38,7 → 38,7 |
# antivirus : HAVP + libclamav configuration |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus" |
# ulogd : log system in userland (match NFLOG target of iptables) |
# nfsen : Configuration of Nfsen Netflow grapher |
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd) |
# unbound : Name server configuration |
# dnsmasq : Name server configuration (for whitelist ipset support) |
# vnstat : little network stat daemon |
764,8 → 764,6 |
CA() |
{ |
$DIR_DEST_BIN/alcasar-CA.sh |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
} # End of CA() |
|
################################################### |
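Review bot: With `chown -R root:apache /etc/pki` and `chmod -R 750 /etc/pki` gone (presumably the two lines this 764 hunk removes), CA() no longer restricts access to the directory holding the CA private key, so that now rests entirely on `$DIR_DEST_BIN/alcasar-CA.sh`, which is not part of this diff. If that script does not set ownership and mode itself, /etc/pki keeps whatever the package created and the key could be readable by every local account. Suggest either confirming that alcasar-CA.sh applies equivalent restrictions, or keeping a guard after the call, `chown root:apache /etc/pki` and `chmod 750 /etc/pki`, with the comment `# CA key material: readable by apache only`.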
1083,7 → 1081,7 |
ExecStart=/usr/libexec/chilli start |
ExecStop=/usr/libexec/chilli stop |
ExecReload=/usr/libexec/chilli reload |
PIDFile=/var/run/chilli.pid |
PIDFile=/run/chilli.pid |
|
[Install] |
WantedBy=multi-user.target |
1111,7 → 1109,7 |
[ -f /usr/sbin/chilli ] || exit 0 |
. /etc/init.d/functions |
CONFIG=/etc/chilli.conf |
pidfile=/var/run/chilli.pid |
pidfile=/run/chilli.pid |
[ -f \$CONFIG ] || { |
echo "\$CONFIG Not found" |
exit 0 |
1126,7 → 1124,7 |
else |
gprintf "Starting \$prog: " |
echo '' > \$current_users_file && chown apache:apache \$current_users_file |
rm -f /var/run/chilli* # cleaning |
rm -f /run/chilli* # cleaning |
/usr/sbin/modprobe tun >/dev/null 2>&1 |
echo 1 > /proc/sys/net/ipv4/ip_forward |
[ -e /dev/net/tun ] || { |
1194,9 → 1192,9 |
PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)") |
cat <<EOF > /etc/chilli.conf |
# coova config for ALCASAR |
cmdsocket /var/run/chilli.sock |
cmdsocket /run/chilli.sock |
unixipc chilli.$INTIF.ipc |
pidfile /var/run/chilli.pid |
pidfile /run/chilli.pid |
net $PRIVATE_NETWORK_MASK |
dhcpif $INTIF |
ethers $DIR_DEST_ETC/alcasar-ethers |
1263,44 → 1261,38 |
################################################################ |
e2guardian() |
{ |
mkdir -p /var/e2guardian /var/log/e2guardian |
chown -R e2guardian /var/e2guardian /var/log/e2guardian |
# Adapt systemd unit |
[ -e /lib/systemd/system/e2guardian.service.default ] || cp /lib/systemd/system/e2guardian.service /lib/systemd/system/e2guardian.service.default |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service |
[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default |
|
# Adapt the main conf file |
# French deny HTML page |
$SED "s?^language =.*?language = 'french'?g" $DIR_DG/e2guardian.conf |
# Listen only on LAN side |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf |
# The port that E2guardian listens to HTTP |
$SED "s?^filterports =*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
# The port that E2guardian listens to HTTPS |
$SED "s?^transparenthttpsport =*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf |
# E2guardian listens on 8080 (HTTP) |
$SED "s?^filterports =.*?filterports = 8080?g" $DIR_DG/e2guardian.conf |
# E2guardian listens transparently on 8443 (HTTPS) |
$SED "s?^transparenthttpsport =.*?transparenthttpsport = 8443?g" $DIR_DG/e2guardian.conf |
# DG send its flow to HAVP (127.0.0.1:8090) |
$SED "s?^#proxyip.*?proxyip = 127.0.0.1?g" $DIR_DG/e2guardian.conf |
$SED "s?^#proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf |
# Don't log |
$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf |
# Disable HTML content control |
# Disable HTML content control (weighted & banned) |
$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf |
# ??? |
cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not) |
# Disable URL control with regex |
# do nothing |
cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default |
$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (comment what is not) |
|
# Adapt the first group file (only one for instance) |
[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default |
# Reporting (deny page) in HTML |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf |
|
# Replace the default deny HTML page (only fr & uk) --> search why our pages make the server crash... |
# Replace the default deny HTML page (only fr & uk) --> !!! search why our pages make the server crash... |
# [ -e /usr/share/e2guardian/languages/french/template.html.default ] || mv /usr/share/e2guardian/languages/french/template.html /usr/share/e2guardian/languages/french/template.html.default |
# cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html |
# [ -e /usr/share/e2guardian/languages/ukenglish/template.html.default ] || mv /usr/share/e2guardian/languages/ukenglish/template.html /usr/share/e2guardian/languages/ukenglish/template.html.default |
1316,7 → 1308,8 |
# Creation of ALCASAR banned site list |
[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default |
cat <<EOF > $DIR_DG/lists/bannedsitelist |
# E2guardian domain filter config for ALCASAR |
# E2guardian filter config for ALCASAR |
# In ALCASAR E2guardian filters only URLs (domains are filtered with unbound) |
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée) |
#** |
# block all SSL and CONNECT tunnels |
1326,18 → 1319,18 |
# block all sites specified only by an IP |
*ip |
EOF |
# Creation of ALCASAR banned URL list (empty) |
# Creation of ALCASAR empty banned URLs list (filled later with Toulouse BL --> see BL function) |
[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default |
cat <<EOF > $DIR_DG/lists/bannedurllist |
# E2guardian filter config for ALCASAR |
EOF |
# Creation of file for the rehabilited domains and urls |
# Creation of files for rehabilited domains and urls |
[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default |
[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default |
touch $DIR_DG/lists/exceptionsitelist |
touch $DIR_DG/lists/exceptionurllist |
# Add Bing to the safesearch url regext list (parental control) |
[ -e $DIR_DG/lists/urlregexplist.default ] || mv $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default |
[ -e $DIR_DG/lists/urlregexplist.default ] || cp $DIR_DG/lists/urlregexplist $DIR_DG/lists/urlregexplist.default |
cat <<EOF >> $DIR_DG/lists/urlregexplist |
# Bing - add 'adlt=strict' |
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict" |
1346,6 → 1339,9 |
$SED "s?images?search?g" $DIR_DG/lists/urlregexplist |
# change the google safesearch ("safe=strict" instead of "safe=vss") |
$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist |
# create log folder |
mkdir -p /var/log/e2guardian |
chown -R e2guardian /etc/e2guardian /var/log/e2guardian |
} # End of e2guardian() |
|
################################################################## |
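Review bot: The new `chown -R e2guardian /etc/e2guardian /var/log/e2guardian` makes the filtering daemon's unprivileged user the owner of its own configuration and list files, so a compromise of the process (which parses untrusted web traffic) could rewrite the filter rules it enforces. The usual layout is root-owned config readable by the service group, e.g. `chown -R root:e2guardian /etc/e2guardian` plus `chmod -R g+rX,o-rwx /etc/e2guardian`, keeping the chown of the log directory only (assuming the package creates an e2guardian group — confirm). The added `mkdir -p /var/log/e2guardian` also repeats the mkdir at the top of e2guardian(), whose start lies in the 1263 hunk, outside this one.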
1363,12 → 1359,12 |
fi |
groupadd -f havp |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp |
mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav |
chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp |
mkdir -p /var/tmp/havp /var/log/havp /run/havp /var/log/clamav /var/lib/clamav |
chown -R havp:havp /var/tmp/havp /var/log/havp /run/havp |
chown -R clamav:clamav /var/log/clamav /var/lib/clamav |
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config |
$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile |
$SED "s?^# PIDFILE.*?PIDFILE /run/havp/havp.pid?g" /etc/havp/havp.config # pidfile |
$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode |
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback |
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback) |
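Review bot: `/run` is a tmpfs on systemd hosts, so `/run/havp` created here by `mkdir -p` at install time (and likewise `/run/tinyproxy` in the 1414 hunk and `/run/nfcapd` in the 1516 hunk) is gone after the next reboot unless the package ships a tmpfiles.d entry; the daemon then cannot write its pidfile, and for tinyproxy the new `ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy ...` in the 1444 hunk aborts the start outright. On hosts where /var/run was already a symlink to /run this is a pre-existing condition that the rename merely makes explicit rather than a regression — worth confirming on a fresh boot. The systemd-native fix is `RuntimeDirectory=havp` (respectively tinyproxy, nfcapd) with `RuntimeDirectoryMode=0750` in each unit, which recreates the directory at every start owned by the unit's User=/Group=; where the daemon drops privileges itself instead of the unit setting User=, an `ExecStartPre=/bin/mkdir -p /run/havp` before the existing chown is the minimal alternative. The havp unit itself is not in this diff.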
1414,8 → 1410,8 |
fi |
groupadd -f tinyproxy |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy |
mkdir -p /var/run/tinyproxy /var/log/tinyproxy |
chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy |
mkdir -p /run/tinyproxy /var/log/tinyproxy |
chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy |
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default |
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf |
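Review bot: The rewritten `chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy` keeps the legacy dot separator, while the 1363 hunk just above writes `chown -R havp:havp ...`; the same dot form recurs in the `ExecStartPre=` line of the 1444 hunk. Since these lines are being touched anyway, `chown -R tinyproxy:tinyproxy /run/tinyproxy /var/log/tinyproxy` (and the matching unit line) would make the script consistent and avoids the ambiguity coreutils documents for user names that contain a dot.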
1422,7 → 1418,7 |
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port |
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif) |
$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^#PidFile.*?PidFile \"/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf |
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged |
$SED "s?^#Upstream.*?Upstream http 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP |
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode |
1444,9 → 1440,9 |
|
[Service] |
Type=forking |
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy |
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy |
ExecStartPre=/bin/sleep 2 |
PIDFile=/var/run/tinyproxy/tinyproxy.pid |
PIDFile=/run/tinyproxy/tinyproxy.pid |
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf |
ExecStop=/usr/bin/killall -9 tinyproxy |
[Install] |
1509,7 → 1505,7 |
[Service] |
Type=exec |
PIDFile=/run/nfcapd/nfcapd.pid |
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /var/run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow |
ExecStart=/usr/bin/nfcapd -w -D -b 127.0.0.1 -p 2055 -u nfcapd -g nfcapd -B 200000 -t 300 -S 7 -z -P /run/nfcapd/nfcapd.pid -I alcasar_netflow -l /var/log/nfsen/profile-data/live/alcasar_netflow |
ExecReload=/bin/kill -HUP $MAINPID |
|
[Install] |
1516,9 → 1512,8 |
WantedBy=multi-user.target |
EOF |
[ -d /var/log/nfsen/profile-data/live/alcasar_netflow ] || mkdir -p /var/log/nfsen/profile-data/live/alcasar_netflow |
[ -d /var/run/nfcapd ] || mkdir -p /var/run/nfcapd |
chown -R nfcapd:nfcapd /var/log/nfsen /var/run/nfcapd |
# chown -R apache:apache /var/log/nfsen/profile-data/live/alcasar_netflow |
[ -d /run/nfcapd ] || mkdir -p /run/nfcapd |
chown -R nfcapd:nfcapd /var/log/nfsen /run/nfcapd |
} # End of nfsen() |
|
########################################################### |
1547,7 → 1542,7 |
cat << EOF > /etc/dnsmasq-whitelist.conf |
# Configuration file for "dnsmasq with whitelist" |
# ADD Toulouse university whitelist domains |
pid-file=/var/run/dnsmasq-whitelist.pid |
pid-file=/run/dnsmasq-whitelist.pid |
listen-address=127.0.0.1 |
port=55 |
no-dhcp-interface=lo |
1565,7 → 1560,7 |
mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default |
cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
} # End of dnsmasq() |
|
######################################################### |
1758,7 → 1753,7 |
do |
cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service |
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service |
done |
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service |
} # End of unbound() |
1926,7 → 1921,7 |
# fail2ban unit |
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default |
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service |
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service |
$SED '/Type=/a\PIDFile=/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service |
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service |
} # End of fail2ban() |
|
1996,10 → 1991,10 |
|
[Service] |
Type=forking |
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon |
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/run/gammu-smsd.pid --daemon |
ExecReload=/bin/kill -HUP $MAINPID |
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid |
PIDFile=/var/run/gammu-smsd.pid |
ExecStopPost=/bin/rm -f /run/gammu-smsd.pid |
PIDFile=/run/gammu-smsd.pid |
|
[Install] |
WantedBy=multi-user.target |