Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 2835 2020-06-15 21:30:20Z rexy $
|
2 |
# $Id: alcasar.sh 2840 2020-06-27 22:35:40Z rexy $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
# team@alcasar.net
|
7 |
# team@alcasar.net
|
Line 16... |
Line 16... |
16 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
|
16 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
|
17 |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
|
17 |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
|
18 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
18 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
19 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
|
19 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
|
20 |
|
20 |
|
21 |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
|
21 |
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, NFsen and NFdump
|
22 |
|
22 |
|
23 |
# Options :
|
23 |
# Options :
|
24 |
# -i or --install
|
24 |
# -i or --install
|
25 |
# -u or --uninstall
|
25 |
# -u or --uninstall
|
26 |
|
26 |
|
Line 33... |
Line 33... |
33 |
# time_server : NTPd configuration
|
33 |
# time_server : NTPd configuration
|
34 |
# init_db : Initilization of radius database managed with MariaDB
|
34 |
# init_db : Initilization of radius database managed with MariaDB
|
35 |
# freeradius : FreeRadius initialisation
|
35 |
# freeradius : FreeRadius initialisation
|
36 |
# chilli : coovachilli initialisation (+authentication page)
|
36 |
# chilli : coovachilli initialisation (+authentication page)
|
37 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
37 |
# e2guardian : E2Guardian filtering HTTP proxy configuration
|
38 |
# antivirus : HAVP + libclamav configuration
|
38 |
# antivirus : clamav & freshclam configuration
|
39 |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
|
- |
|
40 |
# ulogd : log system in userland (match NFLOG target of iptables)
|
39 |
# ulogd : log system in userland (match NFLOG target of iptables)
|
41 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
40 |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
|
42 |
# unbound : Name server configuration
|
41 |
# unbound : Name server configuration
|
43 |
# dnsmasq : Name server configuration (for whitelist ipset support)
|
42 |
# dnsmasq : Name server configuration (for whitelist ipset support)
|
44 |
# vnstat : little network stat daemon
|
43 |
# vnstat : little network stat daemon
|
Line 1269... |
Line 1268... |
1269 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
|
1268 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
|
1270 |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
|
1269 |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
|
1271 |
# Adapt the main conf file
|
1270 |
# Adapt the main conf file
|
1272 |
# French deny HTML page
|
1271 |
# French deny HTML page
|
1273 |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
|
1272 |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
|
1274 |
# Listen only on LAN side
|
1273 |
# 2 filtergroups (8080 & 8090)
|
1275 |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
|
1274 |
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
|
1276 |
# E2guardian listens on 8080 (HTTP)
|
1275 |
# Listen on 8080 (HTTP for BL users) only on LAN side
|
- |
|
1276 |
$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
|
1277 |
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
|
1277 |
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
|
- |
|
1278 |
# Listen on 8090 (HTTP for WL/AV users) only on LAN side
|
- |
|
1279 |
$SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_DG/e2guardian.conf
|
- |
|
1280 |
$SED "/^filterports = 8080/a filterports = 8090" $DIR_DG/e2guardian.conf
|
1278 |
# E2guardian listens transparently on 8443 (HTTPS)
|
1281 |
# E2guardian listens transparently on 8443 (HTTPS)
|
1279 |
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
|
1282 |
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
|
1280 |
# DG send its flow to HAVP (127.0.0.1:8090)
|
- |
|
1281 |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
|
- |
|
1282 |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
|
- |
|
1283 |
# Don't log
|
1283 |
# Don't log
|
1284 |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
|
1284 |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
|
1285 |
# Disable HTML content control (weighted & banned)
|
1285 |
# Disable HTML content control (weighted & banned)
|
1286 |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
|
1286 |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
|
- |
|
1287 |
# Enable authport plugin
|
- |
|
1288 |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf
|
- |
|
1289 |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf
|
- |
|
1290 |
# Enable clamd scanner
|
- |
|
1291 |
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf
|
- |
|
1292 |
|
- |
|
1293 |
# RAZ bannedphraselist
|
1287 |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
|
1294 |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
|
1288 |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
|
1295 |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
|
- |
|
1296 |
|
1289 |
# Disable URL control with regex
|
1297 |
# Disable URL control with regex
|
1290 |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
|
1298 |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
|
1291 |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
|
1299 |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
|
- |
|
1300 |
|
1292 |
# Adapt the first group file (only one for instance)
|
1301 |
# Adapt the first group conf file
|
1293 |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
|
1302 |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
|
1294 |
# Reporting (deny page) in HTML
|
1303 |
# Reporting (deny page) in HTML
|
1295 |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
|
1304 |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
|
1296 |
|
1305 |
|
- |
|
1306 |
# Copy the fist group conf file to the second
|
- |
|
1307 |
cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf2.conf
|
- |
|
1308 |
|
1297 |
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
|
1309 |
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
|
1298 |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
|
1310 |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
|
1299 |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
|
1311 |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
|
1300 |
# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
|
1312 |
# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
|
1301 |
# cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
|
1313 |
# cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/template.html
|
Line 1347... |
Line 1359... |
1347 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1359 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1348 |
} # End of e2guardian()
|
1360 |
} # End of e2guardian()
|
1349 |
|
1361 |
|
1350 |
##################################################################
|
1362 |
##################################################################
|
1351 |
## Function "antivirus" ##
|
1363 |
## Function "antivirus" ##
|
1352 |
## - Set the parameters of havp, libclamav and freshclam ##
|
1364 |
## - Set the parameters of clamav and freshclam ##
|
1353 |
##################################################################
|
1365 |
##################################################################
|
1354 |
antivirus()
|
1366 |
antivirus()
|
1355 |
{
|
1367 |
{
|
1356 |
# create 'havp' user
|
- |
|
1357 |
havp_exist=`grep -c ^havp: /etc/passwd`
|
- |
|
1358 |
if [ "$havp_exist" == "1" ]
|
1368 |
# Clamd adaptation to e2guardian
|
1359 |
then
|
- |
|
1360 |
userdel -r havp 2>/dev/null
|
- |
|
1361 |
groupdel havp 2>/dev/null
|
- |
|
1362 |
fi
|
- |
|
1363 |
groupadd -f havp
|
- |
|
1364 |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
|
- |
|
1365 |
mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav
|
- |
|
1366 |
chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp
|
- |
|
1367 |
chown -R clamav:clamav /var/log/clamav /var/lib/clamav
|
- |
|
1368 |
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
|
1369 |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
|
1369 |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
|
1370 |
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf
|
1370 |
$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
|
- |
|
1371 |
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
|
- |
|
1372 |
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
|
- |
|
1373 |
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
|
- |
|
1374 |
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
|
- |
|
1375 |
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
|
- |
|
1376 |
$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
|
- |
|
1377 |
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
|
- |
|
1378 |
$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
|
- |
|
1379 |
$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
|
- |
|
1380 |
$SED "s?^# SCANTEMPFILE.*?SCANTEMPFILE /var/tmp/havp/havp-XXXXXX?g" /etc/havp/havp.config # Use our special tmp FS (memfs)
|
- |
|
1381 |
$SED "s?^# TEMPDIR.*?TEMPDIR /var/tmp/havp?g" /etc/havp/havp.config # Use our special tmp FS (memfs)
|
- |
|
1382 |
# skip checking of youtube flow (too heavy load / risk too low)
|
- |
|
1383 |
[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
|
- |
|
1384 |
echo "# Whitelist youtube flow" >> /etc/havp/whitelist
|
1371 |
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav
|
1385 |
echo "*.youtube.com/*" >> /etc/havp/whitelist
|
- |
|
1386 |
# adapt init script and systemd unit
|
- |
|
1387 |
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
|
- |
|
1388 |
cp -f $DIR_CONF/havp-init /etc/init.d/havp
|
1372 |
chmod 775 /var/log/clamav /var/lib/clamav
|
1389 |
cp -f $DIR_CONF/havp.service /lib/systemd/system/
|
- |
|
1390 |
# replace of the intercept page (template)
|
1373 |
chmod 664 /var/log/clamav/*
|
1391 |
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
|
- |
|
1392 |
cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
|
- |
|
1393 |
# update virus database every 4 hours (24h/6)
|
1374 |
# update virus database every 4 hours (24h/6)
|
1394 |
[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
|
1375 |
[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
|
1395 |
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
|
1376 |
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
|
1396 |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
|
1377 |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
|
1397 |
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
|
1378 |
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
|
1398 |
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
|
1379 |
$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
|
- |
|
1380 |
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam
|
- |
|
1381 |
|
1399 |
# update now
|
1382 |
# update now
|
1400 |
/usr/bin/freshclam --no-warnings --quiet
|
1383 |
/usr/bin/freshclam --no-warnings --quiet
|
1401 |
} # End of antivirus()
|
1384 |
} # End of antivirus()
|
1402 |
|
1385 |
|
1403 |
################################################################################
|
- |
|
1404 |
## Function "tinyproxy" ##
|
- |
|
1405 |
## - Set the parameters of tinyproxy (proxy between filtered users and havp) ##
|
- |
|
1406 |
################################################################################
|
- |
|
1407 |
tinyproxy()
|
- |
|
1408 |
{
|
- |
|
1409 |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
|
- |
|
1410 |
if [ "$tinyproxy_exist" == "1" ]
|
- |
|
1411 |
then
|
- |
|
1412 |
userdel -r tinyproxy 2>/dev/null
|
- |
|
1413 |
groupdel tinyproxy 2>/dev/null
|
- |
|
1414 |
fi
|
- |
|
1415 |
groupadd -f tinyproxy
|
- |
|
1416 |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
|
- |
|
1417 |
mkdir -p /run/tinyproxy /var/log/tinyproxy
|
- |
|
1418 |
chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
|
- |
|
1419 |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
|
- |
|
1420 |
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
|
- |
|
1421 |
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
|
- |
|
1422 |
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
|
- |
|
1423 |
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
|
- |
|
1424 |
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
|
- |
|
1425 |
$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
|
- |
|
1426 |
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
|
- |
|
1427 |
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
|
- |
|
1428 |
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
|
- |
|
1429 |
$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
|
- |
|
1430 |
# Create the systemd unit
|
- |
|
1431 |
cat << EOF > /lib/systemd/system/tinyproxy.service
|
- |
|
1432 |
# This file is part of systemd.
|
- |
|
1433 |
#
|
- |
|
1434 |
# systemd is free software; you can redistribute it and/or modify it
|
- |
|
1435 |
# under the terms of the GNU General Public License as published by
|
- |
|
1436 |
# the Free Software Foundation; either version 2 of the License, or
|
- |
|
1437 |
# (at your option) any later version.
|
- |
|
1438 |
|
- |
|
1439 |
# This unit launches tinyproxy (a very light proxy).
|
- |
|
1440 |
# The "sleep 2" is needed because the pid file isn't ready for systemd
|
- |
|
1441 |
[Unit]
|
- |
|
1442 |
Description=Tinyproxy Web Proxy Server
|
- |
|
1443 |
After=network-online.target iptables.service
|
- |
|
1444 |
|
- |
|
1445 |
[Service]
|
- |
|
1446 |
Type=forking
|
- |
|
1447 |
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
|
- |
|
1448 |
ExecStartPre=/bin/sleep 2
|
- |
|
1449 |
PIDFile=/run/tinyproxy/tinyproxy.pid
|
- |
|
1450 |
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
|
- |
|
1451 |
ExecStop=/usr/bin/killall -9 tinyproxy
|
- |
|
1452 |
[Install]
|
- |
|
1453 |
WantedBy=multi-user.target
|
- |
|
1454 |
EOF
|
- |
|
1455 |
|
- |
|
1456 |
} # end of tinyproxy()
|
- |
|
1457 |
|
- |
|
1458 |
##############################################################
|
1386 |
##############################################################
|
1459 |
## function "ulogd" ##
|
1387 |
## function "ulogd" ##
|
1460 |
## - Ulog config for multi-log files ##
|
1388 |
## - Ulog config for multi-log files ##
|
1461 |
##############################################################
|
1389 |
##############################################################
|
1462 |
ulogd()
|
1390 |
ulogd()
|
Line 1905... |
Line 1833... |
1905 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
|
1833 |
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
|
1906 |
######################################################################
|
1834 |
######################################################################
|
1907 |
fail2ban()
|
1835 |
fail2ban()
|
1908 |
{
|
1836 |
{
|
1909 |
/usr/bin/sh $DIR_CONF/fail2ban.sh
|
1837 |
/usr/bin/sh $DIR_CONF/fail2ban.sh
|
1910 |
# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section
|
1838 |
# allow reading of 2 log files (fail2ban & watchdog).
|
1911 |
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
|
1839 |
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
|
1912 |
[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
|
1840 |
[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
|
1913 |
chmod 644 /var/log/fail2ban.log
|
1841 |
chmod 644 /var/log/fail2ban.log
|
1914 |
chmod 644 /var/Save/security/watchdog.log
|
1842 |
chmod 644 /var/Save/security/watchdog.log
|
1915 |
/usr/bin/touch /var/log/auth.log
|
1843 |
/usr/bin/touch /var/log/auth.log
|
Line 2110... |
Line 2038... |
2110 |
## - log rotate & ANSSI security parameters ##
|
2038 |
## - log rotate & ANSSI security parameters ##
|
2111 |
## - Apply former conf in case of an update ##
|
2039 |
## - Apply former conf in case of an update ##
|
2112 |
##################################################################
|
2040 |
##################################################################
|
2113 |
post_install()
|
2041 |
post_install()
|
2114 |
{
|
2042 |
{
|
2115 |
# change the SSH banner
|
2043 |
# change the SSHD options
|
2116 |
cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
|
2044 |
cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
|
2117 |
echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
|
2045 |
echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
|
2118 |
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
|
2046 |
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
|
2119 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
|
2047 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
|
2120 |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
2048 |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
2121 |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
2049 |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
2122 |
# postfix banner anonymisation
|
- |
|
2123 |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
|
- |
|
2124 |
chown -R postfix:postfix /var/lib/postfix
|
- |
|
2125 |
# sshd liste on EXTIF & INTIF
|
2050 |
# sshd listens on EXTIF & INTIF
|
2126 |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
|
2051 |
$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
|
2127 |
# sshd authorized certificate for root login
|
2052 |
# sshd authorized certificate for root login
|
2128 |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
|
2053 |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
|
- |
|
2054 |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
|
- |
|
2055 |
|
- |
|
2056 |
# postfix banner anonymisation
|
- |
|
2057 |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
|
- |
|
2058 |
chown -R postfix:postfix /var/lib/postfix
|
2129 |
# ALCASAR conf file
|
2059 |
# ALCASAR conf file
|
2130 |
echo "HTTPS_LOGIN=off" >> $CONF_FILE
|
2060 |
echo "HTTPS_LOGIN=off" >> $CONF_FILE
|
2131 |
echo "HTTPS_CHILLI=off" >> $CONF_FILE
|
2061 |
echo "HTTPS_CHILLI=off" >> $CONF_FILE
|
2132 |
echo "SSH=on" >> $CONF_FILE
|
2062 |
echo "SSH=on" >> $CONF_FILE
|
2133 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
2063 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
Line 2194... |
Line 2124... |
2194 |
[Install]
|
2124 |
[Install]
|
2195 |
WantedBy=multi-user.target
|
2125 |
WantedBy=multi-user.target
|
2196 |
EOF
|
2126 |
EOF
|
2197 |
/usr/bin/systemctl daemon-reload
|
2127 |
/usr/bin/systemctl daemon-reload
|
2198 |
# processes launched at boot time (Systemctl)
|
2128 |
# processes launched at boot time (Systemctl)
|
2199 |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
|
2129 |
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
|
2200 |
do
|
2130 |
do
|
2201 |
/usr/bin/systemctl -q enable $i.service
|
2131 |
/usr/bin/systemctl -q enable $i.service
|
2202 |
done
|
2132 |
done
|
2203 |
|
2133 |
|
2204 |
# disable processes at boot time (Systemctl)
|
2134 |
# disable processes at boot time (Systemctl)
|
Line 2239... |
Line 2169... |
2239 |
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
|
2169 |
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
|
2240 |
[ -e /etc/default/grub.default ] || cp /etc/default/grub /etc/default/grub.default
|
2170 |
[ -e /etc/default/grub.default ] || cp /etc/default/grub /etc/default/grub.default
|
2241 |
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
|
2171 |
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
|
2242 |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
|
2172 |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
|
2243 |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
|
2173 |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
|
2244 |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
|
2174 |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx|vbox"` # test if in VM
|
2245 |
if [ $vm_vga == 0 ] # is not a VM
|
2175 |
if [ $vm_vga == 0 ] # is not a VM
|
2246 |
then
|
2176 |
then
|
2247 |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
|
2177 |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
|
2248 |
echo >> /etc/mageia-release
|
2178 |
echo >> /etc/mageia-release
|
2249 |
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
|
2179 |
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
|
Line 2423... |
Line 2353... |
2423 |
then echo "#### Installation avec mise à jour ####";
|
2353 |
then echo "#### Installation avec mise à jour ####";
|
2424 |
else echo "#### Installation with update ####";
|
2354 |
else echo "#### Installation with update ####";
|
2425 |
fi
|
2355 |
fi
|
2426 |
mode="update"
|
2356 |
mode="update"
|
2427 |
fi
|
2357 |
fi
|
2428 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
|
2358 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
|
2429 |
do
|
2359 |
do
|
2430 |
$func
|
2360 |
$func
|
2431 |
if [ $DEBUG_ALCASAR == "on" ]
|
2361 |
if [ $DEBUG_ALCASAR == "on" ]
|
2432 |
then
|
2362 |
then
|
2433 |
echo "*** 'debug' : end of install '$func' ***"
|
2363 |
echo "*** 'debug' : end of install '$func' ***"
|
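Review bot: In antivirus(), the added line `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam` targets `/etc/freshclam`, while every other freshclam edit in the function targets `/etc/freshclam.conf`; this looks like a truncated path and should probably read `$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf`. Assuming `$SED` is an in-place sed (its definition is not visible here), the substitution most likely fails on a missing file or edits nothing, so freshclam keeps its packaged DatabaseOwner while the same function hands `/var/lib/clamav` to `e2guardian:e2guardian` with mode 775. Signature updates, including the `/usr/bin/freshclam` run at the end of the function, may then be unable to write the database, leaving clamd scanning with stale signatures. The old `mkdir -p ... /var/log/clamav /var/lib/clamav` is also removed, so the new `chown`/`chmod` lines and the `chmod 664 /var/log/clamav/*` glob assume the package has already created those directories and at least one log file, which is worth confirming on a fresh install. In post_install(), `#X11Forwarding yes` relies on the sshd default, and an explicit `X11Forwarding no` would state the intent and survive a changed default.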