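--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 3238 2024-12-02 22:38:59Z rexy $
+#  $Id: alcasar.sh 3240 2024-12-23 11:15:21Z rexy $
 
 # ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, apache, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
 # contact : info@alcasar.net
 
@@ -802,10 +802,11 @@
 {
 	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
 	mkdir $DIR_WEB
 # Copy & adapt ACC files
 	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
+	ln $DIR_WEB/images/favicon-48.ico $DIR_WEB/favicon.ico
 	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
 	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/welcome.php
 	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/welcome.php
 	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/welcome.php
 	$SED "s?^\$csrf_key = .*?\$csrf_key = \"$csrfkey\"\;?g" $DIR_ACC/manager/htdocs/activity.php
@@ -857,11 +858,11 @@
 	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] || cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
 	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
 	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
 	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
 	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
-	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
+	$SED "s?^#LoadModule rewrite_module.*?LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
 	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
 	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] || cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
 	echo "Listen $PRIVATE_IP:443" > /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
 	echo "SSLProtocol all -SSLv2 -SSLv3" >> /etc/httpd/conf/conf.d/ssl.conf  # exclude vulnerable protocols
 	echo "SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" >> /etc/httpd/conf/conf.d/ssl.conf # Define the cipher suite
@@ -964,10 +965,32 @@
         AuthDigestDomain $HOSTNAME.$DOMAIN
         BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
         AuthUserFile $DIR_DEST_ETC/digest/key_manager
         ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
 </Directory>
+<Directory $DIR_ACC/manager/nfsen>
+        SSLRequireSSL
+        AllowOverride None
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.1
+        Allow from $PRIVATE_NETWORK_MASK
+        require valid-user
+        AuthType digest
+        AuthName "ALCASAR Control Center (ACC)"
+        AuthDigestDomain $HOSTNAME.$DOMAIN
+        BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
+        AuthUserFile $DIR_DEST_ETC/digest/key_manager
+        ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
+        <IfModule mod_rewrite.c>
+                RewriteEngine On
+                RewriteCond %{REQUEST_FILENAME} !-f
+                RewriteCond %{REQUEST_FILENAME} !-d
+                RewriteRule ^api/(.*)$ backend/index.php?request=$1 [QSA,NC,L]
+                RewriteRule ^$ frontend [L]
+        </IfModule>
+</Directory>
 <Directory $DIR_ACC/backup>
         SSLRequireSSL
         AllowOverride None
         Order deny,allow
         Deny from all
@@ -1538,22 +1561,25 @@
 Description=Netflow Capture Daemon
 After=network-online.target iptables.service
 
 [Service]
 Type=simple
-ExecStartPre=/bin/mkdir -p /run/nfcapd
-ExecStartPre=/bin/chown nfcapd:nfcapd /run/nfcapd
 PIDFile=/run/nfcapd/nfcapd.pid
-ExecStart=/usr/bin/nfcapd -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -w /var/log/nfsen/profiles-data/live/alcasar_netflow
+ExecStart=/usr/bin/nfcapd -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 1 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -w /var/log/nfsen/profiles-data/live/alcasar_netflow
 ExecReload=/bin/kill -HUP $MAINPID
 
 [Install]
 WantedBy=multi-user.target
 EOF
     [ -d /var/log/nfsen/profiles-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profiles-data/live/alcasar_netflow
+    touch /var/log/nfsen/profiles-data/live/alcasar_netflow/.nfstat
     [ -d /run/nfcapd ] || mkdir -p /run/nfcapd
     chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
+# nfsen-ng
+
+
+
 } # End of nfsen()
 
 ###########################################################
 ##                       "vnstat"                        ##
 ## - Initialization of vnstat and vnstat-dashboard       ##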
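Review bot: In the new `<Directory $DIR_ACC/manager/nfsen>` block, `RewriteRule ^api/(.*)$ backend/index.php?request=$1 [QSA,NC,L]` carries a bare `$1`, and because `$DIR_ACC` and `$HOSTNAME.$DOMAIN` on the neighbouring lines are clearly meant to be expanded, this here-document appears to be unquoted, so bash will substitute the function's first positional parameter (most likely empty) instead of writing the literal back-reference into the Apache config. The emitted rule would then read `request=` and every API path would be dropped before it reaches `backend/index.php`; escape it as `request=\$1`. The here-document and the enclosing function both start outside this hunk, so the delimiter quoting should be confirmed there. Separately, the nfcapd unit loses both `ExecStartPre` lines while the script now only creates `/run/nfcapd` at install time; since `/run` is normally a tmpfs, the daemon may be unable to write its PID file after a reboot unless a `RuntimeDirectory=nfcapd` directive or a tmpfiles.d entry exists outside the hunk.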