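--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2835 2020-06-15 21:30:20Z rexy $
+#  $Id: alcasar.sh 2840 2020-06-27 22:35:40Z rexy $
 
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
@@ -16,11 +16,11 @@
 # Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
 # ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
 # Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
-# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
+# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
 
 # Options :
 #       -i or --install
 #       -u or --uninstall
 
@@ -33,12 +33,11 @@
 #	time_server		: NTPd configuration
 #	init_db			: Initilization of radius database managed with MariaDB
 #	freeradius		: FreeRadius initialisation
 #	chilli			: coovachilli initialisation (+authentication page)
 #	e2guardian		: E2Guardian filtering HTTP proxy configuration
-#	antivirus		: HAVP + libclamav configuration
+#	antivirus		: clamav & freshclam configuration
-#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
 #	ulogd			: log system in userland (match NFLOG target of iptables)
 #	nfsen			: Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
 #	unbound			: Name server configuration
 #	dnsmasq			: Name server configuration (for whitelist ipset support)
 #	vnstat			: little network stat daemon
@@ -1269,33 +1268,46 @@
 	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
 	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
 # Adapt the main conf file
 # French deny HTML page
 	$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
-# Listen only on LAN side
+# 2 filtergroups (8080 & 8090)
-	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
+	$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
-# E2guardian listens on 8080 (HTTP)
+# Listen on 8080 (HTTP for BL users) only on LAN side
+	$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
 	$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
+# Listen on 8090 (HTTP for WL/AV users) only on LAN side
+	$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
+	$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
 # E2guardian listens transparently on 8443 (HTTPS)
 	$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
-# DG send its flow to HAVP (127.0.0.1:8090)
-	$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
-	$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
 # Don't log
 	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
 # Disable HTML content control (weighted & banned)
 	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
+# Enable authport plugin
+	$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
+	$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
+# Enable clamd scanner
+	$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
+
+# RAZ bannedphraselist
-    cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
+	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
 	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
+
 # Disable URL control with regex
     cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
 	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
+
-# Adapt the first group file (only one for instance)
+# Adapt the first group conf file
 	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
 # Reporting (deny page) in HTML
 	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
 
+# Copy the fist group conf file to the second
+	cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf
+
 # Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... 
 #	[ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
 #	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
 #	[ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
 #	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
@@ -1347,116 +1359,32 @@
 	chown -R e2guardian /etc/e2guardian /var/log/e2guardian
 } # End of e2guardian()
 
 ##################################################################
 ##                     Function "antivirus"                     ##
-## - Set the parameters of havp, libclamav and freshclam        ##
+## - Set the parameters of clamav and freshclam                 ##
 ##################################################################
 antivirus()
 {
-# create 'havp' user
-	havp_exist=`grep -c ^havp: /etc/passwd`
-	if [ "$havp_exist" == "1" ]
+# Clamd adaptation to e2guardian
-	then
-		userdel -r havp 2>/dev/null
-		groupdel havp 2>/dev/null
-	fi
-	groupadd -f havp
-	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
-	mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav
-	chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp
-	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
-	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
+[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
-	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
+	$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
-	$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
-	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
-	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
-	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
-	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
-	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
-	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
-	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
-	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
-	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
-	$SED "s?^# SCANTEMPFILE.*?SCANTEMPFILE /var/tmp/havp/havp-XXXXXX?g" /etc/havp/havp.config		# Use our special tmp FS (memfs)
-	$SED "s?^# TEMPDIR.*?TEMPDIR /var/tmp/havp?g" /etc/havp/havp.config		# Use our special tmp FS (memfs)
-# skip checking of youtube flow (too heavy load / risk too low)
-	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
-	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
+	chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
-	echo "*.youtube.com/*" >> /etc/havp/whitelist
-# adapt init script and systemd unit
-	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
-	cp -f $DIR_CONF/havp-init /etc/init.d/havp
+	chmod 775 /var/log/clamav /var/lib/clamav
-    cp -f $DIR_CONF/havp.service /lib/systemd/system/
-	# replace of the intercept page (template)
+	chmod 664 /var/log/clamav/*
-	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
-	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
 # update virus database every 4 hours (24h/6)
 	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
 	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
 	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
 	$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
 	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
+	$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam
+	
 # update now
 	/usr/bin/freshclam --no-warnings --quiet
 } # End of antivirus()
 
-################################################################################
-##                           Function "tinyproxy"                             ##
-## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
-################################################################################
-tinyproxy()
-{
-	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
-	if [ "$tinyproxy_exist" == "1" ]
-	then
-		userdel -r tinyproxy 2>/dev/null
-		groupdel tinyproxy 2>/dev/null
-	fi
-	groupadd -f tinyproxy
-	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
-	mkdir -p /run/tinyproxy /var/log/tinyproxy
-	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
-	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
-	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
-	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
-	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
-	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
-	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
-	$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
-	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
-	$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
-	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
-	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
-# Create the systemd unit
-cat << EOF > /lib/systemd/system/tinyproxy.service
-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU General Public License as published by
-#  the Free Software Foundation; either version 2 of the License, or
-#  (at your option) any later version.
-
-# This unit launches tinyproxy (a very light proxy).
-# The "sleep 2" is needed because the pid file isn't ready for systemd
-[Unit]
-Description=Tinyproxy Web Proxy Server
-After=network-online.target iptables.service
-
-[Service]
-Type=forking
-ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
-ExecStartPre=/bin/sleep 2
-PIDFile=/run/tinyproxy/tinyproxy.pid
-ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
-ExecStop=/usr/bin/killall -9 tinyproxy
-[Install]
-WantedBy=multi-user.target
-EOF
-
-} # end of tinyproxy()
-
 ##############################################################
 ##                            function "ulogd"              ##
 ## - Ulog config for multi-log files                        ##
 ##############################################################
 ulogd()
@@ -1905,11 +1833,11 @@
 ##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
 ######################################################################
 fail2ban()
 {
 	/usr/bin/sh $DIR_CONF/fail2ban.sh
-# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section
+# allow reading of 2 log files (fail2ban & watchdog).
 	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
 	[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
 	chmod 644 /var/log/fail2ban.log
 	chmod 644 /var/Save/security/watchdog.log
 	/usr/bin/touch /var/log/auth.log
@@ -2110,24 +2038,26 @@
 ## - log rotate & ANSSI security parameters                     ##
 ## - Apply former conf in case of an update                     ##
 ##################################################################
 post_install()
 {
-# change the SSH banner
+# change the SSHD options
 	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
 	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
 	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
 	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
 	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
 	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
-# postfix banner anonymisation
-	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
-	chown -R postfix:postfix /var/lib/postfix
-# sshd liste on EXTIF & INTIF
+# sshd listens on EXTIF & INTIF
 	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
 # sshd authorized certificate for root login
 	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
+	$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
+
+# postfix banner anonymisation
+	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
+	chown -R postfix:postfix /var/lib/postfix
 # ALCASAR conf file
 	echo "HTTPS_LOGIN=off" >> $CONF_FILE
 	echo "HTTPS_CHILLI=off" >> $CONF_FILE
 	echo "SSH=on" >> $CONF_FILE
 	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
@@ -2194,11 +2124,11 @@
 [Install]
 WantedBy=multi-user.target
 EOF
 	/usr/bin/systemctl daemon-reload
 # processes launched at boot time (Systemctl)
-	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
+	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
 	do
 		/usr/bin/systemctl -q enable $i.service
 	done
 
 # disable processes at boot time (Systemctl)
@@ -2239,11 +2169,11 @@
 # GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
 	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
 	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
 	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
 	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
-	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
+	vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM
 	if [ $vm_vga == 0 ] # is not a VM
 	then
 		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
 		echo >> /etc/mageia-release
 		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
@@ -2423,11 +2353,11 @@
 				then echo "#### Installation avec mise à jour ####";
 				else echo "#### Installation with update     ####";
 			fi
 			mode="update"
 		fi
-		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
+		for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
 		do
 			$func
 			if [ $DEBUG_ALCASAR == "on" ]
 			then
 				echo "*** 'debug' : end of install '$func' ***"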
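Review bot: The new `DatabaseOwner` substitution in antivirus() (hunk "Line 1347... Line 1359...", new line 1380) is applied to `/etc/freshclam`, whereas the five edits directly above it in the same hunk target `/etc/freshclam.conf`; unless a separate `/etc/freshclam` file exists, this sed never reaches the real config, so the database keeps its packaged owner while clamd is now switched to `User e2guardian`, and the line should read `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf`. A few lines earlier, `chmod 664 /var/log/clamav/*` relies on the glob matching on a fresh install where the directory may still be empty, in which case chmod is handed the literal pattern and fails; `find /var/log/clamav -type f -exec chmod 664 -- {} +` behaves the same whether or not files exist. Separately, `User e2guardian` in clamd.conf together with `chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav` runs the scanner under the filtering proxy's account, giving up the separation the packaged `clamav` user provided; if the motive is only socket access between the two, granting a shared group would keep that least-privilege boundary. The new `[ -e /etc/clamd.conf.default ] || cp …` line is also the only statement in the function written without the leading tab the rest of the body uses.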