/CHANGELOG |
4,7 → 4,7 |
-------------------- 3.4.0 -------------------- |
NEWS |
- Linux Kernel 4.14.131 - ipt_NETFLOW 2.4 |
- Replace 4 DNSmasq servers with Unbound servers |
- Replace DNSmasq servers with Unbound servers |
- Add LDAPS (LDAP SSL) support. |
- Add a global group named "default" for all users (the "ldap" group still exists for users authenticated through LDAP/A.D.). |
- Add LDAP filter. |
/VERSION |
1,0 → 0,0 |
3.4b |
3.4 |
/alcasar.sh |
909,7 → 909,7 |
} # End of ACC() |
################################################################## |
## Fonction "CA" ## |
## Fonction "CA" ## |
## - Creating the CA and the server certificate (lighttpd) ## |
################################################################## |
CA() |
1591,7 → 1591,10 |
server=$DNS2 |
EOF |
# Create dnsmasq-whitelist unit |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
if [ "$mode" != "update" ] |
then |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
fi |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
1966,9 → 1969,9 |
fail2ban() |
{ |
/usr/bin/sh $DIR_CONF/fail2ban.sh |
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp |
[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log |
[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log |
# allow reading of 2 log files (fail2ban & watchdog). HAVP is treated in its section |
[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log |
[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log |
chmod 644 /var/log/fail2ban.log |
chmod 644 /var/Save/security/watchdog.log |
/usr/bin/touch /var/log/auth.log |
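Review bot: In the 1591 hunk the new guard skips the `mv` only when `$mode` is `update`, while the `cp` on the next line still assumes `/lib/systemd/system/dnsmasq.service.default` exists; if that backup is absent in update mode the whitelist unit is never created and the two `$SED` edits then run against a missing file. Testing for the backup instead of the mode covers both situations in one line, `[ -e /lib/systemd/system/dnsmasq.service.default ] || mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default`, which is the same `[ -e … ] ||` idiom the 1966 hunk uses for the log files. Whether `mode` is set before this point is outside the hunk. In the 1966 hunk the `touch` calls gain a `/usr/bin/` prefix while the `chmod` lines that follow do not; use the absolute path for both or for neither.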
/rpms/x86_64/wget-1.20.3-1.mga6.i586.rpm |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/rpms/x86_64/wget-1.20.3-1.mga6.x86_64.rpm |
svn:mime-type = application/octet-stream |
Property changes: |
Added: svn:mime-type |
+application/octet-stream |
\ No newline at end of property |
/scripts/alcasar-conf.sh |
5,14 → 5,14 |
# by REXY |
# This script is distributed under the Gnu General Public License (GPL) |
# Ce script permet de mettre à jour d'ALCASAR |
# - création de l'archive des fichiers de configuration "/var/tmp/alcasar-conf.tar.gz" (alcasar-conf.sh -create) |
# - chargement de l'archive de fichiers de configuration lors de la mise à jour d'un alcasar (alcasar-conf -load). Le cas échéant, c'est ici qu'on met à jour les fichiers entre versions |
# - application des directives du fichier de conf central "/usr/local/etc/alcasar.conf" à chaud (alcasar-conf -apply) |
# Ce script permet la mise à jour d'un ALCASAR |
# - (alcasar-conf.sh -create) : création de l'archive des fichiers de configuration (/var/tmp/alcasar-conf.tar.gz) |
# - (alcasar-conf.sh -load) : chargement de l'archive des fichiers de configuration. Le cas échéant, c'est ici qu'on met à jour les fichiers entre versions |
# - (alcasar-conf.sh -apply) : application des directives du fichier de conf central "/usr/local/etc/alcasar.conf". Peut aussi être exploité à chaud après avoir changé des valeurs du fichier de conf. |
# This script allows ALCASAR update |
# - create the configuration files backup "/var/tmp/alcasar-conf.tar.gz" (alcasar-conf.sh -create) |
# - load the backup of configuration files during the update process (alcasar-conf -load). If needed, it's here we update files between versions |
# - apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf" when hot modification are needed (alcasar-conf -apply) |
# - (alcasar-conf.sh -create) : create the configuration files backup (/var/tmp/alcasar-conf.tar.gz) |
# - (alcasar-conf.sh -load) : load the backup of configuration files. If needed, it's here we update files between versions |
# - (alcasar-conf.sh -load) : apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf". Can be use after changes of conf file values. |
DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour |
DIR_WEB="/var/www/html" # répertoire du centre de gestion |
241,7 → 241,6 |
if [[ "$PUBLIC_IP_MASK" == "dhcp" ]] |
then |
PUBLIC_GATEWAY="dhcp" |
else |
if ! echo $PUBLIC_IP_MASK | egrep -q $PTN |
then |
286,7 → 285,6 |
else |
$DIR_BIN/alcasar-dhcp.sh --on |
fi |
# Set the local DNS (or not) |
if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ] |
then |
294,7 → 292,6 |
else |
$DIR_BIN/alcasar-dns-local.sh --off |
fi |
# Set the pure ip option (or not) |
if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ] |
then |
302,7 → 299,6 |
else |
bl_filter_param+="--pureip_on" |
fi |
# Set the safesearch options (or not) |
bl_filter_param="" |
if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ] |
311,9 → 307,7 |
else |
bl_filter_param+="--safesearch_off " |
fi |
$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param |
if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ] |
then |
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on |
320,10 → 314,8 |
else |
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off |
fi |
# Reload the local dns configuration |
$DIR_BIN/alcasar-dns-local.sh --reload |
# Logout everybody |
$DIR_BIN/alcasar-logout.sh all |
# Services stop |
399,7 → 391,7 |
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
# FreeRADIUS Web |
# FreeRADIUS |
$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf |
$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf |
# CoovaChilli |
424,7 → 416,6 |
rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.* |
rm -f /etc/unbound/conf.d/common/forward-zone.conf |
find /etc/unbound/conf.d/common/local-dns/ ! -name "global.conf" -type f -delete |
# Configuration file for the dns servers forward-zone |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf |
forward-zone: |
432,7 → 423,6 |
forward-addr: $DNS1 |
forward-addr: $DNS2 |
EOF |
# Configuration file of ALCASAR main domains for $INTIF |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
server: |
441,13 → 431,11 |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
EOF |
# Configuration file for lo of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
server: |
interface: 127.0.0.1@53 |
access-control-view: 127.0.0.1/8 lo |
view: |
name: "lo" |
view-first: yes |
458,7 → 446,6 |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
EOF |
if [ "$HOSTNAME" != 'alcasar' ] |
then |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
466,7 → 453,6 |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf |
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf |
fi |
# Configuration file for $INTIF of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
server: |
477,7 → 463,6 |
name: "$INTIF" |
view-first: yes |
EOF |
# Configuration file for $INTIF of blacklist unbound |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
server: |
487,7 → 472,6 |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of whitelist unbound |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
server: |
497,19 → 481,16 |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
EOF |
# Configuration file for $INTIF of blackhole unbound |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@56 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
view: |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
EOF |
# dhcpd |
cat <<EOF > /etc/dhcpd.conf |
ddns-update-style none; |
517,7 → 498,6 |
option routers $PRIVATE_IP; |
option subnet-mask $PRIVATE_NETMASK; |
option domain-name-servers $PRIVATE_IP; |
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP; |
default-lease-time 21600; |
max-lease-time 43200; |
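Review bot: In the 302 hunk the new-side line `bl_filter_param=""` under `# Set the safesearch options (or not)` clears the value the preceding `bl_filter_param+="--pureip_on"` branch has just built, so the pure-ip switch never reaches `$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param` in the 311 hunk, unless the variable is initialised again somewhere these hunks do not show. Moving that reset above the `# Set the pure ip option (or not)` block in the 294 hunk, or deleting it, lets both option groups accumulate before the single call. The header comment in the 5,14 hunk also carries a copy error in its third English bullet, which should read `# - (alcasar-conf.sh -apply) : apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf". Can be used after changes of conf file values.` (the new text repeats `-load` and says `Can be use`).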
/scripts/alcasar-uninstall.sh |
62,7 → 62,7 |
freeradius () |
{ |
echo -en "(12) : " |
echo -en "(24) : " |
[ -e /etc/raddb/empty-radiusd-db.sql ] && rm -f /etc/raddb/empty-radiusd-db.sql && echo -n "1, " |
[ -e /etc/raddb/radiusd.conf.default ] && mv /etc/raddb/radiusd.conf.default /etc/raddb/radiusd.conf && echo -n "2, " |
[ -e /etc/raddb/dictionary.default ] && mv /etc/raddb/dictionary.default /etc/raddb/dictionary && echo -n "3, " |
70,20 → 70,21 |
[ -e /etc/raddb/sites-available/alcasar ] && rm /etc/raddb/sites-available/alcasar && echo -n "5, " |
[ -e /etc/raddb/sites-available/alcasar-with-ldap ] && rm /etc/raddb/sites-available/alcasar-with-ldap && echo -n "6, " |
[ -e /etc/raddb/clients.conf.default ] && mv /etc/raddb/clients.conf.default /etc/raddb/clients.conf && echo -n "7, " |
echo -n "8" |
i=7 |
for mods in sql sqlcounter attr_filter expiration logintime pap expr always |
do |
rm /etc/raddb/mods-enabled/$mods && echo -n "." |
i=`expr $i + 1` |
rm /etc/raddb/mods-enabled/$mods && echo -n "$i, " |
done |
echo -n ", " |
[ -e /etc/raddb/mods-available/ldap-alcasar ] && rm -f /etc/raddb/mods-enabled/ldap-alcasar && rm -f /etc/raddb/mods-available/ldap-alcasar && echo -n "9, " |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] && mv /etc/raddb/mods-config/sql/main/mysql/queries.conf.default /etc/raddb/mods-config/sql/main/mysql/queries.conf && echo -n "10, " |
[ -e /lib/systemd/system/radiusd.service.default ] && mv /lib/systemd/system/radiusd.service.default /lib/systemd/system/radiusd.service && echo -n "11, " |
[ -e /etc/raddb/mods-available/sqlcounter.default ] && mv /etc/raddb/mods-available/sqlcounter.default /etc/raddb/mods-available/sqlcounter && echo -n "12" |
[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf && echo -n ", 12a" |
[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf && echo -n ", 12b" |
[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf && echo -n ", 12c" |
[ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf && echo -n ", 12d" |
[ -e /etc/raddb/mods-available/ldap-alcasar ] && rm -f /etc/raddb/mods-enabled/ldap-alcasar && rm -f /etc/raddb/mods-available/ldap-alcasar && echo -n "16, " |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] && mv /etc/raddb/mods-config/sql/main/mysql/queries.conf.default /etc/raddb/mods-config/sql/main/mysql/queries.conf && echo -n "17, " |
[ -e /lib/systemd/system/radiusd.service.default ] && mv /lib/systemd/system/radiusd.service.default /lib/systemd/system/radiusd.service && echo -n "18, " |
[ -e /etc/raddb/mods-available/sqlcounter.default ] && mv /etc/raddb/mods-available/sqlcounter.default /etc/raddb/mods-available/sqlcounter && echo -n "19" |
[ -e /etc/raddb/mods-available/sql.default ] && mv /etc/raddb/mods-available/sql.default /etc/raddb/mods-available/sql && echo -n "20" |
[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf && echo -n ", 21" |
[ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf && echo -n ", 22" |
[ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf && echo -n ", 23" |
[ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] && mv /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf && echo -n ", 24" |
} |
chilli () |
201,17 → 202,16 |
fail2ban () |
{ |
echo -en "(8) : " |
[ -e /etc/fail2ban/fail2ban.conf.default ] && mv /etc/fail2ban/fail2ban.conf.default /etc/fail2ban/fail2ban.conf && echo -n "1, " |
[ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "2, " |
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf && echo -n "3, " |
i=3 |
echo -en "(7) : " |
[ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "1, " |
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf && echo -n "2, " |
i=2 |
for filter in `ls /etc/fail2ban/filter.d/alcasar_* 2>/dev/null` |
do |
i=`expr $i + 1` |
rm $filter && echo -n "$i, " |
done |
[ -e /lib/systemd/system/fail2ban.service.default ] && mv /lib/systemd/system/fail2ban.service.default /lib/systemd/system/fail2ban.service && echo -n "8" |
[ -e /lib/systemd/system/fail2ban.service.default ] && mv /lib/systemd/system/fail2ban.service.default /lib/systemd/system/fail2ban.service && echo -n "7" |
} |
gammu_smsd () |
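Review bot: In the 70 hunk the progress output of `freeradius ()` runs two step numbers together: the new `sql.default` line ends with `echo -n "20"` right after the `sqlcounter.default` line's `echo -n "19"`, so the terminal shows `1920, 21`; change it to `echo -n ", 20"` to match the `, 21` through `, 24` entries that follow. The added loop counter in the same hunk uses `expr` inside backticks, which forks a process per module; `i=$((i + 1))` is the builtin form, and the `fail2ban ()` hunk's counter would benefit from the same change. `chilli ()` and `gammu_smsd ()` begin at the hunk edges and are not reviewed here.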