735,8 → 735,8 |
# load ipt_NETFLOW module |
echo "ipt_NETFLOW" >> /etc/modprobe.preload |
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush) |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service |
cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /etc/systemd/system/iptables.service |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies) |
# |
803,7 → 803,7 |
done |
chown -R root:apache $DIR_SAVE |
# Configuring & securing php |
[ -e /etc/php.d/05_date.ini ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default |
[ -e /etc/php.d/05_date.ini.default ] || cp /etc/php.d/05_date.ini /etc/php.d/05_date.ini.default |
timezone=`timedatectl show --property=Timezone|cut -d"=" -f2` |
$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.d/05_date.ini |
[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default |
873,7 → 873,8 |
[ -d /var/www/html/certs ] || mkdir /var/www/html/certs |
ln -s /etc/pki/CA/alcasar-ca.crt /var/www/html/certs/certificat_alcasar_ca.crt |
# Run lighttpd after coova (in order waiting tun0 to be up) |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service |
cp /lib/systemd/system/lighttpd.service /etc/systemd/system/lighttpd.service |
$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /etc/systemd/system/lighttpd.service |
# Log file for ACC access imputability |
[ -e $DIR_SAVE/security/acc_access.log ] || touch $DIR_SAVE/security/acc_access.log |
chown root:apache $DIR_SAVE/security/acc_access.log |
959,9 → 960,9 |
# Add an empty radius database structure |
/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql |
# modify the start script in order to close accounting connexion when the system is comming down or up |
[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default |
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service |
$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service |
cp /lib/systemd/system/mysqld.service /etc/systemd/system/mysqld.service |
$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service |
$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /etc/systemd/system/mysqld.service |
/usr/bin/systemctl unset-environment MYSQLD_OPTS |
/usr/bin/systemctl daemon-reload |
} # End of init_db() |
1044,8 → 1045,8 |
cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter |
chown -R radius:radius /etc/raddb/mods-available/sqlcounter |
# make certain that mysql is up before freeradius start |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service |
cp /lib/systemd/system/radiusd.service /etc/systemd/system/radiusd.service |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /etc/systemd/system/radiusd.service |
/usr/bin/systemctl daemon-reload |
# Allow apache to change some conf files (ie : ldap on/off) |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available |
1060,7 → 1061,7 |
chilli() |
{ |
# chilli unit for systemd |
cat << EOF > /lib/systemd/system/chilli.service |
cat << EOF > /etc/systemd/system/chilli.service |
# This file is part of systemd. |
# |
# systemd is free software; you can redistribute it and/or modify it |
1260,11 → 1261,11 |
e2guardian() |
{ |
# Adapt systemd unit |
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service |
cp /lib/systemd/system/e2guardian.service /etc/systemd/system/e2guardian.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /etc/systemd/system/e2guardian.service |
$SED "s?^After=.*?After=network.target chilli.service?g" /etc/systemd/system/e2guardian.service |
# Adapt the main conf file |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
# Adapt the main conf file |
# French deny HTML page |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf |
# 2 filtergroups (8080 & 8090) |
1370,14 → 1371,14 |
################################################################## |
antivirus() |
{ |
# Clamd adaptation to e2guardian |
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default |
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default |
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket |
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket |
|
# Clamd unit adaptation to e2guardian |
cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service |
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service |
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service |
cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket |
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket |
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket |
# Clamd conf adaptation to e2guardian |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default |
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf |
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message |
1410,7 → 1411,7 |
nl=1 |
for log_type in traceability ssh ext-access |
do |
[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service |
cp -f /lib/systemd/system/ulogd.service /etc/systemd/system/ulogd-$log_type.service |
[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log |
cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf |
$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf |
1419,7 → 1420,7 |
file="/var/log/firewall/$log_type.log" |
sync=1 |
EOF |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /etc/systemd/system/ulogd-$log_type.service |
nl=`expr $nl + 1` |
done |
chown -R root:apache /var/log/firewall |
1437,7 → 1438,7 |
groupadd -f nfcapd |
id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd |
# nfcapd unit for systemd |
cat << EOF > /lib/systemd/system/nfcapd.service |
cat << EOF > /etc/systemd/system/nfcapd.service |
# This file is part of systemd. |
# |
# systemd is free software; you can redistribute it and/or modify it |
1479,8 → 1480,8 |
$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf |
# vnstat-dashboard |
$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php |
[ -e /lib/systemd/system/vnstat.service.default ] || cp /lib/systemd/system/vnstat.service /lib/systemd/system/vnstat.service.default |
$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /lib/systemd/system/vnstat.service |
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service |
$SED "s?^PIDFILE=.*?PIDFILE=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service |
} # End of vnstat() |
|
################################################################### |
1509,11 → 1510,11 |
server=$DNS1 |
server=$DNS2 |
EOF |
# Create dnsmasq-whitelist unit |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
# Don't run dnsmasq service. Create dnsmasq-whitelist unit |
systemctl disable dnsmasq.service |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service |
} # End of dnsmasq() |
|
######################################################### |
1682,19 → 1683,16 |
include: /etc/unbound/conf.d/blackhole/* |
EOF |
|
if [ ! -e /lib/systemd/system/unbound.service.default ] |
then |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default |
fi |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service |
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service |
for list in blacklist blackhole whitelist |
do |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service |
cp -f /lib/systemd/system/unbound.service /etc/systemd/system/unbound-$list.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service |
done |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service |
} # End of unbound() |
|
################################################## |
1941,10 → 1939,10 |
chmod 644 $DIR_SAVE/security/watchdog.log |
/usr/bin/touch /var/log/auth.log |
# fail2ban unit |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service |
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service |
} # End of fail2ban() |
|
######################################################### |
2005,7 → 2003,7 |
chmod 755 /etc/gammu_smsd_conf /etc/gammurc |
|
# Create the systemd unit |
cat << EOF > /lib/systemd/system/gammu-smsd.service |
cat << EOF > /etc/systemd/system/gammu-smsd.service |
[Unit] |
Description=SMS daemon for Gammu |
Documentation=man:gammu-smsd(1) |
2193,7 → 2191,7 |
find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \; |
done |
# create the alcasar-load_balancing unit |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service |
cat << EOF > /etc/systemd/system/alcasar-load_balancing.service |
# This file is part of systemd. |
# |
# systemd is free software; you can redistribute it and/or modify it |
2375,7 → 2373,7 |
exit 0 |
;; |
-i | --install) |
for func in license testing_system |
for func in license testing_system testing_network |
do |
header_install |
$func |
2451,7 → 2449,7 |
fi |
mode="update" |
fi |
for func in testing_network init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |