1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 2447 2017-12-04 23:05:51Z richard $
|
2 |
# $Id: alcasar.sh 2454 2017-12-09 18:59:31Z tom.houdayer $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
|
5 |
|
6 |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
|
6 |
# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
|
7 |
# Ce programme est un logiciel libre ; This software is free and open source
|
7 |
# Ce programme est un logiciel libre ; This software is free and open source
|
8 |
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
|
8 |
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
|
9 |
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
|
9 |
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
|
10 |
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
|
10 |
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
|
11 |
# Voir la Licence Publique Générale GNU pour plus de détails.
|
11 |
# Voir la Licence Publique Générale GNU pour plus de détails.
|
12 |
|
12 |
|
13 |
# team@alcasar.net
|
13 |
# team@alcasar.net
|
14 |
|
14 |
|
15 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
15 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
16 |
# This script is distributed under the Gnu General Public License (GPL)
|
16 |
# This script is distributed under the Gnu General Public License (GPL)
|
17 |
|
17 |
|
18 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
|
18 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
|
19 |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
|
19 |
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
|
20 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
20 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
21 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
|
21 |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
|
22 |
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
|
22 |
# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
|
23 |
|
23 |
|
24 |
# Options :
|
24 |
# Options :
|
25 |
# -i or --install
|
25 |
# -i or --install
|
26 |
# -u or --uninstall
|
26 |
# -u or --uninstall
|
37 |
# chilli : coovachilli initialisation (+authentication page)
|
37 |
# chilli : coovachilli initialisation (+authentication page)
|
38 |
# dansguardian : DansGuardian filtering HTTP proxy configuration
|
38 |
# dansguardian : DansGuardian filtering HTTP proxy configuration
|
39 |
# antivirus : HAVP + libclamav configuration
|
39 |
# antivirus : HAVP + libclamav configuration
|
40 |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
|
40 |
# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
|
41 |
# ulogd : log system in userland (match NFLOG target of iptables)
|
41 |
# ulogd : log system in userland (match NFLOG target of iptables)
|
42 |
# nfsen : Configuration of Nfsen Netflow grapher
|
42 |
# nfsen : Configuration of Nfsen Netflow grapher
|
43 |
# dnsmasq : Name server configuration
|
43 |
# dnsmasq : Name server configuration
|
44 |
# vnstat : little network stat daemon
|
44 |
# vnstat : little network stat daemon
|
45 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
|
45 |
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
|
46 |
# cron : Logs export + watchdog + connexion statistics
|
46 |
# cron : Logs export + watchdog + connexion statistics
|
47 |
# fail2ban : Fail2ban IDS installation and configuration
|
47 |
# fail2ban : Fail2ban IDS installation and configuration
|
53 |
DATE=`date '+%d %B %Y - %Hh%M'`
|
53 |
DATE=`date '+%d %B %Y - %Hh%M'`
|
54 |
DATE_SHORT=`date '+%d/%m/%Y'`
|
54 |
DATE_SHORT=`date '+%d/%m/%Y'`
|
55 |
Lang=`echo $LANG|cut -c 1-2`
|
55 |
Lang=`echo $LANG|cut -c 1-2`
|
56 |
mode="install"
|
56 |
mode="install"
|
57 |
# ******* Files parameters - paramètres fichiers *********
|
57 |
# ******* Files parameters - paramètres fichiers *********
|
58 |
DIR_INSTALL=`pwd` # current directory
|
58 |
DIR_INSTALL=`pwd` # current directory
|
59 |
DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
|
59 |
DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
|
60 |
DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
|
60 |
DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
|
61 |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
|
61 |
DIR_BLACKLIST="$DIR_INSTALL/blacklist" # install directory (with blacklist files)
|
62 |
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
|
62 |
DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
|
63 |
DIR_WEB="/var/www/html" # directory of APACHE
|
63 |
DIR_WEB="/var/www/html" # directory of APACHE
|
133 |
IFS=","
|
133 |
IFS=","
|
134 |
set $fic
|
134 |
set $fic
|
135 |
for i in $*
|
135 |
for i in $*
|
136 |
do
|
136 |
do
|
137 |
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
|
137 |
if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
|
138 |
then
|
138 |
then
|
139 |
DISTRIBUTION=`echo $i|cut -d"=" -f2`
|
139 |
DISTRIBUTION=`echo $i|cut -d"=" -f2`
|
140 |
unknown_os=`expr $unknown_os + 1`
|
140 |
unknown_os=`expr $unknown_os + 1`
|
141 |
fi
|
141 |
fi
|
142 |
if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
|
142 |
if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
|
143 |
then
|
143 |
then
|
144 |
CURRENT_VERSION=`echo $i|cut -d"=" -f2`
|
144 |
CURRENT_VERSION=`echo $i|cut -d"=" -f2`
|
145 |
unknown_os=`expr $unknown_os + 1`
|
145 |
unknown_os=`expr $unknown_os + 1`
|
146 |
fi
|
146 |
fi
|
147 |
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
|
147 |
if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
|
148 |
then
|
148 |
then
|
149 |
ARCH=`echo $i|cut -d"=" -f2`
|
149 |
ARCH=`echo $i|cut -d"=" -f2`
|
150 |
unknown_os=`expr $unknown_os + 1`
|
150 |
unknown_os=`expr $unknown_os + 1`
|
151 |
fi
|
151 |
fi
|
152 |
done
|
152 |
done
|
153 |
if [ "$ARCH" == "i586" ]
|
153 |
if [ "$ARCH" == "i586" ]
|
175 |
then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
|
175 |
then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
|
176 |
else echo -n "Do you want to update (Y/n)?";
|
176 |
else echo -n "Do you want to update (Y/n)?";
|
177 |
fi
|
177 |
fi
|
178 |
read response
|
178 |
read response
|
179 |
done
|
179 |
done
|
180 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
180 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
181 |
then
|
181 |
then
|
182 |
rm -f /tmp/alcasar-conf*
|
182 |
rm -f /tmp/alcasar-conf*
|
183 |
else
|
183 |
else
|
184 |
# Retrieve former NICname
|
184 |
# Retrieve former NICname
|
185 |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
|
185 |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace
|
193 |
then
|
193 |
then
|
194 |
if [ -e /tmp/alcasar-conf.tar.gz ] # update
|
194 |
if [ -e /tmp/alcasar-conf.tar.gz ] # update
|
195 |
then
|
195 |
then
|
196 |
echo
|
196 |
echo
|
197 |
if [ $Lang == "fr" ]
|
197 |
if [ $Lang == "fr" ]
|
198 |
then
|
198 |
then
|
199 |
echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
|
199 |
echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
|
200 |
echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
|
200 |
echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
|
201 |
echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
|
201 |
echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
|
202 |
echo "3 - Importez votre base des usagers"
|
202 |
echo "3 - Importez votre base des usagers"
|
203 |
else
|
203 |
else
|
206 |
echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
|
206 |
echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
|
207 |
echo "3 - Import your users database"
|
207 |
echo "3 - Import your users database"
|
208 |
fi
|
208 |
fi
|
209 |
else
|
209 |
else
|
210 |
if [ $Lang == "fr" ]
|
210 |
if [ $Lang == "fr" ]
|
211 |
then
|
211 |
then
|
212 |
echo "L'installation d'ALCASAR ne peut pas être réalisée."
|
212 |
echo "L'installation d'ALCASAR ne peut pas être réalisée."
|
213 |
else
|
213 |
else
|
214 |
echo "The installation of ALCASAR can't be performed."
|
214 |
echo "The installation of ALCASAR can't be performed."
|
215 |
fi
|
215 |
fi
|
216 |
fi
|
216 |
fi
|
217 |
echo
|
217 |
echo
|
218 |
if [ $Lang == "fr" ]
|
218 |
if [ $Lang == "fr" ]
|
219 |
then
|
219 |
then
|
220 |
echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
|
220 |
echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
|
221 |
else
|
221 |
else
|
222 |
echo "The OS must be replaced (Mageia6-64bits)"
|
222 |
echo "The OS must be replaced (Mageia6-64bits)"
|
223 |
fi
|
223 |
fi
|
224 |
exit 0
|
224 |
exit 0
|
243 |
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
|
243 |
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
|
244 |
cd /etc/sysconfig/network-scripts/
|
244 |
cd /etc/sysconfig/network-scripts/
|
245 |
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
|
245 |
IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
|
246 |
for i in $IF_INTERFACES
|
246 |
for i in $IF_INTERFACES
|
247 |
do
|
247 |
do
|
248 |
IP_INTERFACE=`/usr/sbin/ip link|grep $i`
|
248 |
IP_INTERFACE=`/usr/sbin/ip link|grep $i`
|
249 |
if [ -z "$IP_INTERFACE" ]
|
249 |
if [ -z "$IP_INTERFACE" ]
|
250 |
then
|
250 |
then
|
251 |
rm -f ifcfg-$i
|
251 |
rm -f ifcfg-$i
|
252 |
|
252 |
|
253 |
if [ $Lang == "fr" ]
|
253 |
if [ $Lang == "fr" ]
|
254 |
then echo "Suppression : ifcfg-$i"
|
254 |
then echo "Suppression : ifcfg-$i"
|
255 |
else echo "Deleting : ifcfg-$i"
|
255 |
else echo "Deleting : ifcfg-$i"
|
256 |
fi
|
256 |
fi
|
257 |
fi
|
257 |
fi
|
258 |
done
|
258 |
done
|
259 |
cd $DIR_INSTALL
|
259 |
cd $DIR_INSTALL
|
260 |
echo -n "."
|
260 |
echo -n "."
|
261 |
# Test Ethernet NIC links state
|
261 |
# Test Ethernet NIC links state
|
262 |
DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
|
262 |
DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
|
263 |
for i in $DOWN_IF
|
263 |
for i in $DOWN_IF
|
264 |
do
|
264 |
do
|
265 |
echo $i
|
265 |
echo $i
|
266 |
if [ $Lang == "fr" ]
|
266 |
if [ $Lang == "fr" ]
|
267 |
then
|
267 |
then
|
268 |
echo "Échec"
|
268 |
echo "Échec"
|
269 |
echo "Le lien réseau de la carte $i n'est pas actif."
|
269 |
echo "Le lien réseau de la carte $i n'est pas actif."
|
270 |
echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
|
270 |
echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
|
271 |
else
|
271 |
else
|
272 |
echo "Failed"
|
272 |
echo "Failed"
|
281 |
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
|
281 |
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
|
282 |
PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
|
282 |
PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
|
283 |
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
|
283 |
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
|
284 |
then
|
284 |
then
|
285 |
if [ $Lang == "fr" ]
|
285 |
if [ $Lang == "fr" ]
|
286 |
then
|
286 |
then
|
287 |
echo "Échec"
|
287 |
echo "Échec"
|
288 |
echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
|
288 |
echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
|
289 |
echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
|
289 |
echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
|
290 |
echo "Appliquez les changements : 'systemctl restart network'"
|
290 |
echo "Appliquez les changements : 'systemctl restart network'"
|
291 |
else
|
291 |
else
|
305 |
fi
|
305 |
fi
|
306 |
echo -n "."
|
306 |
echo -n "."
|
307 |
# Test if default GW is set on EXTIF (router or ISP provider equipment)
|
307 |
# Test if default GW is set on EXTIF (router or ISP provider equipment)
|
308 |
if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
|
308 |
if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
|
309 |
if [ $Lang == "fr" ]
|
309 |
if [ $Lang == "fr" ]
|
310 |
then
|
310 |
then
|
311 |
echo "Échec"
|
311 |
echo "Échec"
|
312 |
echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
|
312 |
echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
|
313 |
echo "Réglez ce problème puis relancez ce script."
|
313 |
echo "Réglez ce problème puis relancez ce script."
|
314 |
else
|
314 |
else
|
315 |
echo "Failed"
|
315 |
echo "Failed"
|
320 |
fi
|
320 |
fi
|
321 |
echo -n "."
|
321 |
echo -n "."
|
322 |
# Test if default GW is alive
|
322 |
# Test if default GW is alive
|
323 |
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
|
323 |
arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
|
324 |
if [ $(expr $arp_reply) -eq 0 ]
|
324 |
if [ $(expr $arp_reply) -eq 0 ]
|
325 |
then
|
325 |
then
|
326 |
if [ $Lang == "fr" ]
|
326 |
if [ $Lang == "fr" ]
|
327 |
then
|
327 |
then
|
328 |
echo "Échec"
|
328 |
echo "Échec"
|
329 |
echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
|
329 |
echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
|
330 |
echo "Réglez ce problème puis relancez ce script."
|
330 |
echo "Réglez ce problème puis relancez ce script."
|
331 |
else
|
331 |
else
|
332 |
echo "Failed"
|
332 |
echo "Failed"
|
340 |
rm -rf /tmp/con_ok.html
|
340 |
rm -rf /tmp/con_ok.html
|
341 |
/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
|
341 |
/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
|
342 |
if [ ! -e /tmp/con_ok.html ]
|
342 |
if [ ! -e /tmp/con_ok.html ]
|
343 |
then
|
343 |
then
|
344 |
if [ $Lang == "fr" ]
|
344 |
if [ $Lang == "fr" ]
|
345 |
then
|
345 |
then
|
346 |
echo "La tentative de connexion vers Internet a échoué (google.fr)."
|
346 |
echo "La tentative de connexion vers Internet a échoué (google.fr)."
|
347 |
echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
|
347 |
echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
|
348 |
echo "Vérifiez la validité des adresses IP des DNS."
|
348 |
echo "Vérifiez la validité des adresses IP des DNS."
|
349 |
else
|
349 |
else
|
350 |
echo "The Internet connection try failed (google.fr)."
|
350 |
echo "The Internet connection try failed (google.fr)."
|
369 |
# On affecte le nom d'organisme
|
369 |
# On affecte le nom d'organisme
|
370 |
header_install
|
370 |
header_install
|
371 |
ORGANISME=!
|
371 |
ORGANISME=!
|
372 |
PTN='^[a-zA-Z0-9-]*$'
|
372 |
PTN='^[a-zA-Z0-9-]*$'
|
373 |
until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
|
373 |
until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
|
374 |
do
|
374 |
do
|
375 |
if [ $Lang == "fr" ]
|
375 |
if [ $Lang == "fr" ]
|
376 |
then echo -n "Entrez le nom de votre organisme : "
|
376 |
then echo -n "Entrez le nom de votre organisme : "
|
377 |
else echo -n "Enter the name of your organism : "
|
377 |
else echo -n "Enter the name of your organism : "
|
378 |
fi
|
378 |
fi
|
379 |
read ORGANISME
|
379 |
read ORGANISME
|
380 |
if [ "$ORGANISME" == "" ]
|
380 |
if [ "$ORGANISME" == "" ]
|
381 |
then
|
381 |
then
|
386 |
# On crée aléatoirement les mots de passe et les secrets partagés
|
386 |
# On crée aléatoirement les mots de passe et les secrets partagés
|
387 |
# We create random passwords and shared secrets
|
387 |
# We create random passwords and shared secrets
|
388 |
rm -f $PASSWD_FILE
|
388 |
rm -f $PASSWD_FILE
|
389 |
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
|
389 |
echo "##### ALCASAR ($ORGANISME) security passwords #####" > $PASSWD_FILE
|
390 |
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
|
390 |
grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
|
391 |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
|
391 |
pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
|
392 |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
|
392 |
LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
|
393 |
grep -v '[eE]nter password:' | \
|
393 |
grep -v '[eE]nter password:' | \
|
394 |
sed -e "s/PBKDF2 hash of your password is //"`
|
394 |
sed -e "s/PBKDF2 hash of your password is //"`
|
395 |
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
|
395 |
echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
|
396 |
[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
|
396 |
[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
|
397 |
cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry)
|
397 |
cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux # Request password only on menu editing attempts (not when selecting an entry)
|
398 |
chmod 0600 /boot/grub2/user.cfg
|
398 |
chmod 0600 /boot/grub2/user.cfg
|
399 |
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
|
399 |
echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
|
400 |
echo "GRUB2_user=root" >> $PASSWD_FILE
|
400 |
echo "GRUB2_user=root" >> $PASSWD_FILE
|
401 |
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
|
401 |
echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
|
402 |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
402 |
mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
403 |
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
|
403 |
echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
|
404 |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
|
404 |
echo "db_root=$mysqlpwd" >> $PASSWD_FILE
|
405 |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
405 |
radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
|
406 |
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
|
406 |
echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
|
473 |
else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
|
473 |
else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
|
474 |
fi
|
474 |
fi
|
475 |
read PRIVATE_IP_MASK
|
475 |
read PRIVATE_IP_MASK
|
476 |
done
|
476 |
done
|
477 |
else
|
477 |
else
|
478 |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
|
478 |
PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
|
479 |
fi
|
479 |
fi
|
480 |
else
|
480 |
else
|
481 |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
|
481 |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
|
482 |
rm -rf conf/etc/alcasar.conf
|
482 |
rm -rf conf/etc/alcasar.conf
|
483 |
fi
|
483 |
fi
|
484 |
# Define LAN side global parameters
|
484 |
# Define LAN side global parameters
|
485 |
hostnamectl set-hostname $HOSTNAME.$DOMAIN
|
485 |
hostnamectl set-hostname $HOSTNAME.$DOMAIN
|
486 |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
|
486 |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
|
488 |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
|
488 |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
|
489 |
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24)
|
489 |
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2` # network prefix (ie. 24)
|
490 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
|
490 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
|
491 |
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
|
491 |
if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
|
492 |
then
|
492 |
then
|
493 |
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
|
493 |
PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
|
494 |
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
|
494 |
PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
|
495 |
fi
|
495 |
fi
|
496 |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address
|
496 |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address
|
497 |
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
|
497 |
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
|
498 |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
|
498 |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
|
499 |
classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
|
499 |
classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
|
500 |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
|
500 |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
|
524 |
for i in $INTERFACES
|
524 |
for i in $INTERFACES
|
525 |
do
|
525 |
do
|
526 |
SUB=`echo ${i:0:2}`
|
526 |
SUB=`echo ${i:0:2}`
|
527 |
if [ $SUB = "wl" ]
|
527 |
if [ $SUB = "wl" ]
|
528 |
then WIFIF=$i
|
528 |
then WIFIF=$i
|
529 |
elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
|
529 |
elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
|
530 |
then LANIF=$i
|
530 |
then LANIF=$i
|
531 |
fi
|
531 |
fi
|
532 |
done
|
532 |
done
|
533 |
|
533 |
|
534 |
if [ -n "$WIFIF" ]
|
534 |
if [ -n "$WIFIF" ]
|
535 |
then echo "WIFIF=$WIFIF" >> $CONF_FILE
|
535 |
then echo "WIFIF=$WIFIF" >> $CONF_FILE
|
536 |
elif [ -n "$LANIF" ]
|
536 |
elif [ -n "$LANIF" ]
|
537 |
then echo "LANIF=$LANIF" >> $CONF_FILE
|
537 |
then echo "LANIF=$LANIF" >> $CONF_FILE
|
538 |
fi
|
538 |
fi
|
539 |
#########################################################################################################
|
539 |
#########################################################################################################
|
540 |
|
540 |
|
541 |
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # IP setting (static or dynamic)
|
541 |
IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # IP setting (static or dynamic)
|
542 |
if [ $IP_SETTING == "dhcp" ]
|
542 |
if [ $IP_SETTING == "dhcp" ]
|
543 |
then
|
543 |
then
|
544 |
echo "PUBLIC_IP=dhcp" >> $CONF_FILE
|
544 |
echo "PUBLIC_IP=dhcp" >> $CONF_FILE
|
545 |
echo "GW=dhcp" >> $CONF_FILE
|
545 |
echo "GW=dhcp" >> $CONF_FILE
|
588 |
IPV6TO4INIT=no
|
588 |
IPV6TO4INIT=no
|
589 |
ACCOUNTING=no
|
589 |
ACCOUNTING=no
|
590 |
USERCTL=no
|
590 |
USERCTL=no
|
591 |
MTU=$MTU
|
591 |
MTU=$MTU
|
592 |
EOF
|
592 |
EOF
|
593 |
else
|
593 |
else
|
594 |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
|
594 |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
|
595 |
DEVICE=$EXTIF
|
595 |
DEVICE=$EXTIF
|
596 |
BOOTPROTO=static
|
596 |
BOOTPROTO=static
|
597 |
IPADDR=$PUBLIC_IP
|
597 |
IPADDR=$PUBLIC_IP
|
598 |
NETMASK=$PUBLIC_NETMASK
|
598 |
NETMASK=$PUBLIC_NETMASK
|
664 |
IPV6TO4INIT=no
|
664 |
IPV6TO4INIT=no
|
665 |
ACCOUNTING=no
|
665 |
ACCOUNTING=no
|
666 |
USERCTL=no
|
666 |
USERCTL=no
|
667 |
EOF
|
667 |
EOF
|
668 |
fi
|
668 |
fi
|
669 |
#########################################################################################################
|
669 |
#########################################################################################################
|
670 |
# Renseignement des fichiers hosts.allow et hosts.deny
|
670 |
# Renseignement des fichiers hosts.allow et hosts.deny
|
671 |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default
|
671 |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default
|
672 |
cat <<EOF > /etc/hosts.allow
|
672 |
cat <<EOF > /etc/hosts.allow
|
673 |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
|
673 |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
|
674 |
sshd: ALL
|
674 |
sshd: ALL
|
689 |
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
|
689 |
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
|
690 |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
|
690 |
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
|
691 |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
|
691 |
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
|
692 |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
|
692 |
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
|
693 |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
|
693 |
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
|
694 |
#
|
694 |
#
|
695 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
695 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
696 |
} # End of network ()
|
696 |
} # End of network ()
|
697 |
|
697 |
|
698 |
##################################################################
|
698 |
##################################################################
|
699 |
## Function "ACC" ##
|
699 |
## Function "ACC" ##
|
817 |
PTN='^[a-zA-Z0-9-]*$'
|
817 |
PTN='^[a-zA-Z0-9-]*$'
|
818 |
until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
|
818 |
until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
|
819 |
do
|
819 |
do
|
820 |
header_install
|
820 |
header_install
|
821 |
if [ $Lang == "fr" ]
|
821 |
if [ $Lang == "fr" ]
|
822 |
then
|
822 |
then
|
823 |
echo ""
|
823 |
echo ""
|
824 |
echo "Définissez un premier compte d'administration d'ALCASAR :"
|
824 |
echo "Définissez un premier compte d'administration d'ALCASAR :"
|
825 |
echo
|
825 |
echo
|
826 |
echo -n "Nom : "
|
826 |
echo -n "Nom : "
|
827 |
else
|
827 |
else
|
867 |
Deny from all
|
867 |
Deny from all
|
868 |
Allow from 127.0.0.1
|
868 |
Allow from 127.0.0.1
|
869 |
Allow from $PRIVATE_NETWORK_MASK
|
869 |
Allow from $PRIVATE_NETWORK_MASK
|
870 |
require valid-user
|
870 |
require valid-user
|
871 |
AuthType digest
|
871 |
AuthType digest
|
872 |
AuthName "ALCASAR Control Center (ACC)"
|
872 |
AuthName "ALCASAR Control Center (ACC)"
|
873 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
873 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
874 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
874 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
875 |
AuthUserFile $DIR_DEST_ETC/digest/key_all
|
875 |
AuthUserFile $DIR_DEST_ETC/digest/key_all
|
876 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
876 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
877 |
</Directory>
|
877 |
</Directory>
|
882 |
Deny from all
|
882 |
Deny from all
|
883 |
Allow from 127.0.0.1
|
883 |
Allow from 127.0.0.1
|
884 |
Allow from $PRIVATE_NETWORK_MASK
|
884 |
Allow from $PRIVATE_NETWORK_MASK
|
885 |
require valid-user
|
885 |
require valid-user
|
886 |
AuthType digest
|
886 |
AuthType digest
|
887 |
AuthName "ALCASAR Control Center (ACC)"
|
887 |
AuthName "ALCASAR Control Center (ACC)"
|
888 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
888 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
889 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
889 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
890 |
AuthUserFile $DIR_DEST_ETC/digest/key_admin
|
890 |
AuthUserFile $DIR_DEST_ETC/digest/key_admin
|
891 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
891 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
892 |
</Directory>
|
892 |
</Directory>
|
897 |
Deny from all
|
897 |
Deny from all
|
898 |
Allow from 127.0.0.1
|
898 |
Allow from 127.0.0.1
|
899 |
Allow from $PRIVATE_NETWORK_MASK
|
899 |
Allow from $PRIVATE_NETWORK_MASK
|
900 |
require valid-user
|
900 |
require valid-user
|
901 |
AuthType digest
|
901 |
AuthType digest
|
902 |
AuthName "ALCASAR Control Center (ACC)"
|
902 |
AuthName "ALCASAR Control Center (ACC)"
|
903 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
903 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
904 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
904 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
905 |
AuthUserFile $DIR_DEST_ETC/digest/key_manager
|
905 |
AuthUserFile $DIR_DEST_ETC/digest/key_manager
|
906 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
906 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
907 |
</Directory>
|
907 |
</Directory>
|
912 |
Deny from all
|
912 |
Deny from all
|
913 |
Allow from 127.0.0.1
|
913 |
Allow from 127.0.0.1
|
914 |
Allow from $PRIVATE_NETWORK_MASK
|
914 |
Allow from $PRIVATE_NETWORK_MASK
|
915 |
require valid-user
|
915 |
require valid-user
|
916 |
AuthType digest
|
916 |
AuthType digest
|
917 |
AuthName "ALCASAR Control Center (ACC)"
|
917 |
AuthName "ALCASAR Control Center (ACC)"
|
918 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
918 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
919 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
919 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
920 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
920 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
921 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
921 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
922 |
</Directory>
|
922 |
</Directory>
|
Line 928... |
Line 928... |
928 |
Deny from all
|
928 |
Deny from all
|
929 |
Allow from 127.0.0.1
|
929 |
Allow from 127.0.0.1
|
930 |
Allow from $PRIVATE_NETWORK_MASK
|
930 |
Allow from $PRIVATE_NETWORK_MASK
|
931 |
require valid-user
|
931 |
require valid-user
|
932 |
AuthType digest
|
932 |
AuthType digest
|
933 |
AuthName "ALCASAR Control Center (ACC)"
|
933 |
AuthName "ALCASAR Control Center (ACC)"
|
934 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
934 |
AuthDigestDomain $HOSTNAME.$DOMAIN
|
935 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
935 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
936 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
936 |
ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
|
937 |
</Directory>
|
937 |
</Directory>
|
938 |
EOF
|
938 |
EOF
|
Line 1048... |
Line 1048... |
1048 |
MYSQL="/usr/bin/mysql --execute"
|
1048 |
MYSQL="/usr/bin/mysql --execute"
|
1049 |
# Secure the server
|
1049 |
# Secure the server
|
1050 |
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
|
1050 |
$MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
|
1051 |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
|
1051 |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
|
1052 |
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
|
1052 |
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
|
1053 |
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
|
1053 |
$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
|
1054 |
# Create 'radius' database
|
1054 |
# Create 'radius' database
|
1055 |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
|
1055 |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
|
1056 |
# Add an empty radius database structure
|
1056 |
# Add an empty radius database structure
|
1057 |
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
|
1057 |
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
|
1058 |
# modify the start script in order to close accounting connexion when the system is comming down or up
|
1058 |
# modify the start script in order to close accounting connexion when the system is comming down or up
|
Line 1086... |
Line 1086... |
1086 |
cat << EOF > /etc/raddb/clients.conf
|
1086 |
cat << EOF > /etc/raddb/clients.conf
|
1087 |
client localhost {
|
1087 |
client localhost {
|
1088 |
ipaddr = 127.0.0.1
|
1088 |
ipaddr = 127.0.0.1
|
1089 |
secret = $secretradius
|
1089 |
secret = $secretradius
|
1090 |
shortname = chilli
|
1090 |
shortname = chilli
|
1091 |
nas_type = other
|
1091 |
nas_type = other
|
1092 |
}
|
1092 |
}
|
1093 |
EOF
|
1093 |
EOF
|
1094 |
# Set Virtual server (remvove all except "alcasar virtual site")
|
1094 |
# Set Virtual server (remvove all except "alcasar virtual site")
|
1095 |
rm -f /etc/raddb/sites-enabled/*
|
1095 |
rm -f /etc/raddb/sites-enabled/*
|
1096 |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
|
1096 |
cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
|
1097 |
chown radius:apache /etc/raddb/sites-available/alcasar
|
1097 |
chown radius:apache /etc/raddb/sites-available/alcasar
|
1098 |
chmod 660 /etc/raddb/sites-available/alcasar
|
1098 |
chmod 660 /etc/raddb/sites-available/alcasar
|
1099 |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
|
1099 |
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
|
1100 |
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
|
1100 |
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
|
1101 |
|
1101 |
|
1102 |
# Set modules
|
1102 |
# Set modules
|
1103 |
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
|
1103 |
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
|
1104 |
rm -rf /etc/raddb/mods-enabled/*
|
1104 |
rm -rf /etc/raddb/mods-enabled/*
|
1105 |
for mods in sql sqlcounter attr_filter expiration logintime pap expr
|
1105 |
for mods in sql sqlcounter attr_filter expiration logintime pap expr
|
1106 |
do
|
1106 |
do
|
1107 |
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
|
1107 |
ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
|
1108 |
done
|
1108 |
done
|
1109 |
# Configure SQL mod
|
1109 |
# Configure SQL mod
|
1110 |
[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
|
1110 |
[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
|
1111 |
$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
|
1111 |
$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
|
1112 |
$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
|
1112 |
$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
|
1113 |
$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
|
1113 |
$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
|
1114 |
$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
|
1114 |
$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
|
1115 |
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
|
1115 |
$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
|
1116 |
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
|
1116 |
$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
|
1117 |
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
|
1117 |
$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
|
1118 |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
|
1118 |
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
|
1119 |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
|
1119 |
[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
|
1120 |
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
1120 |
cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
1121 |
chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
1121 |
chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
|
1122 |
# sqlcounter modifications
|
1122 |
# sqlcounter modifications
|
1123 |
[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
|
1123 |
[ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
|
Line 1150... |
Line 1150... |
1150 |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
|
1150 |
[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
|
1151 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
1151 |
$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
|
1152 |
/usr/bin/systemctl daemon-reload
|
1152 |
/usr/bin/systemctl daemon-reload
|
1153 |
# Allow apache to change some conf files (ie : ldap on/off)
|
1153 |
# Allow apache to change some conf files (ie : ldap on/off)
|
1154 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1154 |
chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
|
1155 |
|
1155 |
|
1156 |
} # End freeradius ()
|
1156 |
} # End freeradius ()
|
1157 |
|
1157 |
|
1158 |
#############################################################################
|
1158 |
#############################################################################
|
1159 |
## Fonction "chilli" ##
|
1159 |
## Fonction "chilli" ##
|
1160 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
1160 |
## - Creation of the conf file and init file (systemd) for coova-chilli ##
|
Line 1193... |
Line 1193... |
1193 |
#
|
1193 |
#
|
1194 |
# chkconfig: 2345 65 35
|
1194 |
# chkconfig: 2345 65 35
|
1195 |
# description: CoovaChilli
|
1195 |
# description: CoovaChilli
|
1196 |
### BEGIN INIT INFO
|
1196 |
### BEGIN INIT INFO
|
1197 |
# Provides: chilli
|
1197 |
# Provides: chilli
|
1198 |
# Required-Start: network
|
1198 |
# Required-Start: network
|
1199 |
# Should-Start:
|
1199 |
# Should-Start:
|
1200 |
# Required-Stop: network
|
1200 |
# Required-Stop: network
|
1201 |
# Should-Stop:
|
1201 |
# Should-Stop:
|
1202 |
# Default-Start: 2 3 5
|
1202 |
# Default-Start: 2 3 5
|
1203 |
# Default-Stop:
|
1203 |
# Default-Stop:
|
1204 |
# Description: CoovaChilli access controller
|
1204 |
# Description: CoovaChilli access controller
|
1205 |
### END INIT INFO
|
1205 |
### END INIT INFO
|
1206 |
|
1206 |
|
Line 1215... |
Line 1215... |
1215 |
current_users_file="/var/tmp/havp/current_users.txt" # file containing active users
|
1215 |
current_users_file="/var/tmp/havp/current_users.txt" # file containing active users
|
1216 |
RETVAL=0
|
1216 |
RETVAL=0
|
1217 |
prog="chilli"
|
1217 |
prog="chilli"
|
1218 |
case \$1 in
|
1218 |
case \$1 in
|
1219 |
start)
|
1219 |
start)
|
1220 |
if [ -f \$pidfile ] ; then
|
1220 |
if [ -f \$pidfile ] ; then
|
1221 |
gprintf "chilli is already running"
|
1221 |
gprintf "chilli is already running"
|
1222 |
else
|
1222 |
else
|
1223 |
gprintf "Starting \$prog: "
|
1223 |
gprintf "Starting \$prog: "
|
1224 |
echo '' > \$current_users_file && chown apache:apache \$current_users_file
|
1224 |
echo '' > \$current_users_file && chown apache:apache \$current_users_file
|
1225 |
rm -f /var/run/chilli* # cleaning
|
1225 |
rm -f /var/run/chilli* # cleaning
|
1226 |
/usr/sbin/modprobe tun >/dev/null 2>&1
|
1226 |
/usr/sbin/modprobe tun >/dev/null 2>&1
|
1227 |
echo 1 > /proc/sys/net/ipv4/ip_forward
|
1227 |
echo 1 > /proc/sys/net/ipv4/ip_forward
|
1228 |
[ -e /dev/net/tun ] || {
|
1228 |
[ -e /dev/net/tun ] || {
|
1229 |
(cd /dev;
|
1229 |
(cd /dev;
|
1230 |
mkdir net;
|
1230 |
mkdir net;
|
1231 |
cd net;
|
1231 |
cd net;
|
1232 |
mknod tun c 10 200)
|
1232 |
mknod tun c 10 200)
|
1233 |
}
|
1233 |
}
|
1234 |
ifconfig $INTIF 0.0.0.0
|
1234 |
ifconfig $INTIF 0.0.0.0
|
1235 |
/usr/sbin/ethtool -K $INTIF gro off
|
1235 |
/usr/sbin/ethtool -K $INTIF gro off
|
1236 |
daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
|
1236 |
daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
|
Line 1252... |
Line 1252... |
1252 |
status chilli
|
1252 |
status chilli
|
1253 |
RETVAL=0
|
1253 |
RETVAL=0
|
1254 |
;;
|
1254 |
;;
|
1255 |
|
1255 |
|
1256 |
stop)
|
1256 |
stop)
|
1257 |
if [ -f \$pidfile ] ; then
|
1257 |
if [ -f \$pidfile ] ; then
|
1258 |
gprintf "Shutting down \$prog: "
|
1258 |
gprintf "Shutting down \$prog: "
|
1259 |
killproc /usr/sbin/chilli
|
1259 |
killproc /usr/sbin/chilli
|
1260 |
RETVAL=\$?
|
1260 |
RETVAL=\$?
|
1261 |
[ \$RETVAL = 0 ] && rm -f \$pidfile
|
1261 |
[ \$RETVAL = 0 ] && rm -f \$pidfile
|
1262 |
[ -e \$current_users_file ] && rm -f \$current_users_file
|
1262 |
[ -e \$current_users_file ] && rm -f \$current_users_file
|
1263 |
else
|
1263 |
else
|
1264 |
gprintf "chilli is not running"
|
1264 |
gprintf "chilli is not running"
|
1265 |
fi
|
1265 |
fi
|
1266 |
;;
|
1266 |
;;
|
1267 |
|
1267 |
|
1268 |
*)
|
1268 |
*)
|
Line 1277... |
Line 1277... |
1277 |
[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
|
1277 |
[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
|
1278 |
#NTP Option configuration for DHCP
|
1278 |
#NTP Option configuration for DHCP
|
1279 |
#DHCP Options : rfc2132
|
1279 |
#DHCP Options : rfc2132
|
1280 |
#dhcp option value will be convert in hexa.
|
1280 |
#dhcp option value will be convert in hexa.
|
1281 |
#NTP option (or 'option 42') is like :
|
1281 |
#NTP option (or 'option 42') is like :
|
1282 |
#
|
1282 |
#
|
1283 |
# Code Len Address 1 Address 2
|
1283 |
# Code Len Address 1 Address 2
|
1284 |
# +-----+-----+-----+-----+-----+-----+-----+-----+--
|
1284 |
# +-----+-----+-----+-----+-----+-----+-----+-----+--
|
1285 |
# | 42 | n | a1 | a2 | a3 | a4 | a1 | a2 | ...
|
1285 |
# | 42 | n | a1 | a2 | a3 | a4 | a1 | a2 | ...
|
1286 |
# +-----+-----+-----+-----+-----+-----+-----+-----+--
|
1286 |
# +-----+-----+-----+-----+-----+-----+-----+-----+--
|
1287 |
#
|
1287 |
#
|
Line 1344... |
Line 1344... |
1344 |
$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
|
1344 |
$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
|
1345 |
# user 'chilli' creation (in order to run conup/off and up/down scripts
|
1345 |
# user 'chilli' creation (in order to run conup/off and up/down scripts
|
1346 |
chilli_exist=`grep -c ^chilli: /etc/passwd`
|
1346 |
chilli_exist=`grep -c ^chilli: /etc/passwd`
|
1347 |
if [ "$chilli_exist" == "1" ]
|
1347 |
if [ "$chilli_exist" == "1" ]
|
1348 |
then
|
1348 |
then
|
1349 |
userdel -r chilli 2>/dev/null
|
1349 |
userdel -r chilli 2>/dev/null
|
1350 |
fi
|
1350 |
fi
|
1351 |
groupadd -f chilli
|
1351 |
groupadd -f chilli
|
1352 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
1352 |
useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
|
1353 |
} # End of chilli ()
|
1353 |
} # End of chilli ()
|
1354 |
|
1354 |
|
Line 1361... |
Line 1361... |
1361 |
mkdir -p /var/dansguardian /var/log/dansguardian
|
1361 |
mkdir -p /var/dansguardian /var/log/dansguardian
|
1362 |
chown -R dansguardian /var/dansguardian /var/log/dansguardian
|
1362 |
chown -R dansguardian /var/dansguardian /var/log/dansguardian
|
1363 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
|
1363 |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
|
1364 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
|
1364 |
$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
|
1365 |
[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
|
1365 |
[ -e $DIR_DG/dansguardian.conf.default ] || cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
|
1366 |
# By default the filter is off
|
1366 |
# By default the filter is off
|
1367 |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
|
1367 |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
|
1368 |
# French deny HTML page
|
1368 |
# French deny HTML page
|
1369 |
$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
|
1369 |
$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
|
1370 |
# Listen only on LAN side
|
1370 |
# Listen only on LAN side
|
1371 |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
|
1371 |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
|
Line 1393... |
Line 1393... |
1393 |
$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
|
1393 |
$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/dansguardian.conf
|
1394 |
# minimum number of processes to spawn
|
1394 |
# minimum number of processes to spawn
|
1395 |
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
|
1395 |
$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/dansguardian.conf
|
1396 |
# maximum age of a child process before it croaks it
|
1396 |
# maximum age of a child process before it croaks it
|
1397 |
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
|
1397 |
$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/dansguardian.conf
|
1398 |
|
1398 |
|
1399 |
# on désactive par défaut le contrôle de téléchargement de fichiers
|
1399 |
# on désactive par défaut le contrôle de téléchargement de fichiers
|
1400 |
[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
|
1400 |
[ -e $DIR_DG/dansguardianf1.conf.default ] || cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
|
1401 |
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
|
1401 |
$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
|
1402 |
[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
|
1402 |
[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
|
1403 |
[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
|
1403 |
[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
|
Line 1415... |
Line 1415... |
1415 |
|
1415 |
|
1416 |
##################################################################
|
1416 |
##################################################################
|
1417 |
## Fonction "antivirus" ##
|
1417 |
## Fonction "antivirus" ##
|
1418 |
## - configuration of havp, libclamav and freshclam ##
|
1418 |
## - configuration of havp, libclamav and freshclam ##
|
1419 |
##################################################################
|
1419 |
##################################################################
|
1420 |
antivirus ()
|
1420 |
antivirus ()
|
1421 |
{
|
1421 |
{
|
1422 |
# create 'havp' user
|
1422 |
# create 'havp' user
|
1423 |
havp_exist=`grep -c ^havp: /etc/passwd`
|
1423 |
havp_exist=`grep -c ^havp: /etc/passwd`
|
1424 |
if [ "$havp_exist" == "1" ]
|
1424 |
if [ "$havp_exist" == "1" ]
|
1425 |
then
|
1425 |
then
|
1426 |
userdel -r havp 2>/dev/null
|
1426 |
userdel -r havp 2>/dev/null
|
1427 |
groupdel havp 2>/dev/null
|
1427 |
groupdel havp 2>/dev/null
|
1428 |
fi
|
1428 |
fi
|
1429 |
groupadd -f havp
|
1429 |
groupadd -f havp
|
1430 |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
|
1430 |
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
|
1431 |
mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
|
1431 |
mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
|
1432 |
chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
|
1432 |
chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
|
Line 1469... |
Line 1469... |
1469 |
|
1469 |
|
1470 |
##########################################################################
|
1470 |
##########################################################################
|
1471 |
## Fonction "tinyproxy" ##
|
1471 |
## Fonction "tinyproxy" ##
|
1472 |
## - configuration of tinyproxy (proxy between filterde users and havp) ##
|
1472 |
## - configuration of tinyproxy (proxy between filterde users and havp) ##
|
1473 |
##########################################################################
|
1473 |
##########################################################################
|
1474 |
tinyproxy ()
|
1474 |
tinyproxy ()
|
1475 |
{
|
1475 |
{
|
1476 |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
|
1476 |
tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
|
1477 |
if [ "$tinyproxy_exist" == "1" ]
|
1477 |
if [ "$tinyproxy_exist" == "1" ]
|
1478 |
then
|
1478 |
then
|
1479 |
userdel -r tinyproxy 2>/dev/null
|
1479 |
userdel -r tinyproxy 2>/dev/null
|
1480 |
groupdel tinyproxy 2>/dev/null
|
1480 |
groupdel tinyproxy 2>/dev/null
|
1481 |
fi
|
1481 |
fi
|
1482 |
groupadd -f tinyproxy
|
1482 |
groupadd -f tinyproxy
|
1483 |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
|
1483 |
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
|
1484 |
mkdir -p /var/run/tinyproxy /var/log/tinyproxy
|
1484 |
mkdir -p /var/run/tinyproxy /var/log/tinyproxy
|
1485 |
chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
|
1485 |
chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
|
Line 1594... |
Line 1594... |
1594 |
Type=oneshot
|
1594 |
Type=oneshot
|
1595 |
RemainAfterExit=yes
|
1595 |
RemainAfterExit=yes
|
1596 |
PIDFile=/var/run/nfsen/nfsen.pid
|
1596 |
PIDFile=/var/run/nfsen/nfsen.pid
|
1597 |
ExecStartPre=/bin/mkdir -p /var/run/nfsen
|
1597 |
ExecStartPre=/bin/mkdir -p /var/run/nfsen
|
1598 |
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
|
1598 |
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
|
1599 |
ExecStart=/usr/bin/nfsen start
|
1599 |
ExecStart=/usr/bin/nfsen start
|
1600 |
ExecStop=/usr/bin/nfsen stop
|
1600 |
ExecStop=/usr/bin/nfsen stop
|
1601 |
ExecReload=/usr/bin/nfsen restart
|
1601 |
ExecReload=/usr/bin/nfsen restart
|
1602 |
TimeoutSec=0
|
1602 |
TimeoutSec=0
|
1603 |
|
1603 |
|
1604 |
[Install]
|
1604 |
[Install]
|
1605 |
WantedBy=multi-user.target
|
1605 |
WantedBy=multi-user.target
|
1606 |
EOF
|
1606 |
EOF
|
1607 |
# Add the listen port to collect netflow packet (nfcapd)
|
1607 |
# Add the listen port to collect netflow packet (nfcapd)
|
1608 |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
|
1608 |
$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
|
1609 |
# expire delay for the profile "live"
|
1609 |
# expire delay for the profile "live"
|
1610 |
/usr/bin/systemctl start nfsen
|
1610 |
/usr/bin/systemctl start nfsen
|
1611 |
/bin/nfsen -m live -e 62d 2>/dev/null
|
1611 |
/bin/nfsen -m live -e 62d 2>/dev/null
|
1612 |
# add SURFmap plugin
|
1612 |
# add SURFmap plugin
|
1613 |
cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
|
1613 |
cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
|
Line 1641... |
Line 1641... |
1641 |
##################################################
|
1641 |
##################################################
|
1642 |
dnsmasq ()
|
1642 |
dnsmasq ()
|
1643 |
{
|
1643 |
{
|
1644 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1644 |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
|
1645 |
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
|
1645 |
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
|
1646 |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
|
1646 |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
|
1647 |
cat << EOF > /etc/dnsmasq.conf
|
1647 |
cat << EOF > /etc/dnsmasq.conf
|
1648 |
# Configuration file for "dnsmasq in forward mode"
|
1648 |
# Configuration file for "dnsmasq in forward mode"
|
1649 |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
|
1649 |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
|
1650 |
listen-address=$PRIVATE_IP
|
1650 |
listen-address=$PRIVATE_IP
|
1651 |
pid-file=/var/run/dnsmasq.pid
|
1651 |
pid-file=/var/run/dnsmasq.pid
|
1652 |
listen-address=127.0.0.1
|
1652 |
listen-address=127.0.0.1
|
Line 1710... |
Line 1710... |
1710 |
domain-needed
|
1710 |
domain-needed
|
1711 |
expand-hosts
|
1711 |
expand-hosts
|
1712 |
bogus-priv
|
1712 |
bogus-priv
|
1713 |
filterwin2k
|
1713 |
filterwin2k
|
1714 |
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
|
1714 |
ipset=/#/wl_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
|
1715 |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
|
1715 |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
|
1716 |
EOF
|
1716 |
EOF
|
1717 |
# 4th dnsmasq listen on udp 56 ("blackhole")
|
1717 |
# 4th dnsmasq listen on udp 56 ("blackhole")
|
1718 |
cat << EOF > /etc/dnsmasq-blackhole.conf
|
1718 |
cat << EOF > /etc/dnsmasq-blackhole.conf
|
1719 |
# Configuration file for "dnsmasq as a blackhole"
|
1719 |
# Configuration file for "dnsmasq as a blackhole"
|
1720 |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
|
1720 |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
|
Line 1824... |
Line 1824... |
1824 |
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
|
1824 |
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
|
1825 |
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
|
1825 |
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
|
1826 |
EOF
|
1826 |
EOF
|
1827 |
[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
|
1827 |
[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
|
1828 |
cat <<EOF >> /etc/anacrontab
|
1828 |
cat <<EOF >> /etc/anacrontab
|
1829 |
7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
|
1829 |
7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
|
1830 |
7 10 cron.logExport nice /etc/cron.d/alcasar-archive
|
1830 |
7 10 cron.logExport nice /etc/cron.d/alcasar-archive
|
1831 |
7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
|
1831 |
7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
|
1832 |
EOF
|
1832 |
EOF
|
1833 |
|
1833 |
|
1834 |
cat <<EOF > /etc/cron.d/alcasar-mysql
|
1834 |
cat <<EOF > /etc/cron.d/alcasar-mysql
|
1835 |
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
|
1835 |
# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
|
Line 1839... |
Line 1839... |
1839 |
EOF
|
1839 |
EOF
|
1840 |
cat <<EOF > /etc/cron.d/alcasar-archive
|
1840 |
cat <<EOF > /etc/cron.d/alcasar-archive
|
1841 |
# Archive des logs et de la base de données (tous les lundi à 5h35)
|
1841 |
# Archive des logs et de la base de données (tous les lundi à 5h35)
|
1842 |
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
|
1842 |
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
|
1843 |
EOF
|
1843 |
EOF
|
1844 |
cat << EOF > /etc/cron.d/alcasar-ticket-clean
|
1844 |
cat <<EOF > /etc/cron.d/alcasar-ticket-clean
|
1845 |
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
|
1845 |
# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
|
1846 |
30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
|
1846 |
30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
|
1847 |
EOF
|
1847 |
EOF
|
1848 |
cat << EOF > /etc/cron.d/alcasar-distrib-updates
|
1848 |
cat <<EOF > /etc/cron.d/alcasar-distrib-updates
|
1849 |
# mise à jour automatique de la distribution tous les jours 3h30
|
1849 |
# mise à jour automatique de la distribution tous les jours 3h30
|
1850 |
30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
|
1850 |
30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
|
1851 |
EOF
|
1851 |
EOF
|
1852 |
|
1852 |
|
1853 |
cat << EOF > /etc/cron.d/alcasar-connections-stats
|
1853 |
cat <<EOF > /etc/cron.d/alcasar-connections-stats
|
1854 |
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
|
1854 |
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
|
1855 |
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
|
1855 |
# 'alcasar-tot_stats' (everyday at 01h01 pm) : aggregating the daily connections of users (write in the table 'totacct')
|
1856 |
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
|
1856 |
# 'alcasar-monthly_tot_stat' (everyday at 01h05 pm) : aggregating the monthly connections of users (write in table 'mtotacct')
|
1857 |
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
|
1857 |
# 'alcasar-truncate_raddact' (every month, the first at 01h10 pm) : removing the log sessions of users older than 365 days
|
1858 |
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
|
1858 |
# 'alcasar-clean_radacct' (every month, the first at 01h15 pm) : closing the sessions openned for more than 30 days
|
Line 1861... |
Line 1861... |
1861 |
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
|
1861 |
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
|
1862 |
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
|
1862 |
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
|
1863 |
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
|
1863 |
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
|
1864 |
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
|
1864 |
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
|
1865 |
EOF
|
1865 |
EOF
|
1866 |
cat << EOF > /etc/cron.d/alcasar-watchdog
|
1866 |
cat <<EOF > /etc/cron.d/alcasar-watchdog
|
1867 |
# run the "watchdog" every 3'
|
1867 |
# run the "watchdog" every 3'
|
1868 |
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
|
1868 |
# empty the IPSET of the whitelisted IP (loaded dynamically with dnsmasq-whitelist) when every whitelisted users are logged out (every sunday at 0h05
|
1869 |
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
|
1869 |
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
|
1870 |
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
|
1870 |
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
|
1871 |
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
|
1871 |
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
|
1872 |
EOF
|
1872 |
EOF
|
1873 |
# Enabling the watchdog every 18'
|
1873 |
# Enabling the watchdog every 18'
|
1874 |
cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
|
1874 |
cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
|
1875 |
# activate the daemon-watchdog after boot process
|
1875 |
# activate the daemon-watchdog after boot process
|
1876 |
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
|
1876 |
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
|
1877 |
# activate the daemon-watchdog every 18'
|
1877 |
# activate the daemon-watchdog every 18'
|
1878 |
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
|
1878 |
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
|
1879 |
EOF
|
1879 |
EOF
|
1880 |
|
1880 |
|
1881 |
# Enabling category update from rsync
|
1881 |
# Enabling category update from rsync
|
1882 |
cat << EOF > /etc/cron.d/alcasar-rsync-bl
|
1882 |
cat <<EOF > /etc/cron.d/alcasar-rsync-bl
|
1883 |
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
|
1883 |
# Automatic update of BL via rsync every 12 hours. The categories are listed in the file '/usr/local/etc/update_cat.conf' (no sync if empty).
|
1884 |
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
|
1884 |
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
|
1885 |
EOF
|
1885 |
EOF
|
1886 |
|
1886 |
|
1887 |
# Renew the Let's Encrypt certificate
|
1887 |
# Renew the Let's Encrypt certificate
|
1888 |
cat <<EOF > /etc/cron.d/alcasar-letsencrypt
|
1888 |
cat <<EOF > /etc/cron.d/alcasar-letsencrypt
|
Line 1957... |
Line 1957... |
1957 |
;LoopSleep = 2
|
1957 |
;LoopSleep = 2
|
1958 |
|
1958 |
|
1959 |
;ResetFrequency = 300
|
1959 |
;ResetFrequency = 300
|
1960 |
;HardResetFrequency = 120
|
1960 |
;HardResetFrequency = 120
|
1961 |
|
1961 |
|
1962 |
CheckSecurity = 1
|
1962 |
CheckSecurity = 1
|
1963 |
CheckSignal = 1
|
1963 |
CheckSignal = 1
|
1964 |
CheckBattery = 0
|
1964 |
CheckBattery = 0
|
1965 |
EOF
|
1965 |
EOF
|
1966 |
|
1966 |
|
1967 |
chmod 755 /etc/gammu_smsd_conf
|
1967 |
chmod 755 /etc/gammu_smsd_conf
|
Line 2009... |
Line 2009... |
2009 |
/etc/raddb/sites-available/alcasar radius.apache 660
|
2009 |
/etc/raddb/sites-available/alcasar radius.apache 660
|
2010 |
/etc/pki/* root.apache 750
|
2010 |
/etc/pki/* root.apache 750
|
2011 |
/var/log/netflow/porttracker root.apache 770
|
2011 |
/var/log/netflow/porttracker root.apache 770
|
2012 |
/var/log/netflow/porttracker/* root.apache 660
|
2012 |
/var/log/netflow/porttracker/* root.apache 660
|
2013 |
EOF
|
2013 |
EOF
|
2014 |
# apply now hourly & daily checks
|
2014 |
# apply now hourly & daily checks
|
2015 |
/usr/sbin/msec
|
2015 |
/usr/sbin/msec
|
2016 |
/etc/cron.weekly/msec
|
2016 |
/etc/cron.weekly/msec
|
2017 |
|
2017 |
|
2018 |
} # End msec()
|
2018 |
} # End msec()
|
2019 |
|
2019 |
|
Line 2097... |
Line 2097... |
2097 |
echo "HTTPS_CHILLI=off" >> $CONF_FILE
|
2097 |
echo "HTTPS_CHILLI=off" >> $CONF_FILE
|
2098 |
echo "SSH=on" >> $CONF_FILE
|
2098 |
echo "SSH=on" >> $CONF_FILE
|
2099 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
2099 |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
2100 |
echo "LDAP=off" >> $CONF_FILE
|
2100 |
echo "LDAP=off" >> $CONF_FILE
|
2101 |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
|
2101 |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
|
2102 |
echo "LDAP_BASE=ou=my_lan;dc=server_name;dc=localdoamin" >> $CONF_FILE
|
2102 |
echo "LDAP_BASE=ou=my_lan;dc=server_name;dc=localdoamin" >> $CONF_FILE
|
2103 |
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
|
2103 |
echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
|
2104 |
echo "LDAP_FILTER=" >> $CONF_FILE
|
2104 |
echo "LDAP_FILTER=" >> $CONF_FILE
|
2105 |
echo "LDAP_USER=alcasar" >> $CONF_FILE
|
2105 |
echo "LDAP_USER=alcasar" >> $CONF_FILE
|
2106 |
echo "LDAP_PASSWORD=" >> $CONF_FILE
|
2106 |
echo "LDAP_PASSWORD=" >> $CONF_FILE
|
2107 |
echo "MULTIWAN=off" >> $CONF_FILE
|
2107 |
echo "MULTIWAN=off" >> $CONF_FILE
|
2108 |
echo "FAILOVER=30" >> $CONF_FILE
|
2108 |
echo "FAILOVER=30" >> $CONF_FILE
|
2109 |
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
|
2109 |
echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
|
2110 |
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
|
2110 |
echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
|
2111 |
echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
|
2111 |
echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
|
2112 |
# Prompt customisation (colors)
|
2112 |
# Prompt customisation (colors)
|
Line 2123... |
Line 2123... |
2123 |
# Log compression
|
2123 |
# Log compression
|
2124 |
$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
|
2124 |
$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
|
2125 |
# actualisation des fichiers logs compressés
|
2125 |
# actualisation des fichiers logs compressés
|
2126 |
for dir in firewall dansguardian httpd
|
2126 |
for dir in firewall dansguardian httpd
|
2127 |
do
|
2127 |
do
|
2128 |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
|
2128 |
find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
|
2129 |
done
|
2129 |
done
|
2130 |
# create the alcasar-load_balancing unit
|
2130 |
# create the alcasar-load_balancing unit
|
2131 |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
|
2131 |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
|
2132 |
# This file is part of systemd.
|
2132 |
# This file is part of systemd.
|
2133 |
#
|
2133 |
#
|
Line 2155... |
Line 2155... |
2155 |
# processes launched at boot time (Systemctl)
|
2155 |
# processes launched at boot time (Systemctl)
|
2156 |
for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
|
2156 |
for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
|
2157 |
do
|
2157 |
do
|
2158 |
/usr/bin/systemctl -q enable $i.service
|
2158 |
/usr/bin/systemctl -q enable $i.service
|
2159 |
done
|
2159 |
done
|
2160 |
|
2160 |
|
2161 |
# disable processes at boot time (Systemctl)
|
2161 |
# disable processes at boot time (Systemctl)
|
2162 |
for i in ulogd gpm
|
2162 |
for i in ulogd gpm
|
2163 |
do
|
2163 |
do
|
2164 |
/usr/bin/systemctl -q disable $i.service
|
2164 |
/usr/bin/systemctl -q disable $i.service
|
2165 |
done
|
2165 |
done
|
2166 |
|
2166 |
|
2167 |
# Apply French Security Agency (ANSSI) rules
|
2167 |
# Apply French Security Agency (ANSSI) rules
|
2168 |
# ignore ICMP broadcast (smurf attack)
|
2168 |
# ignore ICMP broadcast (smurf attack)
|
2169 |
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
|
2169 |
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
|
2170 |
# ignore ICMP errors bogus
|
2170 |
# ignore ICMP errors bogus
|
2171 |
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
|
2171 |
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
|
Line 2178... |
Line 2178... |
2178 |
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
|
2178 |
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
|
2179 |
# ignore source routing
|
2179 |
# ignore source routing
|
2180 |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
|
2180 |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
|
2181 |
# set conntrack timer to 1h (3600s) instead of 5 weeks
|
2181 |
# set conntrack timer to 1h (3600s) instead of 5 weeks
|
2182 |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
|
2182 |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
|
2183 |
# disable log_martians (ALCASAR is often installed between two private network addresses)
|
2183 |
# disable log_martians (ALCASAR is often installed between two private network addresses)
|
2184 |
echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
|
2184 |
echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
|
2185 |
# disable iptables_helpers
|
2185 |
# disable iptables_helpers
|
2186 |
echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
|
2186 |
echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
|
2187 |
# Switch to the router mode
|
2187 |
# Switch to the router mode
|
2188 |
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
|
2188 |
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
|
Line 2197... |
Line 2197... |
2197 |
[ -e /etc/default/grub.default ] || cp /etc/default/grub /etc/default/grub.default
|
2197 |
[ -e /etc/default/grub.default ] || cp /etc/default/grub /etc/default/grub.default
|
2198 |
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
|
2198 |
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
|
2199 |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
|
2199 |
$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
|
2200 |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
|
2200 |
[ -e /etc/mageia-release.default ] || cp /etc/mageia-release /etc/mageia-release.default
|
2201 |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
|
2201 |
vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
|
2202 |
if [ $vm_vga == 0 ] # is not a VM
|
2202 |
if [ $vm_vga == 0 ] # is not a VM
|
- |
|
2203 |
then
|
- |
|
2204 |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
|
- |
|
2205 |
echo >> /etc/mageia-release
|
- |
|
2206 |
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
|
- |
|
2207 |
fi
|
- |
|
2208 |
if [ $Lang == "fr" ]
|
2203 |
then
|
2209 |
then
|
2204 |
cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
|
- |
|
2205 |
echo >> /etc/mageia-release
|
- |
|
2206 |
$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
|
- |
|
2207 |
fi
|
- |
|
2208 |
if [ $Lang == "fr" ]
|
- |
|
2209 |
then
|
- |
|
2210 |
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
|
2210 |
echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
|
2211 |
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
|
2211 |
echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
|
2212 |
else
|
2212 |
else
|
2213 |
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
|
2213 |
echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
|
2214 |
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
|
2214 |
echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
|
2215 |
fi
|
2215 |
fi
|
2216 |
/usr/bin/update-grub2
|
2216 |
/usr/bin/update-grub2
|
2217 |
# Load and apply the previous conf file
|
2217 |
# Load and apply the previous conf file
|
2218 |
if [ "$mode" = "update" ]
|
2218 |
if [ "$mode" = "update" ]
|
2219 |
then
|
2219 |
then
|
2220 |
$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
|
2220 |
$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
|
2221 |
$DIR_DEST_BIN/alcasar-conf.sh --load
|
2221 |
$DIR_DEST_BIN/alcasar-conf.sh --load
|
2222 |
PARENT_SCRIPT=`basename $0`
|
2222 |
PARENT_SCRIPT=`basename $0`
|
2223 |
export PARENT_SCRIPT # to avoid stop&start process during the installation process
|
2223 |
export PARENT_SCRIPT # to avoid stop&start process during the installation process
|
2224 |
$DIR_DEST_BIN/alcasar-conf.sh --apply
|
2224 |
$DIR_DEST_BIN/alcasar-conf.sh --apply
|
2225 |
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
|
2225 |
$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
|
2226 |
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
|
2226 |
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
|
2227 |
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
|
2227 |
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
|
2228 |
fi
|
2228 |
fi
|
2229 |
rm -f /tmp/alcasar-conf*
|
2229 |
rm -f /tmp/alcasar-conf*
|
2230 |
chown -R root:apache $DIR_DEST_ETC/*
|
2230 |
chown -R root:apache $DIR_DEST_ETC/*
|
Line 2247... |
Line 2247... |
2247 |
echo "- Lisez attentivement la documentation d'exploitation"
|
2247 |
echo "- Lisez attentivement la documentation d'exploitation"
|
2248 |
echo
|
2248 |
echo
|
2249 |
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
|
2249 |
echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
|
2250 |
echo
|
2250 |
echo
|
2251 |
echo " Appuyez sur 'Entrée' pour continuer"
|
2251 |
echo " Appuyez sur 'Entrée' pour continuer"
|
2252 |
else
|
2252 |
else
|
2253 |
echo "# End of ALCASAR install process #"
|
2253 |
echo "# End of ALCASAR install process #"
|
2254 |
echo "# #"
|
2254 |
echo "# #"
|
2255 |
echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
|
2255 |
echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
|
2256 |
echo "# des Accès au Réseau ( ALCASAR ) #"
|
2256 |
echo "# des Accès au Réseau ( ALCASAR ) #"
|
2257 |
echo "# #"
|
2257 |
echo "# #"
|
Line 2319... |
Line 2319... |
2319 |
if [ -e $CONF_FILE ]
|
2319 |
if [ -e $CONF_FILE ]
|
2320 |
then
|
2320 |
then
|
2321 |
# Uninstall the running version
|
2321 |
# Uninstall the running version
|
2322 |
$DIR_SCRIPTS/alcasar-uninstall.sh -update
|
2322 |
$DIR_SCRIPTS/alcasar-uninstall.sh -update
|
2323 |
fi
|
2323 |
fi
|
2324 |
# Test if manual update
|
2324 |
# Test if manual update
|
2325 |
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
|
2325 |
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
|
2326 |
then
|
2326 |
then
|
2327 |
header_install
|
2327 |
header_install
|
2328 |
if [ $Lang == "fr" ]
|
2328 |
if [ $Lang == "fr" ]
|
2329 |
then echo "Le fichier de configuration d'une ancienne version a été trouvé";
|
2329 |
then echo "Le fichier de configuration d'une ancienne version a été trouvé";
|
Line 2336... |
Line 2336... |
2336 |
if [ $Lang == "fr" ]
|
2336 |
if [ $Lang == "fr" ]
|
2337 |
then echo -n "Voulez-vous l'utiliser (O/n)? ";
|
2337 |
then echo -n "Voulez-vous l'utiliser (O/n)? ";
|
2338 |
else echo -n "Do you want to use it (Y/n)?";
|
2338 |
else echo -n "Do you want to use it (Y/n)?";
|
2339 |
fi
|
2339 |
fi
|
2340 |
read response
|
2340 |
read response
|
2341 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
2341 |
if [ "$response" = "n" ] || [ "$response" = "N" ]
|
2342 |
then rm -f /tmp/alcasar-conf*
|
2342 |
then rm -f /tmp/alcasar-conf*
|
2343 |
fi
|
2343 |
fi
|
2344 |
done
|
2344 |
done
|
2345 |
fi
|
2345 |
fi
|
2346 |
# Test if update
|
2346 |
# Test if update
|
2347 |
if [ -e /tmp/alcasar-conf* ]
|
2347 |
if [ -e /tmp/alcasar-conf* ]
|
2348 |
then
|
2348 |
then
|
2349 |
if [ $Lang == "fr" ]
|
2349 |
if [ $Lang == "fr" ]
|
2350 |
then echo "#### Installation avec mise à jour ####";
|
2350 |
then echo "#### Installation avec mise à jour ####";
|
2351 |
else echo "#### Installation with update ####";
|
2351 |
else echo "#### Installation with update ####";
|
2352 |
fi
|
2352 |
fi
|
2353 |
# Extract the central configuration file
|
2353 |
# Extract the central configuration file
|
2354 |
tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
|
2354 |
tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
|
2355 |
ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
|
2355 |
ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
|
2356 |
PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
|
2356 |
PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
|
2357 |
MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
|
2357 |
MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
|
2358 |
MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
|
2358 |
MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
|
2359 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
|
2359 |
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
|
Line 2385... |
Line 2385... |
2385 |
read response
|
2385 |
read response
|
2386 |
done
|
2386 |
done
|
2387 |
if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
|
2387 |
if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
|
2388 |
then
|
2388 |
then
|
2389 |
$DIR_SCRIPTS/alcasar-conf.sh --create
|
2389 |
$DIR_SCRIPTS/alcasar-conf.sh --create
|
2390 |
else
|
2390 |
else
|
2391 |
rm -f /tmp/alcasar-conf*
|
2391 |
rm -f /tmp/alcasar-conf*
|
2392 |
fi
|
2392 |
fi
|
2393 |
# Uninstall the running version
|
2393 |
# Uninstall the running version
|
2394 |
$DIR_SCRIPTS/alcasar-uninstall.sh -full
|
2394 |
$DIR_SCRIPTS/alcasar-uninstall.sh -full
|
2395 |
;;
|
2395 |
;;
|