Subversion Repositories ALCASAR

Rev

Rev 3222 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 3222 Rev 3230
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 3222 2024-07-17 09:56:42Z rexy $
2
#  $Id: alcasar.sh 3230 2024-11-06 23:38:15Z rexy $
3
 
3
 
4
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
4
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
5
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, apache, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
6
# contact : info@alcasar.net
6
# contact : info@alcasar.net
7
 
7
 
8
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
8
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
9
# This script is distributed under the Gnu General Public License (GPLV3)
9
# This script is distributed under the Gnu General Public License (GPLV3)
10
 
10
 
Line 46... Line 46...
46
DIR_INSTALL=`pwd`						# current directory
46
DIR_INSTALL=`pwd`						# current directory
47
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
47
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
48
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
48
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
49
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
49
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
50
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
50
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
51
DIR_WEB="/var/www/html"					# directory of Lighttpd
51
DIR_WEB="/var/www/html"					# directory of Apache
52
DIR_E2G="/etc/e2guardian"				# directory of E2Guardian
52
DIR_E2G="/etc/e2guardian"				# directory of E2Guardian
53
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
53
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
54
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
54
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
55
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
55
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
56
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
56
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
Line 774... Line 774...
774
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
774
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
775
} # End of network()
775
} # End of network()
776
 
776
 
777
##################################################################
777
##################################################################
778
##                           "CA"                               ##
778
##                           "CA"                               ##
779
## - Creating the CA and the server certificate (lighttpd)      ##
779
## - Creating the CA and the server certificate (httpd)         ##
780
##################################################################
780
##################################################################
781
CA()
781
CA()
782
{
782
{
783
	$DIR_DEST_BIN/alcasar-CA.sh
783
	$DIR_DEST_BIN/alcasar-CA.sh
784
	chmod 755 /etc/pki/
784
	chmod 755 /etc/pki/
Line 792... Line 792...
792
} # End of CA()
792
} # End of CA()
793
 
793
 
794
######################################################
794
######################################################
795
##                       "ACC"                      ##
795
##                       "ACC"                      ##
796
## - copy ALCASAR Control Center (ACC) files        ##
796
## - copy ALCASAR Control Center (ACC) files        ##
797
## - configuration of the web server (Lighttpd)     ##
797
## - configuration of the web server (Apache)       ##
798
## - creation of the first ACC admin account        ##
798
## - creation of the first ACC admin account        ##
799
## - secure the ACC access                          ##
799
## - secure the ACC access                          ##
800
######################################################
800
######################################################
801
ACC()
801
ACC()
802
{
802
{
Line 844... Line 844...
844
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
844
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
845
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
845
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
846
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
846
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
847
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
847
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
848
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
848
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
849
# Configuring & securing Lighttpd
849
# Configuring & securing Apache
850
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
850
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
851
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
851
	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
852
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
852
	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
853
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
853
	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
854
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
854
	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
-
 
855
	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
855
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
856
	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
856
 
-
 
857
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
857
	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
858
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
858
	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
859
	$SED "s?^#[ ]*\"mod_authn_file\",.*?\"mod_authn_file\",?g" /etc/lighttpd/modules.conf
859
	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
860
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
860
	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
861
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
861
	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
862
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
862
	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
863
	$SED "s?^#include conf_dir + \"/conf.d/fastcgi.conf\".*?include conf_dir + \"/conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
863
	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
864
 
-
 
865
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
864
	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
-
 
865
	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
-
 
866
	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
-
 
867
	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
-
 
868
	echo "SSLHonorCipherOrder on" >> /etc/httpd/conf/conf.d/ssl.conf # The Browser must respect the order of the cipher suite
-
 
869
	echo "SSLPassPhraseDialog  builtin" >> /etc/httpd/conf/conf.d/ssl.conf # in case of passphrase the dialog will be perform on stdin
-
 
870
	echo "SSLSessionCache \"shmcb:/run/httpd/ssl_scache(512000)\"" >> /etc/httpd/conf/conf.d/ssl.conf # default cache size
-
 
871
	echo "SSLSessionCacheTimeout 300" >> /etc/httpd/conf/conf.d/ssl.conf # default cache time in seconds
-
 
872
# Error page management
-
 
873
	[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] || cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
866
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
874
	cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
-
 
875
Alias /error/ "/var/www/html/"
-
 
876
<Directory "/usr/share/httpd/error">
-
 
877
    AllowOverride None
-
 
878
    Options IncludesNoExec
-
 
879
    AddOutputFilter Includes html
-
 
880
    AddHandler type-map var
-
 
881
    Require all granted
-
 
882
    LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
-
 
883
    ForceLanguagePriority Prefer Fallback
-
 
884
</Directory>
-
 
885
ErrorDocument 400 /error/error.php?error=400
-
 
886
ErrorDocument 401 /error/error.php?error=401
-
 
887
ErrorDocument 403 /error/error.php?error=403
-
 
888
ErrorDocument 404 /error/index.php
-
 
889
ErrorDocument 405 /error/error.php?error=405
-
 
890
ErrorDocument 408 /error/error.php?error=408
-
 
891
ErrorDocument 410 /error/error.php?error=410
-
 
892
ErrorDocument 411 /error/error.php?error=411
-
 
893
ErrorDocument 412 /error/error.php?error=412
-
 
894
ErrorDocument 413 /error/error.php?error=413
-
 
895
ErrorDocument 414 /error/error.php?error=414
-
 
896
ErrorDocument 415 /error/error.php?error=415
-
 
897
ErrorDocument 500 /error/error.php?error=500
-
 
898
ErrorDocument 501 /error/error.php?error=501
-
 
899
ErrorDocument 502 /error/error.php?error=502
-
 
900
ErrorDocument 503 /error/error.php?error=503
-
 
901
ErrorDocument 506 /error/error.php?error=506
867
 
902
EOF
868
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
903
	[ -e /usr/share/httpd/error/include/top.html.default ] || cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
869
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
904
	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
870
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
905
	[ -e /usr/share/httpd/error/include/bottom.html.default ] || cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
871
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
906
	cat <<EOF > /usr/share/httpd/error/include/bottom.html
-
 
907
</body>
-
 
908
</html>
872
 
909
EOF
-
 
910
# ACC partitioning
873
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
911
	rm -f /etc/httpd/conf/vhosts.d/alcasar*
874
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
912
	cat <<EOF > /etc/httpd/conf/vhosts.d/alcasar.conf
-
 
913
<Directory $DIR_WEB>
-
 
914
        AllowOverride None
-
 
915
        Order deny,allow
-
 
916
        Deny from all
-
 
917
        Allow from 127.0.0.1
-
 
918
        Allow from $PRIVATE_NETWORK_MASK
-
 
919
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
920
</Directory>
-
 
921
<Directory $DIR_WEB/certs>
-
 
922
        AddType application/x-x509-ca-cert crt
-
 
923
</Directory>
-
 
924
<Directory $DIR_ACC>
-
 
925
        SSLRequireSSL
-
 
926
        AllowOverride None
-
 
927
        Order deny,allow
-
 
928
        Deny from all
-
 
929
        Allow from 127.0.0.1
-
 
930
        Allow from $PRIVATE_NETWORK_MASK
-
 
931
        require valid-user
-
 
932
        AuthType digest
-
 
933
        AuthName "ALCASAR Control Center (ACC)"
-
 
934
        AuthDigestDomain $HOSTNAME.$DOMAIN
875
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
935
        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
936
        AuthUserFile $DIR_DEST_ETC/digest/key_all
-
 
937
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
938
</Directory>
-
 
939
<Directory $DIR_ACC/admin>
-
 
940
        SSLRequireSSL
-
 
941
        AllowOverride None
-
 
942
        Order deny,allow
-
 
943
        Deny from all
-
 
944
        Allow from 127.0.0.1
-
 
945
        Allow from $PRIVATE_NETWORK_MASK
-
 
946
        require valid-user
-
 
947
        AuthType digest
-
 
948
        AuthName "ALCASAR Control Center (ACC)"
-
 
949
        AuthDigestDomain $HOSTNAME.$DOMAIN
876
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
950
        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
951
        AuthUserFile $DIR_DEST_ETC/digest/key_admin
-
 
952
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
953
</Directory>
-
 
954
<Directory $DIR_ACC/manager>
-
 
955
        SSLRequireSSL
-
 
956
        AllowOverride None
-
 
957
        Order deny,allow
-
 
958
        Deny from all
-
 
959
        Allow from 127.0.0.1
-
 
960
        Allow from $PRIVATE_NETWORK_MASK
-
 
961
        require valid-user
-
 
962
        AuthType digest
-
 
963
        AuthName "ALCASAR Control Center (ACC)"
-
 
964
        AuthDigestDomain $HOSTNAME.$DOMAIN
877
	ln -s /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
965
        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
-
 
966
        AuthUserFile $DIR_DEST_ETC/digest/key_manager
-
 
967
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
878
 
968
</Directory>
-
 
969
<Directory $DIR_ACC/backup>
-
 
970
        SSLRequireSSL
-
 
971
        AllowOverride None
-
 
972
        Order deny,allow
-
 
973
        Deny from all
-
 
974
        Allow from 127.0.0.1
-
 
975
        Allow from $PRIVATE_NETWORK_MASK
-
 
976
        require valid-user
-
 
977
        AuthType digest
-
 
978
        AuthName "ALCASAR Control Center (ACC)"
879
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
979
        AuthDigestDomain $HOSTNAME.$DOMAIN
880
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
980
        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
881
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
981
        AuthUserFile $DIR_DEST_ETC/digest/key_backup
-
 
982
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
882
 
983
</Directory>
-
 
984
Alias /save/ "$DIR_SAVE/"
-
 
985
<Directory $DIR_SAVE>
-
 
986
        SSLRequireSSL
-
 
987
        Options Indexes
-
 
988
        Order deny,allow
-
 
989
        Deny from all
-
 
990
        Allow from 127.0.0.1
-
 
991
        Allow from $PRIVATE_NETWORK_MASK
-
 
992
        require valid-user
-
 
993
        AuthType digest
-
 
994
        AuthName "ALCASAR Control Center (ACC)"
883
	chown -R apache:apache /var/log/lighttpd
995
        AuthDigestDomain $HOSTNAME.$DOMAIN
-
 
996
        AuthUserFile $DIR_DEST_ETC/digest/key_backup
-
 
997
        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
-
 
998
</Directory>
884
 
999
EOF
885
# Creation of the first account (in 'admin' profile)
1000
# Creation of the first account (in 'admin' profile)
886
	if [ "$mode" = "install" ]
1001
	if [ "$mode" = "install" ]
887
	then
1002
	then
888
		header_install
1003
		header_install
889
# Creation of keys file for the admin account ("admin")
1004
# Creation of keys file for the admin account ("admin")
Line 900... Line 1015...
900
		done
1015
		done
901
	fi
1016
	fi
902
# Creation of ACC certs links
1017
# Creation of ACC certs links
903
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
1018
	[ -d /var/www/html/certs ] || mkdir /var/www/html/certs
904
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
1019
	ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt
905
# Run lighttpd after coova (in order waiting tun0 to be up)
1020
# Run Apache after coova (in order waiting tun0 to be up)
906
	cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service
1021
	cp /lib/systemd/system/httpd.service /etc/systemd/system/httpd.service
907
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service
1022
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/httpd.service
908
	# Log file for ACC access imputability
1023
	# Log file for ACC access imputability
909
	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
1024
	[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log
910
	chown root:apache $DIR_SAVE/security/acc_access.log
1025
	chown root:apache $DIR_SAVE/security/acc_access.log
911
	chmod 664 $DIR_SAVE/security/acc_access.log
1026
	chmod 664 $DIR_SAVE/security/acc_access.log
912
} # End of ACC()
1027
} # End of ACC()
Line 1803... Line 1918...
1803
bantime = 3m
1918
bantime = 3m
1804
findtime = 5m
1919
findtime = 5m
1805
EOF
1920
EOF
1806
 
1921
 
1807
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1922
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
1808
	cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1923
#	cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
1809
[lighttpd-auth]
1924
#[lighttpd-auth]
1810
enabled = true
1925
#enabled = true
1811
#enabled  = false
1926
#enabled  = false
1812
maxretry = 3
1927
#maxretry = 3
1813
bantime = 3m
1928
#bantime = 3m
1814
findtime = 3m
1929
#findtime = 3m
1815
EOF
1930
#EOF
1816
 
1931
 
1817
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1932
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
1818
	cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1933
	cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
1819
[alcasar_mod-evasive]
1934
[alcasar_mod-evasive]
1820
#enabled = true
1935
#enabled = true
1821
enabled = false
1936
enabled = false
1822
backend = auto
1937
backend = auto
1823
filter = alcasar_mod-evasive
1938
filter = alcasar_mod-evasive
1824
action = iptables-allports[name=alcasar_mod-evasive]
1939
action = iptables-allports[name=alcasar_mod-evasive]
1825
logpath = /var/log/lighttpd/access.log
1940
logpath = /var/log/httpd/access.log
1826
maxretry = 3
1941
maxretry = 3
1827
bantime = 3m
1942
bantime = 3m
1828
findtime = 3m
1943
findtime = 3m
1829
EOF
1944
EOF
1830
	cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
1945
	cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
Line 1839... Line 1954...
1839
enabled = true
1954
enabled = true
1840
#enabled = false
1955
#enabled = false
1841
backend = auto
1956
backend = auto
1842
filter = alcasar_intercept
1957
filter = alcasar_intercept
1843
action = iptables-allports[name=alcasar_intercept]
1958
action = iptables-allports[name=alcasar_intercept]
1844
logpath = /var/log/lighttpd/access.log
1959
logpath = /var/log/httpd/access.log
1845
maxretry = 5
1960
maxretry = 5
1846
bantime = 3m
1961
bantime = 3m
1847
findtime = 3m
1962
findtime = 3m
1848
EOF
1963
EOF
1849
	cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
1964
	cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
Line 1858... Line 1973...
1858
enabled = true
1973
enabled = true
1859
#enabled = false
1974
#enabled = false
1860
backend = auto
1975
backend = auto
1861
filter = alcasar_change-pwd
1976
filter = alcasar_change-pwd
1862
action = iptables-allports[name=alcasar_change-pwd]
1977
action = iptables-allports[name=alcasar_change-pwd]
1863
logpath = /var/log/lighttpd/access.log
1978
logpath = /var/log/httpd/access.log
1864
maxretry = 5
1979
maxretry = 5
1865
bantime = 3m
1980
bantime = 3m
1866
findtime = 3m
1981
findtime = 3m
1867
EOF
1982
EOF
1868
	cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
1983
	cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
Line 1879... Line 1994...
1879
	/usr/bin/touch /var/log/auth.log
1994
	/usr/bin/touch /var/log/auth.log
1880
# fail2ban unit
1995
# fail2ban unit
1881
	cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
1996
	cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
1882
	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
1997
	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
1883
	$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
1998
	$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
1884
	$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
1999
	$SED '/After=*/c After=syslog.target network.target httpd.service' /etc/systemd/system/fail2ban.service
1885
} # End of fail2ban()
2000
} # End of fail2ban()
1886
 
2001
 
1887
########################################################
2002
########################################################
1888
##                  "gammu_smsd"                      ##
2003
##                  "gammu_smsd"                      ##
1889
## - Creating of SMS management database              ##
2004
## - Creating of SMS management database              ##
Line 2150... Line 2265...
2150
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2265
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2151
	chmod 644 /etc/logrotate.d/*
2266
	chmod 644 /etc/logrotate.d/*
2152
# Log compression
2267
# Log compression
2153
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2268
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2154
# actualisation des fichiers logs compressés
2269
# actualisation des fichiers logs compressés
2155
	for dir in firewall e2guardian lighttpd
2270
	for dir in firewall e2guardian httpd
2156
	do
2271
	do
2157
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2272
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2158
	done
2273
	done
2159
	/usr/bin/systemctl daemon-reload
2274
	/usr/bin/systemctl daemon-reload
2160
# processes started at boot time (Systemctl)
2275
# processes started at boot time (Systemctl)
2161
	for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2276
	for i in alcasar-network mysqld httpd ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
2162
	do
2277
	do
2163
		/usr/bin/systemctl -q enable $i.service
2278
		/usr/bin/systemctl -q enable $i.service
2164
	done
2279
	done
2165
 
2280
 
2166
# disable processes at boot time (Systemctl)
2281
# disable processes at boot time (Systemctl)