Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 3231 2024-11-10 23:12:08Z rexy $
|
2 |
# $Id: alcasar.sh 3238 2024-12-02 22:38:59Z rexy $
|
3 |
|
3 |
|
4 |
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
4 |
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
|
5 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, apache, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
|
5 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, apache, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
|
6 |
# contact : info@alcasar.net
|
6 |
# contact : info@alcasar.net
|
7 |
|
7 |
|
Line 60... |
Line 60... |
60 |
DB_RADIUS="radius" # database name used by FreeRadius server
|
60 |
DB_RADIUS="radius" # database name used by FreeRadius server
|
61 |
DB_USER="radius" # user name allows to request the users database
|
61 |
DB_USER="radius" # user name allows to request the users database
|
62 |
DB_GAMMU="gammu" # database name used by Gammu-smsd
|
62 |
DB_GAMMU="gammu" # database name used by Gammu-smsd
|
63 |
# ******* Network parameters - paramètres réseau *******
|
63 |
# ******* Network parameters - paramètres réseau *******
|
64 |
HOSTNAME="alcasar" # default hostname
|
64 |
HOSTNAME="alcasar" # default hostname
|
65 |
DOMAIN="localdomain" # default local domain
|
65 |
DOMAIN="lan" # default local domain
|
66 |
EXTIF='' # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
|
66 |
EXTIF='' # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
|
67 |
INTIF='' # INTIF is connected to the consultation network
|
67 |
INTIF='' # INTIF is connected to the consultation network
|
68 |
MTU="1500"
|
68 |
MTU="1500"
|
69 |
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
|
69 |
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
|
70 |
# ****** Paths - chemin des commandes *******
|
70 |
# ****** Paths - chemin des commandes *******
|
Line 1398... |
Line 1398... |
1398 |
[ -e $DIR_E2G/e2guardian.conf.default ] || cp $DIR_E2G/e2guardian.conf $DIR_E2G/e2guardian.conf.default
|
1398 |
[ -e $DIR_E2G/e2guardian.conf.default ] || cp $DIR_E2G/e2guardian.conf $DIR_E2G/e2guardian.conf.default
|
1399 |
# French deny HTML page
|
1399 |
# French deny HTML page
|
1400 |
$SED "s?^language =.*?language = 'french'?g" $DIR_E2G/e2guardian.conf
|
1400 |
$SED "s?^language =.*?language = 'french'?g" $DIR_E2G/e2guardian.conf
|
1401 |
# Listen & loop prevention on loopback
|
1401 |
# Listen & loop prevention on loopback
|
1402 |
$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_E2G/e2guardian.conf
|
1402 |
$SED "s?^#checkip = 127.0.0.1.*?checkip = 127.0.0.1?g" $DIR_E2G/e2guardian.conf
|
1403 |
# 2 filtergroups (8080 & 8090)
|
1403 |
# 2 filtergroups (8080 & 8081)
|
1404 |
$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_E2G/e2guardian.conf
|
1404 |
$SED "s?^#filtergroups =.*?filtergroups = 2?g" $DIR_E2G/e2guardian.conf
|
1405 |
# Listen on LAN only
|
1405 |
# Listen on LAN only
|
1406 |
$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_E2G/e2guardian.conf
|
1406 |
$SED "s?^#filterip =.*?filterip = $PRIVATE_IP?g" $DIR_E2G/e2guardian.conf
|
1407 |
# Listen on 8080 (group1 : BL users on HTTP)
|
1407 |
# Listen on 8080 (group1 : BL users on HTTP)
|
1408 |
$SED "s?^#filterports = 8080.*?filterports = 8080?g" $DIR_E2G/e2guardian.conf
|
1408 |
$SED "s?^#filterports = 8080:8081.*?filterports = 8080:8081?g" $DIR_E2G/e2guardian.conf
|
1409 |
# Listen on 8081 (group2 : previously AV users --> to be redefine)
|
1409 |
# Listen on 8081 (group2 : previously AV users --> to be redefine)
|
1410 |
# $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_E2G/e2guardian.conf
|
1410 |
# $SED "/^filterip = $PRIVATE_IP/a filterip = $PRIVATE_IP" $DIR_E2G/e2guardian.conf
|
1411 |
$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_E2G/e2guardian.conf
|
1411 |
$SED "s?^#filterports = 8081.*?filterports = 8081?g" $DIR_E2G/e2guardian.conf
|
1412 |
# for now we don't listen transparently on 8443 (HTTPS) (only in future version)
|
1412 |
# for now we don't listen transparently on 8443 (HTTPS) (only in future version)
|
1413 |
$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_E2G/e2guardian.conf
|
1413 |
$SED "s?^transparenthttpsport =.*?#transparenthttpsport = 8443?g" $DIR_E2G/e2guardian.conf
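Review bot: New line 1408 now uncomments a combined `filterports = 8080:8081` directive, but unchanged line 1411 still runs `s?^#filterports = 8081.*?filterports = 8081?g`, so if the shipped e2guardian.conf contains that commented line the resulting config carries a second `filterports` entry for a port already covered by the range, against the single `filterip` set at line 1406. Either line 1411 should be dropped (or commented out like the `filterip` line at 1410) or the comment at 1409 should explain why both directives are wanted: `# 8081 is already in the 8080:8081 range above; no separate filterports line`. Both sed edits are silent no-ops when the anchored `#filterports = …` line is absent from the distro default, so a check that `grep -q '^filterports = 8080:8081' "$DIR_E2G/e2guardian.conf"` after the substitution would make a changed upstream default visible at install time. The enclosing e2guardian() function starts before this hunk.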
|
Line 1474... |
Line 1474... |
1474 |
# 'Safesearch' regex actualisation
|
1474 |
# 'Safesearch' regex actualisation
|
1475 |
$SED "s?images?search?g" $DIR_E2G_GROUP1/urlregexplist
|
1475 |
$SED "s?images?search?g" $DIR_E2G_GROUP1/urlregexplist
|
1476 |
# change the google safesearch ("safe=strict" instead of "safe=vss")
|
1476 |
# change the google safesearch ("safe=strict" instead of "safe=vss")
|
1477 |
$SED "s?safe=vss?safe=strict?g" $DIR_E2G_GROUP1/urlregexplist
|
1477 |
$SED "s?safe=vss?safe=strict?g" $DIR_E2G_GROUP1/urlregexplist
|
1478 |
|
1478 |
|
- |
|
1479 |
###### ALCASAR filtering for group2 (previously av_users) ####
|
1479 |
# Create & adapt group2 conf file (av + av_wl)
|
1480 |
# Create & adapt group2 conf file (av + av_wl)
|
1480 |
cp $DIR_E2G/e2guardianf1.conf.default $DIR_E2G/e2guardianf2.conf
|
1481 |
cp $DIR_E2G/e2guardianf1.conf.default $DIR_E2G/e2guardianf2.conf
|
1481 |
$SED "s?^#reportinglevel =.*?reportinglevel = 3?g" $DIR_E2G/e2guardianf2.conf
|
1482 |
$SED "s?^#reportinglevel =.*?reportinglevel = 3?g" $DIR_E2G/e2guardianf2.conf
|
1482 |
$SED "s?^#groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_E2G/e2guardianf2.conf
|
1483 |
$SED "s?^#groupname =.*?groupname = 'antimalware + whitelested users'?g" $DIR_E2G/e2guardianf2.conf
|
1483 |
$SED "s?^urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist'?urllist = 'name=banned,messageno=501,path=__LISTDIR__/bannedurllist.default'?g" $DIR_E2G/e2guardianf2.conf # no banned urls
|
- |
|
1484 |
|
1484 |
|
1485 |
# create log folder
|
1485 |
# create log folder
|
1486 |
mkdir -p /var/log/e2guardian
|
1486 |
mkdir -p /var/log/e2guardian
|
1487 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1487 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
|
1488 |
} # End of e2guardian()
|
1488 |
} # End of e2guardian()
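Review bot: Dropping the old line 1483 (`urllist = … bannedurllist.default` for e2guardianf2.conf) silently changes the policy of group2: since line 1481 copies e2guardianf1.conf.default, the "antimalware + whitelisted users" group now keeps group1's `bannedurllist` reference instead of the empty default, and nothing in the hunk records that this is intended. If it is, add a line after the new header comment at 1479 such as `# group2 now inherits group1's bannedurllist on purpose (the bannedurllist.default override was removed)`; if it is not, the removed sed line should be restored. The replaced header comment at 1479 still says "(previously av_users)", so a one-line note on what group2 is filtered on today would also help whoever next touches e2guardianf2.conf.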
|
Line 1764... |
Line 1764... |
1764 |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
|
1764 |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
|
1765 |
default-lease-time 21600;
|
1765 |
default-lease-time 21600;
|
1766 |
max-lease-time 43200;
|
1766 |
max-lease-time 43200;
|
1767 |
}
|
1767 |
}
|
1768 |
EOF
|
1768 |
EOF
|
- |
|
1769 |
chown -R dhcpd:dhcpd /var/lib/dhcpd
|
1769 |
} # End of dhcpd()
|
1770 |
} # End of dhcpd()
|
1770 |
|
1771 |
|
1771 |
##########################################################
|
1772 |
##########################################################
|
1772 |
## "BL" ##
|
1773 |
## "BL" ##
|
1773 |
## - copy & adapt Toulouse BL to ALCASAR architecture ##
|
1774 |
## - copy & adapt Toulouse BL to ALCASAR architecture ##
|
Line 2227... |
Line 2228... |
2227 |
echo "SSH_WAN=0" >> $CONF_FILE
|
2228 |
echo "SSH_WAN=0" >> $CONF_FILE
|
2228 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
2229 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
2229 |
echo "INTERLAN=off" >> $CONF_FILE
|
2230 |
echo "INTERLAN=off" >> $CONF_FILE
|
2230 |
echo "LDAP=off" >> $CONF_FILE
|
2231 |
echo "LDAP=off" >> $CONF_FILE
|
2231 |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
|
2232 |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
|
2232 |
echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
|
2233 |
echo "LDAP_BASE=cn=Users;dc=serverad;dc=lan" >> $CONF_FILE
|
2233 |
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
|
2234 |
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
|
2234 |
echo "LDAP_FILTER=" >> $CONF_FILE
|
2235 |
echo "LDAP_FILTER=" >> $CONF_FILE
|
2235 |
echo "LDAP_USER=alcasar" >> $CONF_FILE
|
2236 |
echo "LDAP_USER=alcasar" >> $CONF_FILE
|
2236 |
echo "LDAP_PASSWORD=" >> $CONF_FILE
|
2237 |
echo "LDAP_PASSWORD=" >> $CONF_FILE
|
2237 |
echo "LDAP_SSL=on" >> $CONF_FILE
|
2238 |
echo "LDAP_SSL=on" >> $CONF_FILE
|