

Ignore whitespace Rev 2989 → Rev 2990

/alcasar.sh
12,7 → 12,8
# -i or --install
# -u or --uninstall
# Functions :
# testing : connectivity tests, free space test and mageia version test
# system_testing : Free space test and mageia version test
# network_testing : Internet connectivity tests
# init : Installation of RPM and scripts
# network : Network parameters
# ACC : ALCASAR Control Center installation
20,14 → 21,14
# time_server : NTPd configuration
# init_db : Initilization of radius database managed with MariaDB
# freeradius : FreeRadius initialisation
# chilli : coovachilli initialisation (+authentication page)
# chilli : Coovachilli initialisation (+authentication page)
# e2guardian : E2Guardian filtering HTTP proxy configuration
# antivirus : clamav & freshclam configuration
# ulogd : log system in userland (match NFLOG target of iptables)
# antivirus : Clamav & freshclam configuration
# ulogd : Log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
# unbound : Name server configuration
# dnsmasq : Name server configuration (for whitelist ipset support)
# vnstat : little network stat daemon
# vnstat : Little network stat daemon
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
# cron : Logs export + watchdog + connexion statistics
# fail2ban : Fail2ban IDS installation and configuration
34,6 → 35,7
# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
# msec : Mageia security package configuration
# letsencrypt : Let's Encrypt client
# mail_service : Mail service for email authentification method
# post_install : Security, log rotation, etc.
 
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR # Debug mode = wait (hit key) after each function
104,13 → 106,13
} # End of header_install()
 
########################################################
## Function "testing_system" ##
## "system_testing" ##
## - Test Mageia version ##
## - Test ALCASAR version (if already installed) ##
## - Test free space on /var (>10G) ##
## - Test Internet access ##
########################################################
testing_system()
system_testing()
{
# Test of Mageia version
# extract the current Mageia version and hardware architecture (i586 ou X64)
222,13 → 224,13
fi
exit 0
fi
} # End of testing_system
} # End of system_testing
 
########################################################
## Function "testing_network" ##
## - Test Internet access ##
## "network_testing" ##
## - Internet access test ##
########################################################
testing_network()
network_testing()
{
# Detect external/internal interfaces
if [ -z "$EXTIF" ]; then
393,10 → 395,10
exit 1
fi
echo ". : ok"
} # End of testing_network()
} # End of network_testing()
 
#######################################################################
## Function "init" ##
## "init" ##
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf ##
## - Creation of random password for GRUB, mariadb (admin and user) ##
#######################################################################
472,7 → 474,7
} # End of init()
 
#########################################################
## Function "network" ##
## "network" ##
## - Define the several network address ##
## - Define the DNS naming ##
## - INTIF parameters (consultation network) ##
753,7 → 755,7
} # End of network()
 
##################################################################
## Fonction "CA" ##
## "CA" ##
## - Creating the CA and the server certificate (lighttpd) ##
##################################################################
CA()
769,13 → 771,13
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle
} # End of CA()
 
###################################################
## Function "ACC" ##
## - copy ALCASAR Control Center (ACC) files ##
## - configuration of the web server (Lighttpd) ##
## - creation of the first ACC admin account ##
## - secure the ACC access ##
###################################################
######################################################
## "ACC" ##
## - copy ALCASAR Control Center (ACC) files ##
## - configuration of the web server (Lighttpd) ##
## - creation of the first ACC admin account ##
## - secure the ACC access ##
######################################################
ACC()
{
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
891,7 → 893,7
} # End of ACC()
 
#############################################################
## Function "time_server" ##
## "time_server" ##
## - Configuring NTP server ##
#############################################################
time_server()
922,7 → 924,7
} # End of time_server()
 
#####################################################################
## Function "init_db" ##
## "init_db" ##
## - Mysql initialization ##
## - Set admin (root) password ##
## - Remove unused users & databases ##
975,7 → 977,7
} # End of init_db()
 
###################################################################
## Function "freeradius" ##
## "freeradius" ##
## - Set the configuration files ##
## - Set the shared secret between coova-chilli and freeradius ##
## - Adapt the Mysql conf file and counters ##
1061,7 → 1063,7
} # End of freeradius()
 
#############################################################################
## Function "chilli" ##
## "chilli" ##
## - Creation of the conf file and init file (systemd) for coova-chilli ##
## - Adapt the authentication web page (intercept.php) ##
#############################################################################
1262,7 → 1264,7
} # End of chilli()
 
################################################################
## Function "e2guardian" ##
## "e2guardian" ##
## - Set the parameters of this HTML proxy (as controler) ##
################################################################
e2guardian()
1373,7 → 1375,7
} # End of e2guardian()
 
##################################################################
## Function "antivirus" ##
## "antivirus" ##
## - Set the parameters of clamav and freshclam ##
##################################################################
antivirus()
1408,7 → 1410,7
} # End of antivirus()
 
##############################################################
## function "ulogd" ##
## "ulogd" ##
## - Ulog config for multi-log files ##
##############################################################
ulogd()
1436,7 → 1438,7
} # End of ulogd()
 
##########################################################
## Function "nfsen" ##
## "nfsen" ##
## - configure NetFlow collector (nfcapd) ##
## - configure NetFlow grapher (nfsen-ng) ##
##########################################################
1475,17 → 1477,17
} # End of nfsen()
 
###########################################################
## Function "vnstat" ##
## "vnstat" ##
## - Initialization of vnstat and vnstat-dashboard ##
###########################################################
vnstat()
{
# vnstat
# vnstat
[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
$SED "s?^MaxBandwidth.*?MaxBandwidth 10000?g" /etc/vnstat.conf
# vnstat-dashboard
# vnstat-dashboard
$SED "s?^\$thisInterface.*?\$thisInterface = \"$EXTIF\";?" $DIR_ACC/manager/vnstat/index.php
cp /lib/systemd/system/vnstat.service /etc/systemd/system/vnstat.service
$SED "s?^PIDFile=.*?PIDFile=/run/vnstat/vnstat.pid?g" /etc/systemd/system/vnstat.service
1492,7 → 1494,7
} # End of vnstat()
 
###################################################################
## Function "dnsmasq" ##
## "dnsmasq" ##
## - creation of the conf files of dnsmasq (whitelist for ipset )##
###################################################################
dnsmasq()
1517,7 → 1519,8
server=$DNS1
server=$DNS2
EOF
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
 
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
systemctl disable dnsmasq.service
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
1525,7 → 1528,7
} # End of dnsmasq()
 
#########################################################
## Function "unbound" ##
## "unbound" ##
## - create the conf files for 4 unbound services ##
## - create the systemd files for 4 unbound services ##
#########################################################
1689,7 → 1692,6
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/blackhole/*
EOF
 
cp /lib/systemd/system/unbound.service /etc/systemd/system/unbound.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /etc/systemd/system/unbound.service
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound.service
1703,7 → 1705,7
} # End of unbound()
 
##################################################
## Function "dhcpd" ##
## "dhcpd" ##
##################################################
dhcpd()
{
1722,7 → 1724,7
} # End of dhcpd()
 
##########################################################
## Function "BL" ##
## "BL" ##
## - copy & adapt Toulouse BL to ALCASAR architecture ##
## - domain names for unbound-bl & unbound-wl ##
## - URLs for EĀ²guardian ##
1731,7 → 1733,7
##########################################################
BL()
{
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
rm -rf $DIR_DG/lists/blacklists
mkdir -p /tmp/blacklists
cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1760,7 → 1762,7
} # End of BL()
 
#######################################################
## Function "cron" ##
## "cron" ##
## - write all cron & anacron files ##
#######################################################
cron()
1851,7 → 1853,7
} # End of cron()
 
########################################################################
## Fonction "Fail2Ban" ##
## "Fail2Ban" ##
##- Adapt conf file to ALCASAR ##
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
########################################################################
1858,12 → 1860,12
fail2ban()
{
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
 
# add 5 jails and their filters
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
[sshd]
enabled = true
#enabled = false
1873,7 → 1875,7
EOF
 
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
[lighttpd-auth]
enabled = true
#enabled = false
1883,7 → 1885,7
EOF
 
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
[alcasar_mod-evasive]
#enabled = true
enabled = false
1895,7 → 1897,7
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
[Definition]
failregex = <HOST> .+\] "[^"]+" 403
ignoreregex =
1902,7 → 1904,7
EOF
 
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
[alcasar_intercept]
enabled = true
#enabled = false
1914,7 → 1916,7
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
[Definition]
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
ignoreregex =
1921,7 → 1923,7
EOF
 
## alcasar_change-pwd : ban after 5 failed user change password attempts
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
[alcasar_change-pwd]
enabled = true
#enabled = false
1933,7 → 1935,7
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
[Definition]
failregex = <HOST> .* \"POST \/password\.php
ignoreregex =
1946,17 → 1948,17
chmod 644 $DIR_SAVE/security/watchdog.log
/usr/bin/touch /var/log/auth.log
# fail2ban unit
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
cp /lib/systemd/system/fail2ban.service /etc/systemd/system/fail2ban.service
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /etc/systemd/system/fail2ban.service
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /etc/systemd/system/fail2ban.service
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /etc/systemd/system/fail2ban.service
} # End of fail2ban()
 
#########################################################
## Fonction "gammu_smsd" ##
## - Creating of SMS management database ##
## - Write the gammu a gammu_smsd conf files ##
#########################################################
########################################################
## "gammu_smsd" ##
## - Creating of SMS management database ##
## - Write the gammu a gammu_smsd conf files ##
########################################################
gammu_smsd()
{
# Create 'gammu' system user
2041,18 → 2043,18
 
} # End of gammu_smsd()
 
############################################################
## Fonction "msec" ##
## - Apply the "fileserver" security level ##
## - remove the "system request" for rebooting ##
## - Fix several file permissions ##
############################################################
########################################################
## "msec" ##
## - Apply the "fileserver" security level ##
## - remove the "system request" for rebooting ##
## - Fix several file permissions ##
########################################################
msec()
{
 
# Apply fileserver security level
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
 
# Set permissions monitoring and enforcement
cat <<EOF > /etc/security/msec/perm.local
2077,8 → 2079,8
/var/lib/clamav/ e2guardian.e2guardian 755 force
EOF
# apply now hourly & daily checks
/usr/sbin/msec
/etc/cron.weekly/msec
/usr/sbin/msec
/etc/cron.weekly/msec
 
} # End of msec()
 
2090,9 → 2092,9
letsencrypt()
{
echo "Installing Let's Encrypt client..."
# Remove potential old installers
# Remove potential old installers
rm -rf /tmp/acme.sh-*
# Extract acme.sh
# Extract acme.sh
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
pwdInstall=$(pwd)
cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2099,7 → 2101,7
acmesh_installDir="/opt/acme.sh"
acmesh_confDir="/usr/local/etc/letsencrypt"
acmesh_userAgent="ALCASAR"
# Install acme.sh
# Install acme.sh
./acme.sh --install \
--home $acmesh_installDir \
--config-home $acmesh_confDir/data \
2112,7 → 2114,7
if [ $? -ne 0 ]; then
echo "Error during installation of Let's Encrypt client (acme.sh)."
fi
# Create configuration file
# Create configuration file
cat <<EOF > /usr/local/etc/alcasar-letsencrypt
email=
dateIssueRequest=
2127,6 → 2129,27
} # End of letsencrypt()
 
##################################################################
## "mail_service" ##
## - Install mail service for email registration method ##
##################################################################
mail_service()
{
[ -e /etc/postfix/main.cf.default ] || cp /etc/postfix/main.cf /etc/postfix/main.cf.default
cat << EOT >> /etc/postfix/main.cf
myhostname = $HOSTNAME.$DOMAIN
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow methods that allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Location of sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
EOT
# postfix banner anonymisation
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
chown -R postfix:postfix /var/lib/postfix
} # end of mail_service
 
##################################################################
## Fonction "post_install" ##
## - Modifying banners (locals et ssh) & prompts ##
## - SSH config ##
2148,10 → 2171,6
# sshd authorized certificate for root login
$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
$SED "s?^X11Forwarding.*?#X11Forwarding yes?g" /etc/ssh/sshd_config
 
# postfix banner anonymisation
$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
chown -R postfix:postfix /var/lib/postfix
# ALCASAR conf file
echo "HTTPS_LOGIN=off" >> $CONF_FILE
echo "HTTPS_CHILLI=off" >> $CONF_FILE
2353,7 → 2372,7
exit 0
;;
-i | --install)
for func in license testing_system testing_network
for func in license system_testing network_testing
do
header_install
$func
2440,7 → 2459,7
fi
mode="update"
fi
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]
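Review bot: In the mail_service hunk (2127,6 → 2129,27) the SASL block is appended to /etc/postfix/main.cf with `cat << EOT >> /etc/postfix/main.cf` unconditionally, so each re-run of the function loop (which from the `mode="update"` lines just above appears to run in update mode as well) adds another copy of the `myhostname =` and `smtp_sasl_*` lines, whereas the sibling functions keep their `.default` copy and then edit in place with `$SED`, which stays idempotent. Restoring the saved default before appending keeps the same behaviour on re-runs: `cp -f /etc/postfix/main.cf.default /etc/postfix/main.cf` ahead of the heredoc (or guard it with `grep -q '^smtp_sasl_auth_enable' /etc/postfix/main.cf ||`). The new config also points `smtp_sasl_password_maps` at `hash:/etc/postfix/sasl/sasl_passwd`, a file that will hold the relay credentials, but nothing in this hunk creates it, builds its `.db` with `postmap`, or sets its mode; wherever it is written later (not visible here), it should be root-owned 0600 and `postmap` run after each change, and a short comment in mail_service saying so would save the next maintainer from guessing.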