2,7 → 2,7 |
# $Id$ |
|
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump |
# contact : info@alcasar.net |
|
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
23,7 → 23,6 |
# freeradius : FreeRadius initialisation |
# chilli : Coovachilli initialisation (+authentication page) |
# e2guardian : E2Guardian filtering HTTP proxy configuration |
# antivirus : Clamav & freshclam configuration |
# ulogd : Log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
# unbound : Name server configuration |
212,7 → 211,6 |
fi |
# Free /var (when updating) and test free space |
[ -d /var/log/netflow ] && rm -rf /var/log/netflow # remove old porttracker RRD database |
[ -d /var/lib/clamav ] && rm -rf /var/lib/clamav/* # remove old clamav database |
journalctl -q --vacuum-files 1 # remove previous journal logs |
free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'` |
if [ $free_space -lt 10 ] |
779,7 → 777,7 |
chmod 600 /etc/pki/CA/private/* |
chown -R root:apache /etc/pki/tls/private; chmod 750 /etc/pki/tls/private |
chmod 640 /etc/pki/tls/private/* |
chmod 644 /etc/pki/tls/certs/* # "freshclam" need to access to that bundle |
chmod 644 /etc/pki/tls/certs/* |
} # End of CA() |
|
###################################################### |
1307,8 → 1305,6 |
# Enable authport plugin |
$SED "s?^#authplugin = '/etc/e2guardian/authplugins/port.conf'?authplugin = '/etc/e2guardian/authplugins/port.conf'?g" $DIR_DG/e2guardian.conf |
$SED "s?^#mapauthtoports =.*?mapauthtoports = off?g" $DIR_DG/e2guardian.conf |
# Enable clamd scanner |
$SED "s?^#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'?g" $DIR_DG/e2guardian.conf |
# Set Max RAM cache to 10Mb |
$SED "s?^maxcontentramcachescansize =.*?maxcontentramcachescansize = 10240?g" $DIR_DG/e2guardian.conf |
# Set Max file size cache to 20Mb |
1390,42 → 1386,6 |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian |
} # End of e2guardian() |
|
################################################################## |
## "antivirus" ## |
## - Set the parameters of clamav and freshclam ## |
################################################################## |
antivirus() |
{ |
# Clamd unit adaptation to e2guardian |
cp /lib/systemd/system/clamav-daemon.service /etc/systemd/system/clamav-daemon.service |
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /etc/systemd/system/clamav-daemon.service |
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /etc/systemd/system/clamav-daemon.service |
$SED "s?^StandardOuput=.*?StandardOutput=journal?g" /etc/systemd/system/clamav-daemon.service |
cp /lib/systemd/system/clamav-daemon.socket /etc/systemd/system/clamav-daemon.socket |
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /etc/systemd/system/clamav-daemon.socket |
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /etc/systemd/system/clamav-daemon.socket |
# Clamd conf adaptation to e2guardian |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default |
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf |
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message |
$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf |
$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf |
$SED "s?^User.*?User e2guardian?g" /etc/clamd.conf |
$SED "s?^TemporaryDirectory.*?TemporaryDirectory /var/lib/e2guardian/tmp?g" /etc/clamd.conf |
chown -R e2guardian:e2guardian /var/log/clamav /var/lib/clamav |
chmod 775 /var/log/clamav /var/lib/clamav |
chmod 664 /var/log/clamav/* |
# update virus database every 4 hours (24h/6) |
[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default |
$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf |
$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf |
$SED "s?^DatabaseOwner.*?DatabaseOwner e2guardian?g" /etc/freshclam.conf |
$SED "/^DatabaseMirror/a DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf |
$SED "s?^MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf |
# update now |
/usr/bin/freshclam --no-warnings --quiet |
} # End of antivirus() |
|
############################################################## |
## "ulogd" ## |
## - Ulog config for multi-log files ## |
2059,9 → 2019,6 |
/etc/pki/CA/private/* root.root 600 force |
/etc/pki/tls/private/ root.apache 750 force |
/etc/pki/tls/private/* root.apache 640 force |
/var/log/clamav/ e2guardian.e2guardian 755 force |
/var/log/clamav/* e2guardian.e2guardian 764 force |
/var/lib/clamav/ e2guardian.e2guardian 755 force |
EOF |
# apply now hourly & daily checks |
/usr/sbin/msec |
2076,16 → 2033,18 |
################################################################## |
letsencrypt() |
{ |
echo "Installing Let's Encrypt client..." |
acmesh_installDir="/opt/acme.sh" |
acmesh_confDir="/usr/local/etc/letsencrypt" |
acmesh_userAgent="ALCASAR" |
# Remove potential old installers |
rm -rf /tmp/acme.sh-* |
[ -d $acmesh_confDir ] && rm -rf $acmesh_confDir |
# Extract acme.sh |
tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/ |
pwdInstall=$(pwd) |
cd /tmp/acme.sh-* || { echo "Unable to find tmp ACME directory"; exit 1; } |
acmesh_installDir="/opt/acme.sh" |
acmesh_confDir="/usr/local/etc/letsencrypt" |
acmesh_userAgent="ALCASAR" |
mkdir $acmesh_confDir ; chown root:apache $acmesh_confDir ; chmod 440 $acmesh_confDir |
mkdir $acmesh_confDir/{data,certs,ca} ; chown root:apache $acmesh_confDir/{data,certs,ca} ; chmod 440 $acmesh_confDir/{data,certs,ca} |
# Install acme.sh |
./acme.sh --install \ |
--home $acmesh_installDir \ |
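Review bot: The acme.sh client is still unpacked into the world-writable /tmp under a predictable name and then executed as root from there (`tar xzf ... -C /tmp/`, `cd /tmp/acme.sh-*`, `./acme.sh --install`); the new `rm -rf /tmp/acme.sh-*` only clears leftovers and leaves the window between that rm and the cd, in which a local user could plant a directory of that name (and a second match makes the `cd` glob expand to several arguments). Extract into a private directory instead: `acmesh_tmp=$(mktemp -d) || { echo "Unable to create tmp ACME directory"; exit 1; }`, `tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C "$acmesh_tmp"`, `cd "$acmesh_tmp"/acme.sh-* || { echo "Unable to find tmp ACME directory"; exit 1; }`, and remove `$acmesh_tmp` once the install has returned. Separately, the added `[ -d $acmesh_confDir ] && rm -rf $acmesh_confDir` discards account.conf and any issued certificates on every run, including mode="update", unless they are restored from the saved configuration archive elsewhere; that deserves at least a comment stating the intent, or a guard on the update mode. letsencrypt() continues past the end of this hunk.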
2095,7 → 2054,6 |
--accountconf $acmesh_confDir/data/account.conf \ |
--useragent $acmesh_userAgent \ |
--nocron \ |
--set-default-ca --server letsencrypt \ |
> /dev/null |
if [ $? -ne 0 ]; then |
echo "Error during installation of Let's Encrypt client (acme.sh)." |
2214,7 → 2172,7 |
done |
/usr/bin/systemctl daemon-reload |
# processes started at boot time (Systemctl) |
for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd |
for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd |
do |
/usr/bin/systemctl -q enable $i.service |
done |
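Review bot: Removing clamav-daemon and clamav-freshclam from the enable loop does not disable them on hosts where an earlier run had enabled them, so in mode="update" the clamav-daemon.service/clamav-daemon.socket overrides left in /etc/systemd/system from the previous install (unit configured to run as e2guardian, socket handed to that user) keep starting at boot although nothing in the installer configures or uses the scanner any more. Consider an explicit teardown before the loop, e.g. `/usr/bin/systemctl -q disable --now clamav-daemon.service clamav-daemon.socket clamav-freshclam.service 2>/dev/null` followed by removal of the two override units, or confirm that a package removal step elsewhere in the installer already does this. The enclosing function begins before this hunk.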
2406,13 → 2364,11 |
# Avoid some RPM automatic updates |
echo "/^kernel/" > /etc/urpmi/skip.list |
echo "/^wkhtmltopdf/" >> /etc/urpmi/skip.list |
echo "/^clamd/" >> /etc/urpmi/skip.list |
echo "/^clamav/" >> /etc/urpmi/skip.list |
echo "/^freeradius/" >> /etc/urpmi/skip.list |
if [ `egrep '^exclude=' /etc/dnf/dnf.conf |wc -l` -eq "1" ]; then |
$SED "s?^exclude=.*?exclude=kernel\* wkhtmltopdf clamd clamav freeradius?g" /etc/dnf/dnf.conf |
$SED "s?^exclude=.*?exclude=kernel\* wkhtmltopdf freeradius?g" /etc/dnf/dnf.conf |
else |
echo "exclude=kernel* wkhtmltopdf clamd clamav freeradius" >> /etc/dnf/dnf.conf |
echo "exclude=kernel* wkhtmltopdf freeradius" >> /etc/dnf/dnf.conf |
fi |
# Test if conf file |
if [ -e /var/tmp/alcasar-conf.tar.gz ] |
2459,7 → 2415,7 |
fi |
mode="update" |
fi |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install |
for func in init network CA ACC time_server init_db freeradius chilli e2guardian ulogd nfsen vnstat unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install |
do |
$func |
if [ $DEBUG_ALCASAR == "on" ] |