Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2519 → Rev 2521

/alcasar.sh
18,7 → 18,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
 
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
 
# Options :
# -i or --install
34,7 → 34,7
# init_db : Initilization of radius database managed with MariaDB
# freeradius : FreeRadius initialisation
# chilli : coovachilli initialisation (+authentication page)
# dansguardian : DansGuardian filtering HTTP proxy configuration
# e2guardian : E2Guardian filtering HTTP proxy configuration
# antivirus : HAVP + libclamav configuration
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
# ulogd : log system in userland (match NFLOG target of iptables)
41,7 → 41,7
# nfsen : Configuration of Nfsen Netflow grapher
# dnsmasq : Name server configuration
# vnstat : little network stat daemon
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
# cron : Logs export + watchdog + connexion statistics
# fail2ban : Fail2ban IDS installation and configuration
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
61,7 → 61,7
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
DIR_WEB="/var/www/html" # directory of Lighttpd
DIR_DG="/etc/dansguardian" # directory of DansGuardian
DIR_DG="/etc/e2guardian" # directory of E2Guardian
DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
1225,52 → 1225,52
} # End of chilli ()
 
##################################################################
## Function "dansguardian" ##
## Function "e2guardian" ##
## - Set the parameters of this HTML proxy (as controler) ##
##################################################################
dansguardian ()
e2guardian ()
{
mkdir -p /var/dansguardian /var/log/dansguardian
chown -R dansguardian /var/dansguardian /var/log/dansguardian
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
mkdir -p /var/e2guardian /var/log/e2guardian
chown -R e2guardian /var/e2guardian /var/log/e2guardian
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
# By default the filter is off
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
# French deny HTML page
$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
# Listen only on LAN side
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
# DG send its flow to HAVP
$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
# replace the default deny HTML page
cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
# Don't log
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
# # Change the default report page
$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/dansguardian.conf
$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
# Disable HTML content control
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
# Disable URL control with regex
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
# Configure Dansguardian for large site
# Configure E2guardian for large site
# Minimum number of processus to handle connections
$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/dansguardian.conf
$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
# Maximum number of processus to handle connections
$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/dansguardian.conf
$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
# Run at least 8 daemons
$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
# minimum number of processes to spawn
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
# maximum age of a child process before it croaks it
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
# Disable download files control
[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
touch $DIR_DG/lists/bannedextensionlist
1283,7 → 1283,7
# Keep a copy of URL & domain filter configuration files
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
} # End of dansguardian ()
} # End of e2guardian ()
 
##################################################################
## Function "antivirus" ##
1631,12 → 1631,12
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
touch $DIR_DG/lists/exceptionsitelist
touch $DIR_DG/lists/exceptionurllist
# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
cat <<EOF > $DIR_DG/lists/bannedurllist
# Dansguardian filter config for ALCASAR
# E2guardian filter config for ALCASAR
EOF
cat <<EOF > $DIR_DG/lists/bannedsitelist
# Dansguardian domain filter config for ALCASAR
# E2guardian domain filter config for ALCASAR
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
#**
# block all SSL and CONNECT tunnels
1667,7 → 1667,7
cp $DIR_BLACKLIST/$x $DIR_DG/lists/blacklists/ossi-bl-$x/domains
echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
done
chown -R dansguardian:apache $DIR_DG
chown -R e2guardian:apache $DIR_DG
chown -R root:apache $DIR_DEST_SHARE
chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
# adapt the Toulouse BL to ALCASAR architecture
1995,7 → 1995,7
# Log compression
$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
# actualisation des fichiers logs compressés
for dir in firewall dansguardian lighttpd
for dir in firewall e2guardian lighttpd
do
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
done
2025,7 → 2025,7
WantedBy=multi-user.target
EOF
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
do
/usr/bin/systemctl -q enable $i.service
done
2241,7 → 2241,7
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
mode="update"
fi
for func in init network ACC CA time_server init_db freeradius chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]