Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 2933 2021-03-27 10:17:40Z rexy $
|
2 |
# $Id: alcasar.sh 2937 2021-04-05 22:17:52Z rexy $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
# team@alcasar.net
|
7 |
# team@alcasar.net
|
Line 733... |
Line 733... |
733 |
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
|
733 |
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
|
734 |
echo "nf_conntrack_ftp" >> /etc/modprobe.preload
|
734 |
echo "nf_conntrack_ftp" >> /etc/modprobe.preload
|
735 |
# load ipt_NETFLOW module
|
735 |
# load ipt_NETFLOW module
|
736 |
echo "ipt_NETFLOW" >> /etc/modprobe.preload
|
736 |
echo "ipt_NETFLOW" >> /etc/modprobe.preload
|
737 |
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
|
737 |
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
|
738 |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
|
738 |
cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service
|
739 |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
|
739 |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /etc/systemd/system/iptables.service
|
740 |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
|
740 |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
|
741 |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
|
741 |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
|
742 |
#
|
742 |
#
|
743 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
743 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
744 |
} # End of network()
|
744 |
} # End of network()
|
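Review bot: The new `cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service` followed by `$SED` on the copy freezes a full snapshot of the vendor unit in /etc, so any later change the distribution ships in that unit (new hardening directives, a changed ExecStart) is silently shadowed; a drop-in such as `/etc/systemd/system/iptables.service.d/alcasar.conf` holding only `[Service]`, `ExecStart=` and `ExecStart=/usr/local/bin/alcasar-iptables.sh` would carry just the override and let the rest of the unit follow the package. The same copy-then-sed pattern is used for lighttpd, mysqld, radiusd, e2guardian, clamav-daemon and its socket, ulogd-*, vnstat, unbound and fail2ban in the later hunks. A host installed with the previous revision also still has the in-place-edited /lib unit (with its `.default` sibling), so this copy inherits the edited content rather than the pristine one — presumably harmless because the sed then matches nothing, but how the update path handles the leftovers is not visible here. network() starts outside the hunk.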
Line 801... |
Line 801... |
801 |
do
|
801 |
do
|
802 |
[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
|
802 |
[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
|
803 |
done
|
803 |
done
|
804 |
chown -R root:apache $DIR_SAVE
|
804 |
chown -R root:apache $DIR_SAVE
|
805 |
# Configuring & securing php
|
805 |
# Configuring & securing php
|
806 |
[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
|
806 |
[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default
|
807 |
timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
|
807 |
timezone=`timedatectl show --property=Timezone|cut -d"=" -f2`
|
808 |
$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
|
808 |
$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini
|
809 |
[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
|
809 |
[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
|
810 |
$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
|
810 |
$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
|
811 |
$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
|
811 |
$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
|
Line 871... |
Line 871... |
871 |
fi
|
871 |
fi
|
872 |
# Creation of ACC certs links
|
872 |
# Creation of ACC certs links
|
873 |
[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
|
873 |
[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
|
874 |
ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
|
874 |
ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
|
875 |
# Run lighttpd after coova (in order waiting tun0 to be up)
|
875 |
# Run lighttpd after coova (in order waiting tun0 to be up)
|
- |
|
876 |
cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service
|
876 |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
|
877 |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
|
877 |
# Log file for ACC access imputability
|
878 |
# Log file for ACC access imputability
|
878 |
[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
|
879 |
[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
|
879 |
chown root:apache $DIR_SAVE/security/acc_access.log
|
880 |
chown root:apache $DIR_SAVE/security/acc_access.log
|
880 |
chmod 664 $DIR_SAVE/security/acc_access.log
|
881 |
chmod 664 $DIR_SAVE/security/acc_access.log
|
881 |
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
|
882 |
# Copy IEEE-MAC-manuf list (origin from sanitized nmac file : see linuxnet.ca)
|
Line 957... |
Line 958... |
957 |
# Create 'radius' database
|
958 |
# Create 'radius' database
|
958 |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
|
959 |
$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
|
959 |
# Add an empty radius database structure
|
960 |
# Add an empty radius database structure
|
960 |
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
|
961 |
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
|
961 |
# modify the start script in order to close accounting connexion when the system is comming down or up
|
962 |
# modify the start script in order to close accounting connexion when the system is comming down or up
|
962 |
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
|
963 |
cp /lib/systemd/system/mysqld.service /etc/systemd/system/mysqld.service
|
963 |
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
|
964 |
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
|
964 |
$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
|
965 |
$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service
|
965 |
/usr/bin/systemctl unset-environment MYSQLD_OPTS
|
966 |
/usr/bin/systemctl unset-environment MYSQLD_OPTS
|
966 |
/usr/bin/systemctl daemon-reload
|
967 |
/usr/bin/systemctl daemon-reload
|
967 |
} # End of init_db()
|
968 |
} # End of init_db()
|
968 |
|
969 |
|
969 |
###################################################################
|
970 |
###################################################################
|
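Review bot: `/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql`, unchanged by this hunk, puts the radius database password on the command line, where it is readable by every local account through the process list for the duration of the import (and lands in any `set -x` trace). Passing it through the environment, `MYSQL_PWD="$radiuspwd" /usr/bin/mysql -u"$DB_USER" "$DB_RADIUS" < "$DIR_CONF/empty-radiusd-db.sql"`, or via a `--defaults-extra-file`, avoids that exposure. The `$MYSQL "... IDENTIFIED BY '$radiuspwd' ..."` line above presumably has the same issue, depending on how $MYSQL is defined. init_db() begins outside the hunk.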
Line 1042... |
Line 1043... |
1042 |
# sqlcounter modifications
|
1043 |
# sqlcounter modifications
|
1043 |
[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
|
1044 |
[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
|
1044 |
cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
|
1045 |
cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
|
1045 |
chown -R radius:radius /etc/raddb/mods-available/sqlcounter
|
1046 |
chown -R radius:radius /etc/raddb/mods-available/sqlcounter
|
1046 |
# make certain that mysql is up before freeradius start
|
1047 |
# make certain that mysql is up before freeradius start
|
1047 |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
|
1048 |
cp /lib/systemd/system/radiusd.service /etc/systemd/system/radiusd.service
|
1048 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
1049 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /etc/systemd/system/radiusd.service
|
1049 |
/usr/bin/systemctl daemon-reload
|
1050 |
/usr/bin/systemctl daemon-reload
|
1050 |
# Allow apache to change some conf files (ie : ldap on/off)
|
1051 |
# Allow apache to change some conf files (ie : ldap on/off)
|
1051 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1052 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1052 |
chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1053 |
chmod 750 /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1053 |
} # End of freeradius()
|
1054 |
} # End of freeradius()
|
Line 1058... |
Line 1059... |
1058 |
## - Adapt the authentication web page (intercept.php) ##
|
1059 |
## - Adapt the authentication web page (intercept.php) ##
|
1059 |
#############################################################################
|
1060 |
#############################################################################
|
1060 |
chilli()
|
1061 |
chilli()
|
1061 |
{
|
1062 |
{
|
1062 |
# chilli unit for systemd
|
1063 |
# chilli unit for systemd
|
1063 |
cat << EOF > /lib/systemd/system/chilli.service
|
1064 |
cat << EOF > /etc/systemd/system/chilli.service
|
1064 |
# This file is part of systemd.
|
1065 |
# This file is part of systemd.
|
1065 |
#
|
1066 |
#
|
1066 |
# systemd is free software; you can redistribute it and/or modify it
|
1067 |
# systemd is free software; you can redistribute it and/or modify it
|
1067 |
# under the terms of the GNU General Public License as published by
|
1068 |
# under the terms of the GNU General Public License as published by
|
1068 |
# the Free Software Foundation; either version 2 of the License, or
|
1069 |
# the Free Software Foundation; either version 2 of the License, or
|
Line 1258... |
Line 1259... |
1258 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1259 |
## - Set the parameters of this HTML proxy (as controler) ##
|
1259 |
################################################################
|
1260 |
################################################################
|
1260 |
e2guardian()
|
1261 |
e2guardian()
|
1261 |
{
|
1262 |
{
|
1262 |
# Adapt systemd unit
|
1263 |
# Adapt systemd unit
|
1263 |
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
|
1264 |
cp /lib/systemd/system/e2guardian.service /etc/systemd/system/e2guardian.service
|
1264 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
|
1265 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /etc/systemd/system/e2guardian.service
|
1265 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
|
1266 |
$SED "s?^After=.*?After=network.target chilli.service?g" /etc/systemd/system/e2guardian.service
|
1266 |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
|
- |
|
1267 |
# Adapt the main conf file
|
1267 |
# Adapt the main conf file
|
- |
|
1268 |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
|
1268 |
# French deny HTML page
|
1269 |
# French deny HTML page
|
1269 |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
|
1270 |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
|
1270 |
# 2 filtergroups (8080 & 8090)
|
1271 |
# 2 filtergroups (8080 & 8090)
|
1271 |
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
|
1272 |
$SED "s?^filtergroups =.*?filtergroups = 2?g" $DIR_DG/e2guardian.conf
|
1272 |
# Listen on 8080 (HTTP for BL users) only on LAN side
|
1273 |
# Listen on 8080 (HTTP for BL users) only on LAN side
|
Line 1368... |
Line 1369... |
1368 |
## Function "antivirus" ##
|
1369 |
## Function "antivirus" ##
|
1369 |
## - Set the parameters of clamav and freshclam ##
|
1370 |
## - Set the parameters of clamav and freshclam ##
|
1370 |
##################################################################
|
1371 |
##################################################################
|
1371 |
antivirus()
|
1372 |
antivirus()
|
1372 |
{
|
1373 |
{
|
1373 |
# Clamd adaptation to e2guardian
|
1374 |
# Clamd unit adaptation to e2guardian
|
1374 |
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
|
1375 |
cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service
|
1375 |
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
|
1376 |
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service
|
1376 |
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
|
1377 |
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service
|
1377 |
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
|
1378 |
cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket
|
1378 |
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
|
1379 |
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
|
1379 |
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
|
1380 |
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket
|
1380 |
|
- |
|
- |
|
1381 |
# Clamd conf adaptation to e2guardian
|
1381 |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
|
1382 |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
|
1382 |
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
|
1383 |
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
|
1383 |
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
|
1384 |
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
|
1384 |
$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
|
1385 |
$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
|
1385 |
$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
|
1386 |
$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf
|
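Review bot: In the two new `$SED "/^[Service]/a ExecStartPre=..."` lines for clamav-daemon.service, `[Service]` is a bracket expression matching one character from the set S,e,r,v,i,c, not the literal section header; the header line itself (which starts with `[`) never matches, and the ExecStartPre lines are instead appended after every line beginning with one of those letters, or nowhere if no such line exists. The address needs escaping: `$SED "/^\[Service\]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service` and the same for the mkdir line. Which lines of the vendor unit start with one of those letters cannot be seen here, so the resulting unit is worth checking with `systemd-analyze verify`; the regex predates this commit, but the lines are being rewritten anyway. antivirus() continues past the hunk.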
Line 1408... |
Line 1409... |
1408 |
# Three instances of ulogd (three different logfiles)
|
1409 |
# Three instances of ulogd (three different logfiles)
|
1409 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
1410 |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
|
1410 |
nl=1
|
1411 |
nl=1
|
1411 |
for log_type in traceability ssh ext-access
|
1412 |
for log_type in traceability ssh ext-access
|
1412 |
do
|
1413 |
do
|
1413 |
[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
|
1414 |
cp -f /lib/systemd/system/ulogd.service /etc/systemd/system/ulogd-$log_type.service
|
1414 |
[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
|
1415 |
[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
|
1415 |
cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
|
1416 |
cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
|
1416 |
$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
|
1417 |
$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
|
1417 |
cat << EOF >> /etc/ulogd-$log_type.conf
|
1418 |
cat << EOF >> /etc/ulogd-$log_type.conf
|
1418 |
[emu1]
|
1419 |
[emu1]
|
1419 |
file="/var/log/firewall/$log_type.log"
|
1420 |
file="/var/log/firewall/$log_type.log"
|
1420 |
sync=1
|
1421 |
sync=1
|
1421 |
EOF
|
1422 |
EOF
|
1422 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
|
1423 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /etc/systemd/system/ulogd-$log_type.service
|
1423 |
nl=`expr $nl + 1`
|
1424 |
nl=`expr $nl + 1`
|
1424 |
done
|
1425 |
done
|
1425 |
chown -R root:apache /var/log/firewall
|
1426 |
chown -R root:apache /var/log/firewall
|
1426 |
chmod 750 /var/log/firewall
|
1427 |
chmod 750 /var/log/firewall
|
1427 |
chmod 640 /var/log/firewall/*
|
1428 |
chmod 640 /var/log/firewall/*
|
Line 1435... |
Line 1436... |
1435 |
nfsen()
|
1436 |
nfsen()
|
1436 |
{
|
1437 |
{
|
1437 |
groupadd -f nfcapd
|
1438 |
groupadd -f nfcapd
|
1438 |
id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
|
1439 |
id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
|
1439 |
# nfcapd unit for systemd
|
1440 |
# nfcapd unit for systemd
|
1440 |
cat << EOF > /lib/systemd/system/nfcapd.service
|
1441 |
cat << EOF > /etc/systemd/system/nfcapd.service
|
1441 |
# This file is part of systemd.
|
1442 |
# This file is part of systemd.
|
1442 |
#
|
1443 |
#
|
1443 |
# systemd is free software; you can redistribute it and/or modify it
|
1444 |
# systemd is free software; you can redistribute it and/or modify it
|
1444 |
# under the terms of the GNU General Public License as published by
|
1445 |
# under the terms of the GNU General Public License as published by
|
1445 |
# the Free Software Foundation; either version 2 of the License, or
|
1446 |
# the Free Software Foundation; either version 2 of the License, or
|
Line 1477... |
Line 1478... |
1477 |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
|
1478 |
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
|
1478 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
1479 |
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
|
1479 |
$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
|
1480 |
$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
|
1480 |
# vnstat-dashboard
|
1481 |
# vnstat-dashboard
|
1481 |
$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
|
1482 |
$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
|
1482 |
[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default
|
1483 |
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
|
1483 |
$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service
|
1484 |
$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
|
1484 |
} # End of vnstat()
|
1485 |
} # End of vnstat()
|
1485 |
|
1486 |
|
1486 |
###################################################################
|
1487 |
###################################################################
|
1487 |
## Function "dnsmasq" ##
|
1488 |
## Function "dnsmasq" ##
|
1488 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
1489 |
## - creation of the conf files of dnsmasq (whitelist for ipset )##
|
Line 1507... |
Line 1508... |
1507 |
filterwin2k
|
1508 |
filterwin2k
|
1508 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1509 |
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
|
1509 |
server=$DNS1
|
1510 |
server=$DNS1
|
1510 |
server=$DNS2
|
1511 |
server=$DNS2
|
1511 |
EOF
|
1512 |
EOF
|
1512 |
# Create dnsmasq-whitelist unit
|
1513 |
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
|
1513 |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
|
1514 |
systemctl disable dnsmasq.service
|
1514 |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
|
1515 |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
|
1515 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1516 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1516 |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
|
1517 |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
|
1517 |
} # End of dnsmasq()
|
1518 |
} # End of dnsmasq()
|
1518 |
|
1519 |
|
1519 |
#########################################################
|
1520 |
#########################################################
|
1520 |
## Function "unbound" ##
|
1521 |
## Function "unbound" ##
|
1521 |
## - create the conf files for 4 unbound services ##
|
1522 |
## - create the conf files for 4 unbound services ##
|
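Review bot: `systemctl disable dnsmasq.service` only removes the enablement links; the vendor unit remains startable by a later `systemctl start dnsmasq`, a package scriptlet or a dependency, whereas the `mv` it replaces made the unit unavailable, so a second dnsmasq binding port 53 next to dnsmasq-whitelist and the unbound instances becomes possible again. `systemctl mask dnsmasq.service` keeps the intent stated in the new comment and fits the commit's move to /etc overrides, since it creates `/etc/systemd/system/dnsmasq.service -> /dev/null`. Separately, on a host installed with the previous revision the vendor unit was already renamed to `dnsmasq.service.default`, so the new `cp -f /lib/systemd/system/dnsmasq.service ...` has no source unless the package has been reinstalled — worth confirming how the update path handles that. dnsmasq() starts outside the hunk.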
Line 1680... |
Line 1681... |
1680 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1681 |
include: /etc/unbound/conf.d/common/local-forward/*
|
1681 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1682 |
include: /etc/unbound/conf.d/common/local-dns/*
|
1682 |
include: /etc/unbound/conf.d/blackhole/*
|
1683 |
include: /etc/unbound/conf.d/blackhole/*
|
1683 |
EOF
|
1684 |
EOF
|
1684 |
|
1685 |
|
1685 |
if [ ! -e /lib/systemd/system/unbound.service.default ]
|
- |
|
1686 |
then
|
- |
|
1687 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
|
1686 |
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
|
1688 |
fi
|
- |
|
1689 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
|
1687 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
|
1690 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
|
1688 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
|
1691 |
for list in blacklist blackhole whitelist
|
1689 |
for list in blacklist blackhole whitelist
|
1692 |
do
|
1690 |
do
|
1693 |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
|
1691 |
cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service
|
1694 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
|
1692 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
|
1695 |
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
|
1693 |
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
|
1696 |
done
|
1694 |
done
|
1697 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
|
1695 |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
|
1698 |
} # End of unbound()
|
1696 |
} # End of unbound()
|
1699 |
|
1697 |
|
1700 |
##################################################
|
1698 |
##################################################
|
1701 |
## Function "dhcpd" ##
|
1699 |
## Function "dhcpd" ##
|
1702 |
##################################################
|
1700 |
##################################################
|
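Review bot: The per-list units lose the `After=... chilli.service` ordering: `cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service` copies the untouched vendor unit, while the two `$SED` calls above now edit `/etc/systemd/system/unbound.service`; before this commit the loop copied the already-edited /lib file, so unbound-blacklist and unbound-blackhole inherited the chilli.service dependency. Only unbound-whitelist gets its After= line rewritten after the loop, so the other two instances may now start before the chilli interface exists. Copying from the edited file restores the previous behaviour: `cp -f /etc/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service`. unbound() starts outside the hunk.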
Line 1939... |
Line 1937... |
1939 |
[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
|
1937 |
[ -e $DIR_SAVE/security/watchdog.log ] || /usr/bin/touch $DIR_SAVE/security/watchdog.log
|
1940 |
chmod 644 /var/log/fail2ban.log
|
1938 |
chmod 644 /var/log/fail2ban.log
|
1941 |
chmod 644 $DIR_SAVE/security/watchdog.log
|
1939 |
chmod 644 $DIR_SAVE/security/watchdog.log
|
1942 |
/usr/bin/touch /var/log/auth.log
|
1940 |
/usr/bin/touch /var/log/auth.log
|
1943 |
# fail2ban unit
|
1941 |
# fail2ban unit
|
1944 |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
|
1942 |
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
|
1945 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
|
1943 |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
|
1946 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
|
1944 |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
|
1947 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
|
1945 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
|
1948 |
} # End of fail2ban()
|
1946 |
} # End of fail2ban()
|
1949 |
|
1947 |
|
1950 |
#########################################################
|
1948 |
#########################################################
|
1951 |
## Fonction "gammu_smsd" ##
|
1949 |
## Fonction "gammu_smsd" ##
|
1952 |
## - Creating of SMS management database ##
|
1950 |
## - Creating of SMS management database ##
|
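Review bot: In `$SED '/After=*/c After=syslog.target network.target lighttpd.service'` the `*` quantifies the `=`, so the address matches any line containing `After` anywhere in the unit and replaces that whole line; anchoring it as `$SED '/^After=/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service` limits it to the ordering directive. Whether the vendor fail2ban.service has another line that would match cannot be seen here, and the pattern predates this commit, but the line is being rewritten anyway. fail2ban() starts outside the hunk.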
Line 2003... |
Line 2001... |
2003 |
CheckBattery = 0
|
2001 |
CheckBattery = 0
|
2004 |
EOF
|
2002 |
EOF
|
2005 |
chmod 755 /etc/gammu_smsd_conf /etc/gammurc
|
2003 |
chmod 755 /etc/gammu_smsd_conf /etc/gammurc
|
2006 |
|
2004 |
|
2007 |
# Create the systemd unit
|
2005 |
# Create the systemd unit
|
2008 |
cat << EOF > /lib/systemd/system/gammu-smsd.service
|
2006 |
cat << EOF > /etc/systemd/system/gammu-smsd.service
|
2009 |
[Unit]
|
2007 |
[Unit]
|
2010 |
Description=SMS daemon for Gammu
|
2008 |
Description=SMS daemon for Gammu
|
2011 |
Documentation=man:gammu-smsd(1)
|
2009 |
Documentation=man:gammu-smsd(1)
|
2012 |
After=network.target mysql.service
|
2010 |
After=network.target mysql.service
|
2013 |
|
2011 |
|
Line 2191... |
Line 2189... |
2191 |
for dir in firewall e2guardian lighttpd
|
2189 |
for dir in firewall e2guardian lighttpd
|
2192 |
do
|
2190 |
do
|
2193 |
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
|
2191 |
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
|
2194 |
done
|
2192 |
done
|
2195 |
# create the alcasar-load_balancing unit
|
2193 |
# create the alcasar-load_balancing unit
|
2196 |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
|
2194 |
cat << EOF > /etc/systemd/system/alcasar-load_balancing.service
|
2197 |
# This file is part of systemd.
|
2195 |
# This file is part of systemd.
|
2198 |
#
|
2196 |
#
|
2199 |
# systemd is free software; you can redistribute it and/or modify it
|
2197 |
# systemd is free software; you can redistribute it and/or modify it
|
2200 |
# under the terms of the GNU General Public License as published by
|
2198 |
# under the terms of the GNU General Public License as published by
|
2201 |
# the Free Software Foundation; either version 2 of the License, or
|
2199 |
# the Free Software Foundation; either version 2 of the License, or
|
Line 2373... |
Line 2371... |
2373 |
-\? | -h* | --h*)
|
2371 |
-\? | -h* | --h*)
|
2374 |
echo "$usage"
|
2372 |
echo "$usage"
|
2375 |
exit 0
|
2373 |
exit 0
|
2376 |
;;
|
2374 |
;;
|
2377 |
-i | --install)
|
2375 |
-i | --install)
|
2378 |
for func in license testing_system
|
2376 |
for func in license testing_system testing_network
|
2379 |
do
|
2377 |
do
|
2380 |
header_install
|
2378 |
header_install
|
2381 |
$func
|
2379 |
$func
|
2382 |
if [ $DEBUG_ALCASAR == "on" ]
|
2380 |
if [ $DEBUG_ALCASAR == "on" ]
|
2383 |
then
|
2381 |
then
|
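Review bot: `testing_network` now runs in the pre-install loop, before `init` and the other setup functions (the companion hunk further down drops it from the second loop); if it reads anything that init or the configuration step prepares, which is not visible here, it now sees the pre-init state, so the move is worth confirming against the body of testing_network. In the same loop `if [ $DEBUG_ALCASAR == "on" ]` produces a test syntax error when DEBUG_ALCASAR is empty or unset; `if [ "$DEBUG_ALCASAR" == "on" ]` keeps it a plain false. The case arm continues past the hunk.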
Line 2449... |
Line 2447... |
2449 |
then echo "#### Installation avec mise à jour ####";
|
2447 |
then echo "#### Installation avec mise à jour ####";
|
2450 |
else echo "#### Installation with update ####";
|
2448 |
else echo "#### Installation with update ####";
|
2451 |
fi
|
2449 |
fi
|
2452 |
mode="update"
|
2450 |
mode="update"
|
2453 |
fi
|
2451 |
fi
|
2454 |
for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
|
2452 |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
|
2455 |
do
|
2453 |
do
|
2456 |
$func
|
2454 |
$func
|
2457 |
if [ $DEBUG_ALCASAR == "on" ]
|
2455 |
if [ $DEBUG_ALCASAR == "on" ]
|
2458 |
then
|
2456 |
then
|
2459 |
echo "*** 'debug' : end of function '$func' ***"
|
2457 |
echo "*** 'debug' : end of function '$func' ***"
|