
listen-address=127.0.0.1
|
1546 |
listen-address=127.0.0.1
|
1552 |
port=55
|
1547 |
port=55
|
1553 |
no-dhcp-interface=lo
|
1548 |
no-dhcp-interface=lo
|
1554 |
bind-interfaces
|
1549 |
bind-interfaces
|
1555 |
cache-size=1024
|
1550 |
cache-size=1024
|
Line 1563... |
Line 1558... |
1563 |
EOF
|
1558 |
EOF
|
1564 |
# Create dnsmasq-whitelist unit
|
1559 |
# Create dnsmasq-whitelist unit
|
1565 |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
|
1560 |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
|
1566 |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
|
1561 |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
|
1567 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1562 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1568 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1563 |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1569 |
} # End of dnsmasq()
|
1564 |
} # End of dnsmasq()
|
1570 |
|
1565 |
|
1571 |
#########################################################
|
1566 |
#########################################################
|
1572 |
## Function "unbound" ##
|
1567 |
## Function "unbound" ##
|
1573 |
## - create the conf files for 4 unbound services ##
|
1568 |
## - create the conf files for 4 unbound services ##
|
Line 1756... |
Line 1751... |
1756 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
|
1751 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
|
1757 |
for list in blacklist blackhole whitelist
|
1752 |
for list in blacklist blackhole whitelist
|
1758 |
do
|
1753 |
do
|
1759 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
|
1754 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
|
1760 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
|
1755 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
|
1761 |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
|
1756 |
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
|
1762 |
done
|
1757 |
done
|
1763 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
|
1758 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
|
1764 |
} # End of unbound()
|
1759 |
} # End of unbound()
|
1765 |
|
1760 |
|
1766 |
##################################################
|
1761 |
##################################################
|
Line 1924... |
Line 1919... |
1924 |
chmod 644 /var/Save/security/watchdog.log
|
1919 |
chmod 644 /var/Save/security/watchdog.log
|
1925 |
/usr/bin/touch /var/log/auth.log
|
1920 |
/usr/bin/touch /var/log/auth.log
|
1926 |
# fail2ban unit
|
1921 |
# fail2ban unit
|
1927 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
1922 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
1928 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
1923 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
1929 |
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
1924 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
1930 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
|
1925 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
|
1931 |
} # End of fail2ban()
|
1926 |
} # End of fail2ban()
|
1932 |
|
1927 |
|
1933 |
#########################################################
|
1928 |
#########################################################
|
1934 |
## Fonction "gammu_smsd" ##
|
1929 |
## Fonction "gammu_smsd" ##
|
Line 1994... |
Line 1989... |
1994 |
Documentation=man:gammu-smsd(1)
|
1989 |
Documentation=man:gammu-smsd(1)
|
1995 |
After=network.target mysql.service
|
1990 |
After=network.target mysql.service
|
1996 |
|
1991 |
|
1997 |
[Service]
|
1992 |
[Service]
|
1998 |
Type=forking
|
1993 |
Type=forking
|
1999 |
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
|
1994 |
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
|
2000 |
ExecReload=/bin/kill -HUP $MAINPID
|
1995 |
ExecReload=/bin/kill -HUP $MAINPID
|
2001 |
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
|
1996 |
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
|
2002 |
PIDFile=/var/run/gammu-smsd.pid
|
1997 |
PIDFile=/run/gammu-smsd.pid
|
2003 |
|
1998 |
|
2004 |
[Install]
|
1999 |
[Install]
|
2005 |
WantedBy=multi-user.target
|
2000 |
WantedBy=multi-user.target
|
2006 |
EOF
|
2001 |
EOF
|
2007 |
|
2002 |
|