Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2772 2020-03-01 18:04:45Z rexy $
2
#  $Id: alcasar.sh 2775 2020-03-08 23:13:41Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
Line 36... Line 36...
36
#	chilli			: coovachilli initialisation (+authentication page)
36
#	chilli			: coovachilli initialisation (+authentication page)
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
38
#	antivirus		: HAVP + libclamav configuration
38
#	antivirus		: HAVP + libclamav configuration
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	nfsen			: Configuration of Nfsen Netflow grapher
41
#	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
42
#	unbound			: Name server configuration
42
#	unbound			: Name server configuration
43
#	dnsmasq			: Name server configuration (for whitelist ipset support)
43
#	dnsmasq			: Name server configuration (for whitelist ipset support)
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
45
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
Line 762... Line 762...
762
## - Creating the CA and the server certificate (lighttpd)      ##
762
## - Creating the CA and the server certificate (lighttpd)      ##
763
##################################################################
763
##################################################################
764
CA()
764
CA()
765
{
765
{
766
	$DIR_DEST_BIN/alcasar-CA.sh
766
	$DIR_DEST_BIN/alcasar-CA.sh
767
	chown -R root:apache /etc/pki
-
 
768
	chmod -R 750 /etc/pki
-
 
769
} # End of CA()
767
} # End of CA()
770
 
768
 
771
###################################################
769
###################################################
772
##                  Function "ACC"               ##
770
##                  Function "ACC"               ##
773
## - copy ALCASAR Control Center (ACC) files     ##
771
## - copy ALCASAR Control Center (ACC) files     ##
Line 1081... Line 1079...
1081
[Service]
1079
[Service]
1082
Type=forking
1080
Type=forking
1083
ExecStart=/usr/libexec/chilli start
1081
ExecStart=/usr/libexec/chilli start
1084
ExecStop=/usr/libexec/chilli stop
1082
ExecStop=/usr/libexec/chilli stop
1085
ExecReload=/usr/libexec/chilli reload
1083
ExecReload=/usr/libexec/chilli reload
1086
PIDFile=/var/run/chilli.pid
1084
PIDFile=/run/chilli.pid
1087
 
1085
 
1088
[Install]
1086
[Install]
1089
WantedBy=multi-user.target
1087
WantedBy=multi-user.target
1090
EOF
1088
EOF
1091
# init file creation
1089
# init file creation
Line 1109... Line 1107...
1109
### END INIT INFO
1107
### END INIT INFO
1110
 
1108
 
1111
[ -f /usr/sbin/chilli ] || exit 0
1109
[ -f /usr/sbin/chilli ] || exit 0
1112
. /etc/init.d/functions
1110
. /etc/init.d/functions
1113
CONFIG=/etc/chilli.conf
1111
CONFIG=/etc/chilli.conf
1114
pidfile=/var/run/chilli.pid
1112
pidfile=/run/chilli.pid
1115
[ -f \$CONFIG ] || {
1113
[ -f \$CONFIG ] || {
1116
	echo "\$CONFIG Not found"
1114
	echo "\$CONFIG Not found"
1117
	exit 0
1115
	exit 0
1118
}
1116
}
1119
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1117
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
Line 1124... Line 1122...
1124
		if [ -f \$pidfile ] ; then
1122
		if [ -f \$pidfile ] ; then
1125
			gprintf "chilli is already running"
1123
			gprintf "chilli is already running"
1126
		else
1124
		else
1127
			gprintf "Starting \$prog: "
1125
			gprintf "Starting \$prog: "
1128
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1126
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1129
			rm -f /var/run/chilli* # cleaning
1127
			rm -f /run/chilli* # cleaning
1130
			/usr/sbin/modprobe tun >/dev/null 2>&1
1128
			/usr/sbin/modprobe tun >/dev/null 2>&1
1131
			echo 1 > /proc/sys/net/ipv4/ip_forward
1129
			echo 1 > /proc/sys/net/ipv4/ip_forward
1132
			[ -e /dev/net/tun ] || {
1130
			[ -e /dev/net/tun ] || {
1133
				(cd /dev;
1131
				(cd /dev;
1134
				mkdir net;
1132
				mkdir net;
Line 1192... Line 1190...
1192
		#Code : 42 => 2a
1190
		#Code : 42 => 2a
1193
		#Len : 4 => 04
1191
		#Len : 4 => 04
1194
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1192
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1195
	cat <<EOF > /etc/chilli.conf
1193
	cat <<EOF > /etc/chilli.conf
1196
# coova config for ALCASAR
1194
# coova config for ALCASAR
1197
cmdsocket	/var/run/chilli.sock
1195
cmdsocket	/run/chilli.sock
1198
unixipc		chilli.$INTIF.ipc
1196
unixipc		chilli.$INTIF.ipc
1199
pidfile		/var/run/chilli.pid
1197
pidfile		/run/chilli.pid
1200
net		$PRIVATE_NETWORK_MASK
1198
net		$PRIVATE_NETWORK_MASK
1201
dhcpif		$INTIF
1199
dhcpif		$INTIF
1202
ethers		$DIR_DEST_ETC/alcasar-ethers
1200
ethers		$DIR_DEST_ETC/alcasar-ethers
1203
#nodynip
1201
#nodynip
1204
#statip
1202
#statip
Line 1261... Line 1259...
1261
##                   Function "e2guardian"                    ##
1259
##                   Function "e2guardian"                    ##
1262
## - Set the parameters of this HTML proxy (as controler)     ##
1260
## - Set the parameters of this HTML proxy (as controler)     ##
1263
################################################################
1261
################################################################
1264
e2guardian()
1262
e2guardian()
1265
{
1263
{
1266
	mkdir -p /var/e2guardian /var/log/e2guardian
-
 
1267
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
-
 
1268
# Adapt systemd unit
1264
# Adapt systemd unit
1269
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1265
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
1270
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1266
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1271
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1267
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1272
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1268
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1273
 
-
 
1274
# Adapt the main conf file
1269
# Adapt the main conf file
1275
# French deny HTML page
1270
# French deny HTML page
1276
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1271
	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
1277
# Listen only on LAN side
1272
# Listen only on LAN side
1278
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1273
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1279
# The port that E2guardian listens to HTTP
1274
# E2guardian listens on 8080 (HTTP)
1280
	$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1275
	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
1281
# The port that E2guardian listens to HTTPS
1276
# E2guardian listens transparently on 8443 (HTTPS)
1282
	$SED "s?^transparenthttpsport =*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1277
	$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
1283
# DG send its flow to HAVP (127.0.0.1:8090)
1278
# DG send its flow to HAVP (127.0.0.1:8090)
1284
	$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
1279
	$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
1285
	$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1280
	$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1286
# Don't log
1281
# Don't log
1287
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1282
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1288
# Disable HTML content control
1283
# Disable HTML content control (weighted & banned)
1289
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1284
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1290
# ???
-
 
1291
    cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1285
    cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1292
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1286
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
1293
# Disable URL control with regex
1287
# Disable URL control with regex
1294
# do nothing
-
 
1295
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1288
    cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1296
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1289
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
1297
 
-
 
1298
# Adapt the first group file (only one for instance)
1290
# Adapt the first group file (only one for instance)
1299
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1291
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1300
# Reporting (deny page) in HTML
1292
# Reporting (deny page) in HTML
1301
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1293
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
1302
 
1294
 
1303
# Replace the default deny HTML page (only fr & uk) --> search why our pages make the server crash... 
1295
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
1304
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1296
#	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
1305
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1297
#	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1306
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1298
#	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1307
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1299
#	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
1308
# Dont filtering files by extension or mime-type (empty list)
1300
# Dont filtering files by extension or mime-type (empty list)
Line 1314... Line 1306...
1314
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1306
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1315
	touch $DIR_DG/lists/exceptioniplist
1307
	touch $DIR_DG/lists/exceptioniplist
1316
# Creation of ALCASAR banned site list
1308
# Creation of ALCASAR banned site list
1317
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1309
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1318
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1310
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1319
# E2guardian domain filter config for ALCASAR
1311
# E2guardian filter config for ALCASAR
-
 
1312
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
1320
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1313
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1321
#**
1314
#**
1322
# block all SSL and CONNECT tunnels
1315
# block all SSL and CONNECT tunnels
1323
**s
1316
**s
1324
# block all SSL and CONNECT tunnels specified only as an IP
1317
# block all SSL and CONNECT tunnels specified only as an IP
1325
*ips
1318
*ips
1326
# block all sites specified only by an IP
1319
# block all sites specified only by an IP
1327
*ip
1320
*ip
1328
EOF
1321
EOF
1329
# Creation of ALCASAR banned URL list (empty)
1322
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
1330
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1323
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1331
	cat <<EOF > $DIR_DG/lists/bannedurllist
1324
	cat <<EOF > $DIR_DG/lists/bannedurllist
1332
# E2guardian filter config for ALCASAR
1325
# E2guardian filter config for ALCASAR
1333
EOF
1326
EOF
1334
# Creation of file for the rehabilited domains and urls
1327
# Creation of files for rehabilited domains and urls
1335
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1328
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1336
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1329
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1337
	touch $DIR_DG/lists/exceptionsitelist
1330
	touch $DIR_DG/lists/exceptionsitelist
1338
	touch $DIR_DG/lists/exceptionurllist
1331
	touch $DIR_DG/lists/exceptionurllist
1339
# Add Bing to the safesearch url regext list (parental control)
1332
# Add Bing to the safesearch url regext list (parental control)
1340
	[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1333
	[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
1341
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1334
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1342
# Bing - add 'adlt=strict'
1335
# Bing - add 'adlt=strict'
1343
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1336
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1344
EOF
1337
EOF
1345
# 'Safesearch' regex actualisation
1338
# 'Safesearch' regex actualisation
1346
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1339
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1347
# change the google safesearch ("safe=strict" instead of "safe=vss")
1340
# change the google safesearch ("safe=strict" instead of "safe=vss")
1348
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1341
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
-
 
1342
# create log folder
-
 
1343
    mkdir -p /var/log/e2guardian
-
 
1344
	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
1349
} # End of e2guardian()
1345
} # End of e2guardian()
1350
 
1346
 
1351
##################################################################
1347
##################################################################
1352
##                     Function "antivirus"                     ##
1348
##                     Function "antivirus"                     ##
1353
## - Set the parameters of havp, libclamav and freshclam        ##
1349
## - Set the parameters of havp, libclamav and freshclam        ##
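Review bot: The new `chown -R e2guardian /etc/e2guardian /var/log/e2guardian` at the end of e2guardian() gives the unprivileged proxy account write access to its own configuration and filter lists, whereas the removed line only handed it /var/e2guardian and the log directory. A daemon that parses untrusted client traffic should not be able to rewrite the e2guardian.conf, bannedsitelist, bannedurllist or urlregexplist files it enforces, otherwise a compromise of the process can disable filtering persistently. Keep the configuration root-owned and group-readable instead, e.g. `chown -R root:e2guardian /etc/e2guardian && chmod -R u=rwX,g=rX,o= /etc/e2guardian`, and limit the recursive chown to `/var/log/e2guardian`. Note also that `mkdir -p /var/e2guardian` and its chown were dropped; if the daemon still writes state there (not visible from this hunk) that directory now has to be created and owned elsewhere.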
Line 1361... Line 1357...
1361
		userdel -r havp 2>/dev/null
1357
		userdel -r havp 2>/dev/null
1362
		groupdel havp 2>/dev/null
1358
		groupdel havp 2>/dev/null
1363
	fi
1359
	fi
1364
	groupadd -f havp
1360
	groupadd -f havp
1365
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1361
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1362
	mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav
1367
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1363
	chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp
1368
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1364
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1369
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1365
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1370
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1366
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1371
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1367
	$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1372
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1368
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1373
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1369
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1374
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1370
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1375
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1371
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1376
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1372
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
Line 1412... Line 1408...
1412
		userdel -r tinyproxy 2>/dev/null
1408
		userdel -r tinyproxy 2>/dev/null
1413
		groupdel tinyproxy 2>/dev/null
1409
		groupdel tinyproxy 2>/dev/null
1414
	fi
1410
	fi
1415
	groupadd -f tinyproxy
1411
	groupadd -f tinyproxy
1416
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1412
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1417
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1413
	mkdir -p /run/tinyproxy /var/log/tinyproxy
1418
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1414
	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
1419
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1415
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1420
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1416
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1421
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1417
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1422
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1418
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1423
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1419
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1424
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1420
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1425
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1421
	$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1426
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1422
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1427
	$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1423
	$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1428
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1424
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1429
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1425
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1430
# Create the systemd unit
1426
# Create the systemd unit
Line 1442... Line 1438...
1442
Description=Tinyproxy Web Proxy Server
1438
Description=Tinyproxy Web Proxy Server
1443
After=network-online.target iptables.service
1439
After=network-online.target iptables.service
1444
 
1440
 
1445
[Service]
1441
[Service]
1446
Type=forking
1442
Type=forking
1447
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1443
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
1448
ExecStartPre=/bin/sleep 2
1444
ExecStartPre=/bin/sleep 2
1449
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1445
PIDFile=/run/tinyproxy/tinyproxy.pid
1450
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1446
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1451
ExecStop=/usr/bin/killall -9 tinyproxy
1447
ExecStop=/usr/bin/killall -9 tinyproxy
1452
[Install]
1448
[Install]
1453
WantedBy=multi-user.target
1449
WantedBy=multi-user.target
1454
EOF
1450
EOF
Line 1507... Line 1503...
1507
After=network-online.target iptables.service
1503
After=network-online.target iptables.service
1508
 
1504
 
1509
[Service]
1505
[Service]
1510
Type=exec
1506
Type=exec
1511
PIDFile=/run/nfcapd/nfcapd.pid
1507
PIDFile=/run/nfcapd/nfcapd.pid
1512
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /var/run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow
1508
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow
1513
ExecReload=/bin/kill -HUP $MAINPID
1509
ExecReload=/bin/kill -HUP $MAINPID
1514
 
1510
 
1515
[Install]
1511
[Install]
1516
WantedBy=multi-user.target
1512
WantedBy=multi-user.target
1517
EOF
1513
EOF
1518
    [ -d /var/log/nfsen/profile-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profile-data/live/alcasar_netflow
1514
    [ -d /var/log/nfsen/profile-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profile-data/live/alcasar_netflow
1519
    [ -d /var/run/nfcapd ] || mkdir -p /var/run/nfcapd
1515
    [ -d /run/nfcapd ] || mkdir -p /run/nfcapd
1520
    chown -R nfcapd:nfcapd /var/log/nfsen /var/run/nfcapd
1516
    chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
1521
#    chown -R apache:apache /var/log/nfsen/profile-data/live/alcasar_netflow
-
 
1522
} # End of nfsen()
1517
} # End of nfsen()
1523
 
1518
 
1524
###########################################################
1519
###########################################################
1525
##                     Function "vnstat"                 ##
1520
##                     Function "vnstat"                 ##
1526
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1521
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
Line 1545... Line 1540...
1545
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1540
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1546
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1541
	# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1547
	cat << EOF > /etc/dnsmasq-whitelist.conf
1542
	cat << EOF > /etc/dnsmasq-whitelist.conf
1548
# Configuration file for "dnsmasq with whitelist"
1543
# Configuration file for "dnsmasq with whitelist"
1549
# ADD Toulouse university whitelist domains
1544
# ADD Toulouse university whitelist domains
1550
pid-file=/var/run/dnsmasq-whitelist.pid
1545
pid-file=/run/dnsmasq-whitelist.pid
1551
listen-address=127.0.0.1
1546
listen-address=127.0.0.1
1552
port=55
1547
port=55
1553
no-dhcp-interface=lo
1548
no-dhcp-interface=lo
1554
bind-interfaces
1549
bind-interfaces
1555
cache-size=1024
1550
cache-size=1024
Line 1563... Line 1558...
1563
EOF
1558
EOF
1564
	# Create dnsmasq-whitelist unit
1559
	# Create dnsmasq-whitelist unit
1565
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1560
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1566
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1561
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1567
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1562
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1568
	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1563
	$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1569
} # End of dnsmasq()
1564
} # End of dnsmasq()
1570
 
1565
 
1571
#########################################################
1566
#########################################################
1572
##              Function "unbound"                     ##
1567
##              Function "unbound"                     ##
1573
## - create the conf files for 4 unbound services      ##
1568
## - create the conf files for 4 unbound services      ##
Line 1756... Line 1751...
1756
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1751
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1757
	for list in blacklist blackhole whitelist
1752
	for list in blacklist blackhole whitelist
1758
	do
1753
	do
1759
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1754
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1760
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1755
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1761
		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1756
		$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1762
	done
1757
	done
1763
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1758
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1764
} # End of unbound()
1759
} # End of unbound()
1765
 
1760
 
1766
##################################################
1761
##################################################
Line 1924... Line 1919...
1924
	chmod 644 /var/Save/security/watchdog.log
1919
	chmod 644 /var/Save/security/watchdog.log
1925
	/usr/bin/touch /var/log/auth.log
1920
	/usr/bin/touch /var/log/auth.log
1926
# fail2ban unit
1921
# fail2ban unit
1927
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1922
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1928
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1923
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1929
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1924
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1930
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1925
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1931
} # End of fail2ban()
1926
} # End of fail2ban()
1932
 
1927
 
1933
#########################################################
1928
#########################################################
1934
##                   Fonction "gammu_smsd"             ##
1929
##                   Fonction "gammu_smsd"             ##
Line 1994... Line 1989...
1994
Documentation=man:gammu-smsd(1)
1989
Documentation=man:gammu-smsd(1)
1995
After=network.target mysql.service
1990
After=network.target mysql.service
1996
 
1991
 
1997
[Service]
1992
[Service]
1998
Type=forking
1993
Type=forking
1999
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
1994
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
2000
ExecReload=/bin/kill -HUP $MAINPID
1995
ExecReload=/bin/kill -HUP $MAINPID
2001
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
1996
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
2002
PIDFile=/var/run/gammu-smsd.pid
1997
PIDFile=/run/gammu-smsd.pid
2003
 
1998
 
2004
[Install]
1999
[Install]
2005
WantedBy=multi-user.target
2000
WantedBy=multi-user.target
2006
EOF
2001
EOF
2007
 
2002