12,7 → 12,8 |
# -i or --install |
# -u or --uninstall |
# Functions : |
# testing : connectivity tests, free space test and mageia version test |
# system_testing : Free space test and mageia version test |
# network_testing : Internet connectivity tests |
# init : Installation of RPM and scripts |
# network : Network parameters |
# ACC : ALCASAR Control Center installation |
20,14 → 21,14 |
# time_server : NTPd configuration |
# init_db : Initilization of radius database managed with MariaDB |
# freeradius : FreeRadius initialisation |
# chilli : coovachilli initialisation (+authentication page) |
# chilli : Coovachilli initialisation (+authentication page) |
# e2guardian : E2Guardian filtering HTTP proxy configuration |
# antivirus : clamav & freshclam configuration |
# ulogd : log system in userland (match NFLOG target of iptables) |
# antivirus : Clamav & freshclam configuration |
# ulogd : Log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
# unbound : Name server configuration |
# dnsmasq : Name server configuration (for whitelist ipset support) |
# vnstat : little network stat daemon |
# vnstat : Little network stat daemon |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter) |
# cron : Logs export + watchdog + connexion statistics |
# fail2ban : Fail2ban IDS installation and configuration |
34,6 → 35,7 |
# gammu_smsd : Autoregister addon via SMS (gammu-smsd) |
# msec : Mageia security package configuration |
# letsencrypt : Let's Encrypt client |
# mail_service : Mail service for email authentification method |
# post_install : Security, log rotation, etc. |
|
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function |
104,13 → 106,13 |
} # End of header_install() |
|
######################################################## |
## Function "testing_system" ## |
## "system_testing" ## |
## - Test Mageia version ## |
## - Test ALCASAR version (if already installed) ## |
## - Test free space on /var (>10G) ## |
## - Test Internet access ## |
######################################################## |
testing_system() |
system_testing() |
{ |
# Test of Mageia version |
# extract the current Mageia version and hardware architecture (i586 ou X64) |
222,13 → 224,13 |
fi |
exit 0 |
fi |
} # End of testing_system |
} # End of system_testing |
|
######################################################## |
## Function "testing_network" ## |
## - Test Internet access ## |
## "network_testing" ## |
## - Internet access test ## |
######################################################## |
testing_network() |
network_testing() |
{ |
# Detect external/internal interfaces |
if [ -z "$EXTIF" ]; then |
393,10 → 395,10 |
exit 1 |
fi |
echo ". : ok" |
} # End of testing_network() |
} # End of network_testing() |
|
####################################################################### |
## Function "init" ## |
## "init" ## |
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ## |
## - Creation of random password for GRUB, mariadb (admin and user) ## |
####################################################################### |
472,7 → 474,7 |
} # End of init() |
|
######################################################### |
## Function "network" ## |
## "network" ## |
## - Define the several network address ## |
## - Define the DNS naming ## |
## - INTIF parameters (consultation network) ## |
753,7 → 755,7 |
} # End of network() |
|
################################################################## |
## Fonction "CA" ## |
## "CA" ## |
## - Creating the CA and the server certificate (lighttpd) ## |
################################################################## |
CA() |
769,13 → 771,13 |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle |
} # End of CA() |
|
################################################### |
## Function "ACC" ## |
###################################################### |
## "ACC" ## |
## - copy ALCASAR Control Center (ACC) files ## |
## - configuration of the web server (Lighttpd) ## |
## - creation of the first ACC admin account ## |
## - secure the ACC access ## |
################################################### |
###################################################### |
ACC() |
{ |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB |
891,7 → 893,7 |
} # End of ACC() |
|
############################################################# |
## Function "time_server" ## |
## "time_server" ## |
## - Configuring NTP server ## |
############################################################# |
time_server() |
922,7 → 924,7 |
} # End of time_server() |
|
##################################################################### |
## Function "init_db" ## |
## "init_db" ## |
## - Mysql initialization ## |
## - Set admin (root) password ## |
## - Remove unused users & databases ## |
975,7 → 977,7 |
} # End of init_db() |
|
################################################################### |
## Function "freeradius" ## |
## "freeradius" ## |
## - Set the configuration files ## |
## - Set the shared secret between coova-chilli and freeradius ## |
## - Adapt the Mysql conf file and counters ## |
1061,7 → 1063,7 |
} # End of freeradius() |
|
############################################################################# |
## Function "chilli" ## |
## "chilli" ## |
## - Creation of the conf file and init file (systemd) for coova-chilli ## |
## - Adapt the authentication web page (intercept.php) ## |
############################################################################# |
1262,7 → 1264,7 |
} # End of chilli() |
|
################################################################ |
## Function "e2guardian" ## |
## "e2guardian" ## |
## - Set the parameters of this HTML proxy (as controler) ## |
################################################################ |
e2guardian() |
1373,7 → 1375,7 |
} # End of e2guardian() |
|
################################################################## |
## Function "antivirus" ## |
## "antivirus" ## |
## - Set the parameters of clamav and freshclam ## |
################################################################## |
antivirus() |
1408,7 → 1410,7 |
} # End of antivirus() |
|
############################################################## |
## function "ulogd" ## |
## "ulogd" ## |
## - Ulog config for multi-log files ## |
############################################################## |
ulogd() |
1436,7 → 1438,7 |
} # End of ulogd() |
|
########################################################## |
## Function "nfsen" ## |
## "nfsen" ## |
## - configure NetFlow collector (nfcapd) ## |
## - configure NetFlow grapher (nfsen-ng) ## |
########################################################## |
1475,7 → 1477,7 |
} # End of nfsen() |
|
########################################################### |
## Function "vnstat" ## |
## "vnstat" ## |
## - Initialization of vnstat and vnstat-dashboard ## |
########################################################### |
vnstat() |
1492,7 → 1494,7 |
} # End of vnstat() |
|
################################################################### |
## Function "dnsmasq" ## |
## "dnsmasq" ## |
## - creation of the conf files of dnsmasq (whitelist for ipset )## |
################################################################### |
dnsmasq() |
1517,6 → 1519,7 |
server=$DNS1 |
server=$DNS2 |
EOF |
|
# Don't run dnsmasq service. Create dnsmasq-whitelist unit |
systemctl disable dnsmasq.service |
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service |
1525,7 → 1528,7 |
} # End of dnsmasq() |
|
######################################################### |
## Function "unbound" ## |
## "unbound" ## |
## - create the conf files for 4 unbound services ## |
## - create the systemd files for 4 unbound services ## |
######################################################### |
1689,7 → 1692,6 |
include: /etc/unbound/conf.d/common/local-dns/* |
include: /etc/unbound/conf.d/blackhole/* |
EOF |
|
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service |
1703,7 → 1705,7 |
} # End of unbound() |
|
################################################## |
## Function "dhcpd" ## |
## "dhcpd" ## |
################################################## |
dhcpd() |
{ |
1722,7 → 1724,7 |
} # End of dhcpd() |
|
########################################################## |
## Function "BL" ## |
## "BL" ## |
## - copy & adapt Toulouse BL to ALCASAR architecture ## |
## - domain names for unbound-bl & unbound-wl ## |
## - URLs for EĀ²guardian ## |
1760,7 → 1762,7 |
} # End of BL() |
|
####################################################### |
## Function "cron" ## |
## "cron" ## |
## - write all cron & anacron files ## |
####################################################### |
cron() |
1851,7 → 1853,7 |
} # End of cron() |
|
######################################################################## |
## Fonction "Fail2Ban" ## |
## "Fail2Ban" ## |
##- Adapt conf file to ALCASAR ## |
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ## |
######################################################################## |
1952,11 → 1954,11 |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service |
} # End of fail2ban() |
|
######################################################### |
## Fonction "gammu_smsd" ## |
######################################################## |
## "gammu_smsd" ## |
## - Creating of SMS management database ## |
## - Write the gammu a gammu_smsd conf files ## |
######################################################### |
######################################################## |
gammu_smsd() |
{ |
# Create 'gammu' system user |
2041,12 → 2043,12 |
|
} # End of gammu_smsd() |
|
############################################################ |
## Fonction "msec" ## |
######################################################## |
## "msec" ## |
## - Apply the "fileserver" security level ## |
## - remove the "system request" for rebooting ## |
## - Fix several file permissions ## |
############################################################ |
######################################################## |
msec() |
{ |
|
2127,6 → 2129,27 |
} # End of letsencrypt() |
|
################################################################## |
## "mail_service" ## |
## - Install mail service for email registration method ## |
################################################################## |
mail_service() |
{ |
[ -e /etc/postfix/main.cf.default ] || cp /etc/postfix/main.cf /etc/postfix/main.cf.default |
cat << EOT >> /etc/postfix/main.cf |
myhostname = $HOSTNAME.$DOMAIN |
# Enable SASL authentication |
smtp_sasl_auth_enable = yes |
# Disallow methods that allow anonymous authentication |
smtp_sasl_security_options = noanonymous |
# Location of sasl_passwd |
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd |
EOT |
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
} # end of mail_service |
|
################################################################## |
## Fonction "post_install" ## |
## - Modifying banners (locals et ssh) & prompts ## |
## - SSH config ## |
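Review bot: mail_service appends its settings with `cat << EOT >> /etc/postfix/main.cf` on every invocation, but the function is also in the list executed when the script runs with mode="update" (last hunk), so each re-run adds another myhostname/smtp_sasl_* set and the main.cf.default backup is taken but never restored. Making it idempotent is one extra line after the backup, `cp -f /etc/postfix/main.cf.default /etc/postfix/main.cf`, so the appended block always lands on the pristine file. Separately, the block turns on SASL client auth without `smtp_tls_security_level = encrypt`; with PLAIN/LOGIN mechanisms the sasl_passwd credentials can go over an unencrypted session if the relay offers AUTH before STARTTLS. Nothing in the hunk creates, postmaps or chmods /etc/postfix/sasl/sasl_passwd, so wherever it is written (presumably the ACC) it needs to be root-owned mode 0600 since it holds the relay password. The update-mode code path itself is outside this hunk, so the re-run behaviour is inferred from the function list rather than seen.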
2148,10 → 2171,6 |
# sshd authorized certificate for root login |
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config |
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config |
|
# postfix banner anonymisation |
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf |
chown -R postfix:postfix /var/lib/postfix |
# ALCASAR conf file |
echo "HTTPS_LOGIN=off" >> $CONF_FILE |
echo "HTTPS_CHILLI=off" >> $CONF_FILE |
2353,7 → 2372,7 |
exit 0 |
;; |
-i | --install) |
for func in license testing_system testing_network |
for func in license system_testing network_testing |
do |
header_install |
$func |
2440,7 → 2459,7 |
fi |
mode="update" |
fi |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |