Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2774 → Rev 2775

/alcasar.sh
38,7 → 38,7
# antivirus : HAVP + libclamav configuration
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
# ulogd : log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Nfsen Netflow grapher
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
# unbound : Name server configuration
# dnsmasq : Name server configuration (for whitelist ipset support)
# vnstat : little network stat daemon
764,8 → 764,6
CA()
{
$DIR_DEST_BIN/alcasar-CA.sh
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
} # End of CA()
 
###################################################
1083,7 → 1081,7
ExecStart=/usr/libexec/chilli start
ExecStop=/usr/libexec/chilli stop
ExecReload=/usr/libexec/chilli reload
PIDFile=/var/run/chilli.pid
PIDFile=/run/chilli.pid
 
[Install]
WantedBy=multi-user.target
1111,7 → 1109,7
[ -f /usr/sbin/chilli ] || exit 0
. /etc/init.d/functions
CONFIG=/etc/chilli.conf
pidfile=/var/run/chilli.pid
pidfile=/run/chilli.pid
[ -f \$CONFIG ] || {
echo "\$CONFIG Not found"
exit 0
1126,7 → 1124,7
else
gprintf "Starting \$prog: "
echo '' > \$current_users_file && chown apache:apache \$current_users_file
rm -f /var/run/chilli* # cleaning
rm -f /run/chilli* # cleaning
/usr/sbin/modprobe tun >/dev/null 2>&1
echo 1 > /proc/sys/net/ipv4/ip_forward
[ -e /dev/net/tun ] || {
1194,9 → 1192,9
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
cat <<EOF > /etc/chilli.conf
# coova config for ALCASAR
cmdsocket /var/run/chilli.sock
cmdsocket /run/chilli.sock
unixipc chilli.$INTIF.ipc
pidfile /var/run/chilli.pid
pidfile /run/chilli.pid
net $PRIVATE_NETWORK_MASK
dhcpif $INTIF
ethers $DIR_DEST_ETC/alcasar-ethers
1263,44 → 1261,38
################################################################
e2guardian()
{
mkdir -p /var/e2guardian /var/log/e2guardian
chown -R e2guardian /var/e2guardian /var/log/e2guardian
# Adapt systemd unit
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
 
# Adapt the main conf file
# French deny HTML page
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf
# Listen only on LAN side
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
# The port that E2guardian listens to HTTP
$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf
# The port that E2guardian listens to HTTPS
$SED "s?^transparenthttpsport =*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
# E2guardian listens on 8080 (HTTP)
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf
# E2guardian listens transparently on 8443 (HTTPS)
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf
# DG send its flow to HAVP (127.0.0.1:8090)
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
# Don't log
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
# Disable HTML content control
# Disable HTML content control (weighted & banned)
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
# ???
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
# Disable URL control with regex
# do nothing
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not)
 
# Adapt the first group file (only one for instance)
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
# Reporting (deny page) in HTML
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
 
# Replace the default deny HTML page (only fr & uk) --> search why our pages make the server crash...
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash...
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default
1316,7 → 1308,8
# Creation of ALCASAR banned site list
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
cat <<EOF > $DIR_DG/lists/bannedsitelist
# E2guardian domain filter config for ALCASAR
# E2guardian filter config for ALCASAR
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound)
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
#**
# block all SSL and CONNECT tunnels
1326,18 → 1319,18
# block all sites specified only by an IP
*ip
EOF
# Creation of ALCASAR banned URL list (empty)
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function)
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
cat <<EOF > $DIR_DG/lists/bannedurllist
# E2guardian filter config for ALCASAR
EOF
# Creation of file for the rehabilited domains and urls
# Creation of files for rehabilited domains and urls
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
touch $DIR_DG/lists/exceptionsitelist
touch $DIR_DG/lists/exceptionurllist
# Add Bing to the safesearch url regext list (parental control)
[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default
cat <<EOF >> $DIR_DG/lists/urlregexplist
# Bing - add 'adlt=strict'
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1346,6 → 1339,9
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
# change the google safesearch ("safe=strict" instead of "safe=vss")
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
# create log folder
mkdir -p /var/log/e2guardian
chown -R e2guardian /etc/e2guardian /var/log/e2guardian
} # End of e2guardian()
 
##################################################################
1363,12 → 1359,12
fi
groupadd -f havp
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav
chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp
chown -R clamav:clamav /var/log/clamav /var/lib/clamav
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
1414,8 → 1410,8
fi
groupadd -f tinyproxy
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
mkdir -p /var/run/tinyproxy /var/log/tinyproxy
chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
mkdir -p /run/tinyproxy /var/log/tinyproxy
chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1422,7 → 1418,7
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1444,9 → 1440,9
 
[Service]
Type=forking
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
ExecStartPre=/bin/sleep 2
PIDFile=/var/run/tinyproxy/tinyproxy.pid
PIDFile=/run/tinyproxy/tinyproxy.pid
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
ExecStop=/usr/bin/killall -9 tinyproxy
[Install]
1509,7 → 1505,7
[Service]
Type=exec
PIDFile=/run/nfcapd/nfcapd.pid
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /var/run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow
ExecReload=/bin/kill -HUP $MAINPID
 
[Install]
1516,9 → 1512,8
WantedBy=multi-user.target
EOF
[ -d /var/log/nfsen/profile-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profile-data/live/alcasar_netflow
[ -d /var/run/nfcapd ] || mkdir -p /var/run/nfcapd
chown -R nfcapd:nfcapd /var/log/nfsen /var/run/nfcapd
# chown -R apache:apache /var/log/nfsen/profile-data/live/alcasar_netflow
[ -d /run/nfcapd ] || mkdir -p /run/nfcapd
chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd
} # End of nfsen()
 
###########################################################
1547,7 → 1542,7
cat << EOF > /etc/dnsmasq-whitelist.conf
# Configuration file for "dnsmasq with whitelist"
# ADD Toulouse university whitelist domains
pid-file=/var/run/dnsmasq-whitelist.pid
pid-file=/run/dnsmasq-whitelist.pid
listen-address=127.0.0.1
port=55
no-dhcp-interface=lo
1565,7 → 1560,7
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
} # End of dnsmasq()
 
#########################################################
1758,7 → 1753,7
do
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
done
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
} # End of unbound()
1926,7 → 1921,7
# fail2ban unit
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
} # End of fail2ban()
 
1996,10 → 1991,10
 
[Service]
Type=forking
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
PIDFile=/var/run/gammu-smsd.pid
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid
PIDFile=/run/gammu-smsd.pid
 
[Install]
WantedBy=multi-user.target