Subversion Repositories ALCASAR

Rev

Rev 2681 | Rev 2689 | Go to most recent revision | Show entire file | Regard whitespace | Details | Blame | Last modification | View Log | RSS feed

Rev 2681 Rev 2688
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2681 2019-01-02 14:58:43Z tom.houdayer $
2
#  $Id: alcasar.sh 2688 2019-01-18 23:15:49Z lucas.echard $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
Line 16... Line 16...
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
 
26
 
Line 37... Line 37...
37
#       e2guardian              : E2Guardian filtering HTTP proxy configuration
37
#       e2guardian              : E2Guardian filtering HTTP proxy configuration
38
#       antivirus               : HAVP + libclamav configuration
38
#       antivirus               : HAVP + libclamav configuration
39
#       tinyproxy               : little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#       tinyproxy               : little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#       ulogd                   : log system in userland (match NFLOG target of iptables)
40
#       ulogd                   : log system in userland (match NFLOG target of iptables)
41
#       nfsen                   : Configuration of Nfsen Netflow grapher
41
#       nfsen                   : Configuration of Nfsen Netflow grapher
42
#       dnsmasq                 : Name server configuration
42
#       unbound                 : Name server configuration
-
 
43
#       dnsmasq                 : Name server configuration (for whitelist ipset support)
43
#       vnstat                  : little network stat daemon
44
#       vnstat                  : little network stat daemon
44
#       BL                              : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
45
#       BL                              : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
45
#       cron                    : Logs export + watchdog + connexion statistics
46
#       cron                    : Logs export + watchdog + connexion statistics
46
#       fail2ban                : Fail2ban IDS installation and configuration
47
#       fail2ban                : Fail2ban IDS installation and configuration
47
#       gammu_smsd              : Autoregister addon via SMS (gammu-smsd)
48
#       gammu_smsd              : Autoregister addon via SMS (gammu-smsd)
48
#       msec                    : Mandriva security package configuration
49
#       msec                    : Mandriva security package configuration
49
#       letsencrypt             : Let's Encrypt client
50
#       letsencrypt             : Let's Encrypt client
Line 63... Line 64...
63
DIR_WEB="/var/www/html"                                 # directory of Lighttpd
64
DIR_WEB="/var/www/html"                                 # directory of Lighttpd
64
DIR_DG="/etc/e2guardian"                                # directory of E2Guardian
65
DIR_DG="/etc/e2guardian"                                # directory of E2Guardian
65
DIR_ACC="$DIR_WEB/acc"                                  # directory of the 'ALCASAR Control Center'
66
DIR_ACC="$DIR_WEB/acc"                                  # directory of the 'ALCASAR Control Center'
66
DIR_DEST_BIN="/usr/local/bin"                   # directory of ALCASAR scripts
67
DIR_DEST_BIN="/usr/local/bin"                   # directory of ALCASAR scripts
67
DIR_DEST_ETC="/usr/local/etc"                   # directory of ALCASAR conf files
68
DIR_DEST_ETC="/usr/local/etc"                   # directory of ALCASAR conf files
68
DIR_DEST_SHARE="/usr/local/share"               # directory of share files used by ALCASAR (dnsmasq for instance)
69
DIR_DEST_SHARE="/usr/local/share"               # directory of share files used by ALCASAR (unbound for instance)
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"  # central ALCASAR conf file
70
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"  # central ALCASAR conf file
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"       # text file with the passwords and shared secrets
71
PASSWD_FILE="/root/ALCASAR-passwords.txt"       # text file with the passwords and shared secrets
71
# ******* DBMS parameters - paramètres SGBD ********
72
# ******* DBMS parameters - paramètres SGBD ********
72
DB_RADIUS="radius"                                              # database name used by FreeRadius server
73
DB_RADIUS="radius"                                              # database name used by FreeRadius server
73
DB_USER="radius"                                                # user name allows to request the users database
74
DB_USER="radius"                                                # user name allows to request the users database
Line 130... Line 131...
130
        fic=`cat /etc/product.id`
131
        fic=`cat /etc/product.id`
131
        unknown_os=0
132
        unknown_os=0
132
        old="$IFS"
133
        old="$IFS"
133
        IFS=","
134
        IFS=","
134
        set $fic
135
        set $fic
135
        for i in $*
136
        for i in "$@"
136
        do
137
        do
137
                if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
                if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
                        then
139
                        then
139
                        DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
                        DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
                        unknown_os=`expr $unknown_os + 1`
141
                        unknown_os=`expr $unknown_os + 1`
Line 185... Line 186...
185
                echo
186
                echo
186
                if [ $Lang == "fr" ]
187
                if [ $Lang == "fr" ]
187
                        then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
188
                        then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
188
                        else echo "The OS must be replaced (Mageia6-64bits)"
189
                        else echo "The OS must be replaced (Mageia6-64bits)"
189
                fi
190
                fi
190
                exit 0
191
                exit 1
191
        fi
192
        fi
192
 
193
 
193
# Test if ALCASAR is already installed
194
# Test if ALCASAR is already installed
194
        if [ -e $CONF_FILE ]
195
        if [ -e $CONF_FILE ]
195
        then
196
        then
Line 213... Line 214...
213
                        rm -f /var/tmp/alcasar-conf*
214
                        rm -f /var/tmp/alcasar-conf*
214
                else
215
                else
215
# Retrieve former NICname
216
# Retrieve former NICname
216
                        EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`  # EXTernal InterFace
217
                        EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`  # EXTernal InterFace
217
                        INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`  # INTernal InterFace
218
                        INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`  # INTernal InterFace
218
                        [ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
219
                        [ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
219
                        [ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
220
                        [ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
220
# Create the current conf file
221
# Create the current conf file
221
                        $DIR_SCRIPTS/alcasar-conf.sh --create
222
                        $DIR_SCRIPTS/alcasar-conf.sh --create
222
                        mode="update"
223
                        mode="update"
223
                fi
224
                fi
224
        fi
225
        fi
225
# Test free space on /var
226
# Test free space on /var
226
        if [ ! -d /var/log/netflow/porttracker ]
227
        if [ ! -d /var/log/netflow/porttracker ]
227
                then
228
                then
228
                free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
229
                free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
229
                if [ $free_space -lt 10 ]
230
                if [ $free_space -lt 10 ]
230
                        then
231
                        then
231
                        if [ $Lang == "fr" ]
232
                        if [ $Lang == "fr" ]
232
                                then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
233
                                then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
233
                                else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
234
                                else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
Line 281... Line 282...
281
                                read response
282
                                read response
282
 
283
 
283
                                [ -z "$response" ] && response="$interfacePreferred"
284
                                [ -z "$response" ] && response="$interfacePreferred"
284
 
285
 
285
                                # Check if interface exist
286
                                # Check if interface exist
286
                                if [ $(echo "$interfacesList" | grep -c "^$response\$") -eq 1 ]; then
287
                                if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
287
                                        INTIF="$response"
288
                                        INTIF="$response"
288
                                        break
289
                                        break
289
                                else
290
                                else
290
                                        if [ "$Lang" == 'fr' ]
291
                                        if [ "$Lang" == 'fr' ]
291
                                                then echo "Interface \"$response\" introuvable"
292
                                                then echo "Interface \"$response\" introuvable"
Line 303... Line 304...
303
        if [ $Lang == "fr" ]
304
        if [ $Lang == "fr" ]
304
                then echo -n "Tests des paramètres réseau : "
305
                then echo -n "Tests des paramètres réseau : "
305
                else echo -n "Network parameters tests: "
306
                else echo -n "Network parameters tests: "
306
        fi
307
        fi
307
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
        cd /etc/sysconfig/network-scripts/
309
        cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
309
        IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
        IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
        for i in $IF_INTERFACES
311
        for i in $IF_INTERFACES
311
        do
312
        do
312
                if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
313
                if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
313
                        rm -f ifcfg-$i
314
                        rm -f ifcfg-$i
314
 
315
 
315
                        if [ $Lang == "fr" ]
316
                        if [ $Lang == "fr" ]
316
                                then echo "Suppression : ifcfg-$i"
317
                                then echo "Suppression : ifcfg-$i"
317
                                else echo "Deleting: ifcfg-$i"
318
                                else echo "Deleting: ifcfg-$i"
318
                        fi
319
                        fi
319
                fi
320
                fi
320
        done
321
        done
321
        cd $DIR_INSTALL
322
        cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
322
        echo -n "."
323
        echo -n "."
323
# Test Ethernet NIC links state
324
# Test Ethernet NIC links state
324
        interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
        interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
        if [ ! -z "$interfacesDown" ]; then
326
        if [ ! -z "$interfacesDown" ]; then
326
                for i in $interfacesDown; do
327
                for i in $interfacesDown; do
Line 340... Line 341...
340
        echo -n "."
341
        echo -n "."
341
# Test EXTIF config files
342
# Test EXTIF config files
342
        PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
        PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
        PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
        PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
        PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
        PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
        if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
346
        if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
346
        then
347
        then
347
                if [ $Lang == "fr" ]
348
                if [ $Lang == "fr" ]
348
                then
349
                then
349
                        echo -e "\nÉchec"
350
                        echo -e "\nÉchec"
350
                        echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
351
                        echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
Line 365... Line 366...
365
                echo "ONBOOT=yes"
366
                echo "ONBOOT=yes"
366
                exit 1
367
                exit 1
367
        fi
368
        fi
368
        echo -n "."
369
        echo -n "."
369
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
        if [ `/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default '` -ne 1 ] ; then
371
        if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
371
                if [ $Lang == "fr" ]
372
                if [ $Lang == "fr" ]
372
                then
373
                then
373
                        echo -e "\nÉchec"
374
                        echo -e "\nÉchec"
374
                        echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
                        echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
                        echo "Réglez ce problème puis relancez ce script."
376
                        echo "Réglez ce problème puis relancez ce script."
Line 381... Line 382...
381
                exit 1
382
                exit 1
382
        fi
383
        fi
383
        echo -n "."
384
        echo -n "."
384
# Test if default GW is alive
385
# Test if default GW is alive
385
        arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
        arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
        if [ $(expr $arp_reply) -eq 0 ]
387
        if [ "$(expr $arp_reply)" -eq 0 ]
387
                then
388
                then
388
                if [ $Lang == "fr" ]
389
                if [ $Lang == "fr" ]
389
                then
390
                then
390
                        echo -e "\nÉchec"
391
                        echo -e "\nÉchec"
391
                        echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
392
                        echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
Line 445... Line 446...
445
        fi
446
        fi
446
# On crée aléatoirement les mots de passe et les secrets partagés
447
# On crée aléatoirement les mots de passe et les secrets partagés
447
# We create random passwords and shared secrets
448
# We create random passwords and shared secrets
448
        rm -f $PASSWD_FILE
449
        rm -f $PASSWD_FILE
449
        echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
        echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
        grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
451
        grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
451
        pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
        pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
                LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
                LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
                grep -v '[eE]nter password:' | \
454
                grep -v '[eE]nter password:' | \
454
                sed -e "s/PBKDF2 hash of your password is //"`
455
                sed -e "s/PBKDF2 hash of your password is //"`
455
        echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
456
        echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
Line 457... Line 458...
457
        cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
        cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
        chmod 0600 /boot/grub2/user.cfg
459
        chmod 0600 /boot/grub2/user.cfg
459
        echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
        echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
        echo "GRUB2_user=root" >> $PASSWD_FILE
461
        echo "GRUB2_user=root" >> $PASSWD_FILE
461
        echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
        echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
        mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
463
        mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
463
        echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
        echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
        echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
        echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
        radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
466
        radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
466
        echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
        echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
        echo "db_user=$DB_USER" >> $PASSWD_FILE
468
        echo "db_user=$DB_USER" >> $PASSWD_FILE
468
        echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
        echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
        secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
470
        secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
470
        echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
        echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
        echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
        echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
        secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
473
        secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
473
        echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
        echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
        echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
        echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
        chmod 640 $PASSWD_FILE
476
        chmod 640 $PASSWD_FILE
476
#  copy scripts in in /usr/local/bin
477
#  copy scripts in in /usr/local/bin
477
        cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
478
        cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
Line 556... Line 557...
556
        private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`                                            # last octet of LAN address
557
        private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`                                            # last octet of LAN address
557
        PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`          # second network address (ex.: 192.168.182.2)
558
        PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`          # second network address (ex.: 192.168.182.2)
558
        PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX                                           # ie.: 192.168.182.0/24
559
        PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX                                           # ie.: 192.168.182.0/24
559
        classe=$((PRIVATE_PREFIX/8))                                                                    # ie.: 2=classe B, 3=classe C
560
        classe=$((PRIVATE_PREFIX/8))                                                                    # ie.: 2=classe B, 3=classe C
560
        PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.                          # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
561
        PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.                          # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
561
        PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`                        # private network broadcast (ie.: 192.168.182.255)
-
 
562
        private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`                              # last octet of LAN broadcast
-
 
563
        PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
-
 
564
        PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`      # last network address (ex.: 192.168.182.254)
-
 
565
        PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'`      # MAC address of INTIF
562
        PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'`      # MAC address of INTIF
566
# Define Internet parameters
563
# Define Internet parameters
567
        if [ "$mode" != "update" ]
564
        if [ "$mode" != "update" ]
568
        then
565
        then
569
                DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`   # 1st DNS server
566
                DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`   # 1st DNS server
Line 821... Line 818...
821
        $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
818
        $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
822
# Configuring & securing Lighttpd
819
# Configuring & securing Lighttpd
823
        rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
820
        rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
824
        [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
821
        [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
825
        $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
822
        $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
826
        $SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
823
        $SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
827
        $SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
824
        $SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
828
        $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
825
        $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
829
        echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
826
        echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
830
 
827
 
831
        [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
828
        [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
832
        $SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
829
        $SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
Line 843... Line 840...
843
 
840
 
844
        cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
841
        cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
845
 
842
 
846
        [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
843
        [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
847
        cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
844
        cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
848
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
845
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
849
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
846
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
850
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
847
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
851
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
848
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
852
        ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
849
        ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
853
 
850
 
854
        [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
851
        [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
855
        [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
852
        [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
856
        [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
853
        [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
-
 
854
 
857
        chown -R apache:apache /var/log/lighttpd
855
        chown -R apache:apache /var/log/lighttpd
858
        /usr/bin/systemctl start lighttpd
856
        /usr/bin/systemctl start lighttpd
859
        /usr/bin/systemctl start php-fpm
857
        /usr/bin/systemctl start php-fpm
860
 
858
 
861
# Creation of the first account (in 'admin' profile)
859
# Creation of the first account (in 'admin' profile)
Line 917... Line 915...
917
logfile /var/log/ntp.log
915
logfile /var/log/ntp.log
918
disable monitor
916
disable monitor
919
EOF
917
EOF
920
        chown -R ntp:ntp /var/lib/ntp
918
        chown -R ntp:ntp /var/lib/ntp
921
# Synchronize now
919
# Synchronize now
922
        ntpd -q -g &
920
        ntpd -4 -q -g &
923
} # End of time_server ()
921
} # End of time_server ()
924
 
922
 
925
#####################################################################
923
#####################################################################
926
##                     Function "init_db"                          ##
924
##                     Function "init_db"                          ##
927
## - Mysql initialization                                          ##
925
## - Mysql initialization                                          ##
Line 930... Line 928...
930
## - Radius database creation                                      ##
928
## - Radius database creation                                      ##
931
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
929
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
932
#####################################################################
930
#####################################################################
933
init_db ()
931
init_db ()
934
{
932
{
935
        if [ `systemctl is-active mysqld` == "active" ]
933
        if [ "`systemctl is-active mysqld`" == "active" ]
936
        then
934
        then
937
                systemctl stop mysqld
935
                systemctl stop mysqld
938
        fi
936
        fi
939
        rm -rf /var/lib/mysql # to be sure that there is no former installation
937
        rm -rf /var/lib/mysql # to be sure that there is no former installation
940
        [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
938
        [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
Line 955... Line 953...
955
        if [ ! -S /var/lib/mysql/mysql.sock ]
953
        if [ ! -S /var/lib/mysql/mysql.sock ]
956
        then
954
        then
957
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
955
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
958
                exit
956
                exit
959
        fi
957
        fi
960
        MYSQL="/usr/bin/mysql --execute"
-
 
961
# Secure the server
958
# Secure the server
962
        $MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
959
        /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
-
 
960
 
963
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
961
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
964
        $MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
962
        $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
965
        $MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
963
        $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
966
# Create 'radius' database
964
# Create 'radius' database
967
        $MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
965
        $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
968
# Add an empty radius database structure
966
# Add an empty radius database structure
969
        mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
967
        /usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
970
# modify the start script in order to close accounting connexion when the system is comming down or up
968
# modify the start script in order to close accounting connexion when the system is comming down or up
971
        [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
969
        [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
972
        $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
970
        $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
973
        $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
971
        $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
974
        /usr/bin/systemctl unset-environment MYSQLD_OPTS
972
        /usr/bin/systemctl unset-environment MYSQLD_OPTS
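Review bot: Both database passwords travel on the command line in this hunk — `-p$mysqlpwd` inside the `MYSQL=` wrapper, `-p$radiuspwd` on the `empty-radiusd-db.sql` import, and `$mysqlpwd` inside the `--execute` GRANT string — so any local user can read them from `ps` or /proc/*/cmdline while each client runs; feeding the SQL on stdin and using a 0600 `--defaults-extra-file` created with `mktemp` keeps them off argv, as sketched below (the schema import and the gammu section later in the file reuse the same pattern and want the same treatment). The failure branch just above `# Secure the server` ends with a bare `exit`, which returns the status of the preceding `echo` (0), so a caller sees success when MariaDB never came up; `exit 1` is intended. If the generated passwords can contain a single quote the interpolated SQL breaks, but how `$mysqlpwd`/`$radiuspwd` are generated is outside this hunk. init_db's body continues past the hunk.
```shell
# Secure the server: SQL on stdin so the new root password is not visible in the process list
/usr/bin/mysql <<EOF
GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';
EOF
# 0600 client config (mktemp default mode) replaces -uroot -p$mysqlpwd on argv
my_cnf=$(mktemp) || exit 1
printf '[client]\nuser=root\npassword=%s\n' "$mysqlpwd" > "$my_cnf"
MYSQL="/usr/bin/mysql --defaults-extra-file=$my_cnf --execute"
# … unchanged: DROP DATABASE / DELETE FROM user / CREATE DATABASE $DB_RADIUS statements …
rm -f "$my_cnf"
```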
Line 1049... Line 1047...
1049
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1047
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1050
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1048
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1051
        /usr/bin/systemctl daemon-reload
1049
        /usr/bin/systemctl daemon-reload
1052
# Allow apache to change some conf files (ie : ldap on/off)
1050
# Allow apache to change some conf files (ie : ldap on/off)
1053
        chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1051
        chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1054
 
-
 
1055
} # End freeradius ()
1052
} # End freeradius ()
1056
 
1053
 
1057
#############################################################################
1054
#############################################################################
1058
##                           Function "chilli"                             ##
1055
##                           Function "chilli"                             ##
1059
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1056
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
Line 1184... Line 1181...
1184
                #   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1181
                #   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1185
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1182
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1186
                #
1183
                #
1187
                #Code : 42 => 2a
1184
                #Code : 42 => 2a
1188
                #Len : 4 => 04
1185
                #Len : 4 => 04
1189
        PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1186
        PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1190
        cat <<EOF > /etc/chilli.conf
1187
        cat <<EOF > /etc/chilli.conf
1191
# coova config for ALCASAR
1188
# coova config for ALCASAR
1192
cmdsocket       /var/run/chilli.sock
1189
cmdsocket       /var/run/chilli.sock
1193
unixipc         chilli.$INTIF.ipc
1190
unixipc         chilli.$INTIF.ipc
1194
pidfile         /var/run/chilli.pid
1191
pidfile         /var/run/chilli.pid
Line 1466... Line 1463...
1466
        $SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1463
        $SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1467
# use of our conf file and init unit
1464
# use of our conf file and init unit
1468
        cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1465
        cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1469
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1466
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1470
        DirTmp=$(pwd)
1467
        DirTmp=$(pwd)
1471
        cd /tmp/nfsen-*/
1468
        cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
1472
        /usr/bin/perl install.pl etc/nfsen.conf
1469
        /usr/bin/perl install.pl etc/nfsen.conf
1473
        /usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1470
        /usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1474
# Create RRD DB for porttracker (only in it still doesn't exist)
1471
# Create RRD DB for porttracker (only in it still doesn't exist)
1475
        cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1472
        cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1476
        cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1473
        cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
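Review bot: `cd /tmp/nfsen-*/` resolves a glob in the world-writable /tmp and then runs `install.pl` twice as root from whatever it matched; the nfsen archive is unpacked there outside this hunk, so a local user who pre-creates a `/tmp/nfsen-…` directory or symlink before the installer runs can get their own `install.pl` executed, and if the glob ever matches more than one entry `cd` receives several arguments, which recent bash rejects, and the new `|| exit 1` aborts the install. Unpack into a private directory instead — `nfsen_tmp=$(mktemp -d) || exit 1`, extract with `-C "$nfsen_tmp"`, then `cd "$nfsen_tmp"/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }` — and remove `"$nfsen_tmp"` where `rm -rf /tmp/nfsen-*` is done now. The same /tmp glob pattern is used for acme.sh later in the file. The nfsen function starts before this hunk.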
Line 1503... Line 1500...
1503
 
1500
 
1504
[Install]
1501
[Install]
1505
WantedBy=multi-user.target
1502
WantedBy=multi-user.target
1506
EOF
1503
EOF
1507
# Add the listen port to collect netflow packet (nfcapd)
1504
# Add the listen port to collect netflow packet (nfcapd)
1508
        $SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1505
        $SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1509
# expire delay for the profile "live"
1506
# expire delay for the profile "live"
1510
        /usr/bin/systemctl start nfsen
1507
        /usr/bin/systemctl start nfsen
1511
        /bin/nfsen -m live -e 62d 2>/dev/null
1508
        /bin/nfsen -m live -e 62d 2>/dev/null
1512
# add SURFmap plugin (waiting for new technical solution)
1509
# add SURFmap plugin (waiting for new technical solution)
1513
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1510
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
Line 1517... Line 1514...
1517
#       cd /tmp/
1514
#       cd /tmp/
1518
#       /usr/bin/sh SURFmap/install.sh 
1515
#       /usr/bin/sh SURFmap/install.sh
1519
# clear the installation
1516
# clear the installation
1520
#       rm -rf /tmp/SURFmap*
1517
#       rm -rf /tmp/SURFmap*
1521
        rm -rf /tmp/nfsen-*
1518
        rm -rf /tmp/nfsen-*
1522
        cd $DirTmp
1519
        cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1523
        chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1520
        chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1524
} # End of nfsen ()
1521
} # End of nfsen ()
1525
 
1522
 
1526
###########################################################
1523
###########################################################
1527
##                     Function "vnstat"                 ##
1524
##                     Function "vnstat"                 ##
Line 1544... Line 1541...
1544
## - creation of the file managing domain name (local & remote) ##
1541
## - creation of the file managing domain name (local & remote) ##
1545
##################################################################
1542
##################################################################
1546
dnsmasq ()
1543
dnsmasq ()
1547
{
1544
{
1548
        [ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1545
        [ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1549
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
-
 
1550
        [ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1546
        [ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1551
        cat << EOF > /etc/dnsmasq.conf
-
 
1552
# Configuration file for "dnsmasq in forward mode"
-
 
1553
conf-file=$DIR_DEST_ETC/alcasar-dns-name        # local & remote DNS domain name resolutions
-
 
1554
listen-address=$PRIVATE_IP
-
 
1555
pid-file=/var/run/dnsmasq.pid
-
 
1556
listen-address=127.0.0.1
-
 
1557
no-dhcp-interface=$INTIF
-
 
1558
no-dhcp-interface=tun0
-
 
1559
no-dhcp-interface=lo
-
 
1560
bind-interfaces
-
 
1561
cache-size=2048
-
 
1562
domain-needed
-
 
1563
expand-hosts
-
 
1564
bogus-priv
-
 
1565
filterwin2k
-
 
1566
server=$DNS1
-
 
1567
server=$DNS2
-
 
1568
# DHCP service is configured. It will be enabled in "bypass" mode
-
 
1569
#dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
-
 
1570
#dhcp-option=option:router,$PRIVATE_IP
-
 
1571
#dhcp-option=option:ntp-server,$PRIVATE_IP
-
 
1572
 
-
 
1573
# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
-
 
1574
#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
-
 
1575
EOF
-
 
1576
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
-
 
1577
        cat << EOF > /etc/dnsmasq-blacklist.conf
-
 
1578
# Configuration file for "dnsmasq with blacklist"
-
 
1579
# Add Toulouse University blacklist domains
-
 
1580
conf-file=$DIR_DEST_ETC/alcasar-dns-name        # local & remote DNS domain name resolutions
-
 
1581
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
-
 
1582
pid-file=/var/run/dnsmasq-blacklist.pid
-
 
1583
listen-address=$PRIVATE_IP
-
 
1584
port=54
-
 
1585
no-dhcp-interface=$INTIF
-
 
1586
no-dhcp-interface=tun0
-
 
1587
no-dhcp-interface=lo
-
 
1588
bind-interfaces
-
 
1589
cache-size=2048
-
 
1590
domain-needed
-
 
1591
expand-hosts
-
 
1592
bogus-priv
-
 
1593
filterwin2k
-
 
1594
log-queries
-
 
1595
log-facility=/var/log/dnsmasq/dnsmasq-blacklist.log
-
 
1596
server=$DNS1
-
 
1597
server=$DNS2
-
 
1598
EOF
-
 
1599
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1547
        # 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1600
        cat << EOF > /etc/dnsmasq-whitelist.conf
1548
        cat << EOF > /etc/dnsmasq-whitelist.conf
1601
# Configuration file for "dnsmasq with whitelist"
1549
# Configuration file for "dnsmasq with whitelist"
1602
# ADD Toulouse university whitelist domains
1550
# ADD Toulouse university whitelist domains
1603
conf-file=$DIR_DEST_ETC/alcasar-dns-name        # local & remote DNS domain name resolutions
-
 
1604
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
-
 
1605
pid-file=/var/run/dnsmasq-whitelist.pid
1551
pid-file=/var/run/dnsmasq-whitelist.pid
1606
listen-address=$PRIVATE_IP
1552
listen-address=127.0.0.1
1607
port=55
1553
port=55
1608
no-dhcp-interface=$INTIF
-
 
1609
no-dhcp-interface=tun0
-
 
1610
no-dhcp-interface=lo
1554
no-dhcp-interface=lo
1611
bind-interfaces
1555
bind-interfaces
1612
cache-size=1024
1556
cache-size=1024
1613
domain-needed
1557
domain-needed
1614
expand-hosts
1558
expand-hosts
1615
bogus-priv
1559
bogus-priv
1616
filterwin2k
1560
filterwin2k
1617
ipset=/#/wl_ip_allowed                  # dynamicly add the resolv IP address in the Firewall rules
1561
ipset=/#/wl_ip_allowed  # dynamically add the resolv IP address in the Firewall rules
-
 
1562
server=$DNS1
1618
address=/#/$PRIVATE_IP                          # for Domain name without local resolution (WL)
1563
server=$DNS2
1619
EOF
1564
EOF
1620
# 4th dnsmasq listen on udp 56 ("blackhole")
-
 
1621
        cat << EOF > /etc/dnsmasq-blackhole.conf
-
 
1622
# Configuration file for "dnsmasq as a blackhole"
-
 
1623
conf-file=$DIR_DEST_ETC/alcasar-dns-name        # local & remote DNS domain name resolutions
-
 
1624
address=/#/$PRIVATE_IP                          # redirect all on ALCASAR IP address
-
 
1625
pid-file=/var/run/dnsmasq-blackhole.pid
-
 
1626
listen-address=$PRIVATE_IP
-
 
1627
port=56
-
 
1628
no-dhcp-interface=$INTIF
-
 
1629
no-dhcp-interface=tun0
-
 
1630
no-dhcp-interface=lo
-
 
1631
bind-interfaces
-
 
1632
cache-size=256
-
 
1633
domain-needed
-
 
1634
expand-hosts
-
 
1635
bogus-priv
-
 
1636
filterwin2k
-
 
1637
EOF
-
 
1638
# file managing domain name resolution (local & remote)
-
 
1639
        cat << EOF > $DIR_DEST_ETC/alcasar-dns-name
-
 
1640
# Vous pouvez définir ici votre nom de domain local ('localdomain' par défaut)
-
 
1641
# Here you can define your local domain name ('localdomain' by default)
-
 
1642
local=/localdomain/
-
 
1643
domain=localdomain
-
 
1644
 
1565
 
1645
## Ajouter une ligne pour chaque nom de domaine géré par un autre seveur DNS
1566
        # Create dnsmasq-whitelist unit
1646
## Add one line for each domain name managed by an other DNS server
1567
        mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1647
## server=/<your_domain>/<@IP_domain_server>
1568
        cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1648
## Exemple for an A.D. domain :  server=/Your.Domain.AD/110.120.100.100
1569
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1649
## Exemple for an other domain : server=/an_other_domain/10.20.30.40
1570
        $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
-
 
1571
} # End dnsmasq
1650
 
1572
 
-
 
1573
##################################################
-
 
1574
##              Function "unbound"              ##
-
 
1575
##################################################
-
 
1576
unbound ()
-
 
1577
{
-
 
1578
        [ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
-
 
1579
        [ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
-
 
1580
        [ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
-
 
1581
        [ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
-
 
1582
        [ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
-
 
1583
        [ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
-
 
1584
        [ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
-
 
1585
        [ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
-
 
1586
        [ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
-
 
1587
        [ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
-
 
1588
 
-
 
1589
        # Local static DNS configuration
-
 
1590
        [ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
-
 
1591
 
-
 
1592
        # Forward zone configuration file for all unbound dns servers
-
 
1593
        cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
-
 
1594
forward-zone:
-
 
1595
        name: "."
-
 
1596
        forward-addr: $DNS1
-
 
1597
        forward-addr: $DNS2
-
 
1598
EOF
-
 
1599
 
-
 
1600
        # Custom configuration file for manual DNS configuration
-
 
1601
        cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
-
 
1602
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
-
 
1603
## Add one block for each domain name managed by an other DNS server
-
 
1604
##
-
 
1605
## Example:
-
 
1606
##
-
 
1607
## server:
-
 
1608
##     local-zone: "<your_domain>." transparent
-
 
1609
## forward-zone:
-
 
1610
##     name: "<your_domain>."
-
 
1611
##     forward-addr: <@IP_domain_server>
-
 
1612
##
1651
## INFO : local hostnames are resolved in /etc/hosts file
1613
## INFO : local hostnames are resolved in /etc/hosts file
1652
EOF
1614
EOF
1653
 
1615
 
-
 
1616
        # Configuration file of ALCASAR main domains for $INTIF
-
 
1617
        cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
-
 
1618
server:
-
 
1619
        local-zone: "$HOSTNAME.$DOMAIN" static
-
 
1620
        local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
-
 
1621
        local-zone: "$HOSTNAME" static
-
 
1622
        local-data: "$HOSTNAME A $PRIVATE_IP"
-
 
1623
        local-zone: "$DOMAIN." static
-
 
1624
        local-data: "$DOMAIN. A"
-
 
1625
EOF
-
 
1626
 
-
 
1627
        # Configuration file for lo of forward unbound
-
 
1628
        cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
-
 
1629
server:
-
 
1630
        interface: 127.0.0.1@53
-
 
1631
        access-control-view: 127.0.0.1/8 lo
-
 
1632
 
-
 
1633
view:
-
 
1634
        name: "lo"
-
 
1635
        local-zone: "$HOSTNAME.$DOMAIN" static
-
 
1636
        local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
-
 
1637
        local-zone: "$HOSTNAME" static
-
 
1638
        local-data: "$HOSTNAME A 127.0.0.1"
-
 
1639
        local-zone: "$DOMAIN." static
-
 
1640
        local-data: "$DOMAIN. A"
-
 
1641
        view-first: yes
-
 
1642
EOF
-
 
1643
 
-
 
1644
        # Configuration file for $INTIF of forward unbound
-
 
1645
        cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
-
 
1646
server:
-
 
1647
        interface: ${PRIVATE_IP}@53
-
 
1648
        access-control-view: $PRIVATE_NETWORK_MASK $INTIF
-
 
1649
 
-
 
1650
view:
-
 
1651
        name: "$INTIF"
-
 
1652
        local-zone: "$HOSTNAME.$DOMAIN" static
-
 
1653
        local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
-
 
1654
        local-zone: "$HOSTNAME" static
-
 
1655
        local-data: "$HOSTNAME A $PRIVATE_IP"
-
 
1656
        view-first: yes
-
 
1657
EOF
-
 
1658
 
-
 
1659
        # Configuration file for forward unbound
-
 
1660
        cat << EOF > /etc/unbound/unbound.conf
-
 
1661
server:
-
 
1662
        verbosity: 1
-
 
1663
        hide-version: yes
-
 
1664
        hide-identity: yes
-
 
1665
        do-ip6: no
-
 
1666
 
-
 
1667
        include: /etc/unbound/conf.d/common/forward-zone.conf
-
 
1668
        include: /etc/unbound/conf.d/common/local-forward/*
-
 
1669
        include: /etc/unbound/conf.d/common/local-dns/*
-
 
1670
        include: /etc/unbound/conf.d/forward/*
-
 
1671
EOF
-
 
1672
 
-
 
1673
        # Configuration file for $INTIF of blacklist unbound
-
 
1674
        cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
-
 
1675
server:
-
 
1676
        interface: ${PRIVATE_IP}@54
-
 
1677
        access-control: $PRIVATE_IP_MASK allow
-
 
1678
        access-control-tag: $PRIVATE_IP_MASK "blacklist"
-
 
1679
        access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
-
 
1680
        access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
-
 
1681
EOF
-
 
1682
 
-
 
1683
        # Configuration file for blacklist unbound
-
 
1684
        cat << EOF > /etc/unbound/unbound-blacklist.conf
-
 
1685
server:
-
 
1686
        verbosity: 1
-
 
1687
        hide-version: yes
-
 
1688
        hide-identity: yes
-
 
1689
        do-ip6: no
-
 
1690
        logfile: "/var/log/unbound/unbound-blacklist.log"
-
 
1691
        chroot: ""
-
 
1692
        define-tag: "blacklist"
-
 
1693
        log-local-actions: yes
-
 
1694
 
-
 
1695
        include: /etc/unbound/conf.d/common/forward-zone.conf
-
 
1696
        include: /etc/unbound/conf.d/common/local-forward/*
-
 
1697
        include: /etc/unbound/conf.d/common/local-dns/*
-
 
1698
        include: /etc/unbound/conf.d/blacklist/*
-
 
1699
 
-
 
1700
        include: /usr/local/share/unbound-bl-enabled/*
-
 
1701
EOF
-
 
1702
 
-
 
1703
        # Configuration file for $INTIF of whitelist unbound
-
 
1704
        cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
-
 
1705
server:
-
 
1706
        interface: ${PRIVATE_IP}@55
-
 
1707
        access-control: $PRIVATE_IP_MASK allow
-
 
1708
        access-control-tag: $PRIVATE_IP_MASK "whitelist"
-
 
1709
        access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1654
# the main instance should start after network and chilli (which create tun0)
1710
        access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
-
 
1711
EOF
-
 
1712
 
-
 
1713
        # Configuration file for whitelist unbound
-
 
1714
        cat << EOF > /etc/unbound/unbound-whitelist.conf
-
 
1715
server:
-
 
1716
        verbosity: 1
-
 
1717
        hide-version: yes
-
 
1718
        hide-identity: yes
-
 
1719
        do-ip6: no
-
 
1720
        do-not-query-localhost: no
-
 
1721
        define-tag: "whitelist"
-
 
1722
 
-
 
1723
        local-zone: "." transparent
-
 
1724
        local-zone-tag: "." "whitelist"
-
 
1725
 
-
 
1726
        include: /usr/local/share/unbound-wl-enabled/*
-
 
1727
        include: /etc/unbound/conf.d/whitelist/*
-
 
1728
        include: /etc/unbound/conf.d/common/local-dns/*
-
 
1729
        include: /etc/unbound/conf.d/common/local-forward/*
-
 
1730
 
-
 
1731
forward-zone:
-
 
1732
        name: "."
-
 
1733
        forward-addr: 127.0.0.1@55
-
 
1734
EOF
-
 
1735
 
-
 
1736
        # Configuration file for $INTIF of blackhole unbound
-
 
1737
        cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
-
 
1738
server:
-
 
1739
        interface: ${PRIVATE_IP}@56
-
 
1740
        access-control-view: $PRIVATE_NETWORK_MASK $INTIF
-
 
1741
 
-
 
1742
view:
-
 
1743
        name: "$INTIF"
-
 
1744
        local-zone: "." redirect
-
 
1745
        local-data: ". A $PRIVATE_IP"
-
 
1746
EOF
-
 
1747
 
-
 
1748
        # Configuration file for blackhole unbound
-
 
1749
        cat << EOF > /etc/unbound/unbound-blackhole.conf
-
 
1750
server:
-
 
1751
        verbosity: 1
-
 
1752
        hide-version: yes
-
 
1753
        hide-identity: yes
-
 
1754
        do-ip6: no
-
 
1755
 
-
 
1756
        include: /etc/unbound/conf.d/blackhole/*
-
 
1757
        include: /etc/unbound/conf.d/common/local-dns/*
-
 
1758
        include: /etc/unbound/conf.d/common/local-forward/*
-
 
1759
EOF
-
 
1760
 
-
 
1761
        if [ ! -e /lib/systemd/system/unbound.service.default ]
-
 
1762
        then
1655
        [ -e /lib/systemd/system/dnsmasq.service.default ] || cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1763
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
-
 
1764
        fi
1656
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1765
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1657
# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
1766
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
-
 
1767
 
1658
        for list in blacklist whitelist blackhole
1768
        for list in blacklist blackhole whitelist
1659
        do
1769
        do
1660
                cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
1770
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1661
                $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
1771
                $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1662
                $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
1772
                $SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1663
        done
1773
        done
-
 
1774
 
-
 
1775
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1664
} # End dnsmasq
1776
} # End unbound
1665
 
1777
 
1666
##########################################################
1778
##########################################################
1667
##                      Function "BL"                   ##
1779
##                      Function "BL"                   ##
1668
## - copy Toulouse BL                                   ##
1780
## - copy Toulouse BL                                   ##
1669
## - adapt this BL to ALCASAR architecture              ##
1781
## - adapt this BL to ALCASAR architecture              ##
1670
##     - domain names for dnsmasq-bl & dnasmasq-wl      ##
1782
##     - domain names for unbound-bl & unbound-wl       ##
1671
##     - URLs for E²guardian                            ##
1783
##     - URLs for E²guardian                            ##
1672
##     - IPs for NetFilter                              ##
1784
##     - IPs for NetFilter                              ##
1673
##########################################################
1785
##########################################################
1674
BL ()
1786
BL ()
1675
{
1787
{
Line 1843... Line 1955...
1843
        useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1955
        useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1844
        usermod -a -G dialout gammu_smsd
1956
        usermod -a -G dialout gammu_smsd
1845
 
1957
 
1846
# Create 'gammu' database
1958
# Create 'gammu' database
1847
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1959
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1848
        $MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1960
        $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1849
# Add a gammu database structure
1961
# Add a gammu database structure
1850
        mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1962
        /usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1851
 
1963
 
1852
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1964
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1853
        cat << EOF > /etc/gammurc
1965
        cat << EOF > /etc/gammurc
1854
[gammu]
1966
[gammu]
1855
device = /dev/ttyUSB0
1967
device = /dev/ttyUSB0
Line 1970... Line 2082...
1970
 
2082
 
1971
        # Extract acme.sh
2083
        # Extract acme.sh
1972
        tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2084
        tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
1973
 
2085
 
1974
        pwdInstall=$(pwd)
2086
        pwdInstall=$(pwd)
1975
        cd /tmp/acme.sh-*
2087
        cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
1976
 
2088
 
1977
        acmesh_installDir="/opt/acme.sh"
2089
        acmesh_installDir="/opt/acme.sh"
1978
        acmesh_confDir="/usr/local/etc/letsencrypt"
2090
        acmesh_confDir="/usr/local/etc/letsencrypt"
1979
        acmesh_userAgent="ALCASAR"
2091
        acmesh_userAgent="ALCASAR"
1980
 
2092
 
Line 2002... Line 2114...
2002
dateIssued=
2114
dateIssued=
2003
dnsapi=
2115
dnsapi=
2004
dateNextRenewal=
2116
dateNextRenewal=
2005
EOF
2117
EOF
2006
 
2118
 
2007
        cd $pwdInstall
2119
        cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2008
        rm -rf /tmp/acme.sh-*
2120
        rm -rf /tmp/acme.sh-*
2009
 
2121
 
2010
} # END letsencrypt()
2122
} # END letsencrypt()
2011
 
2123
 
2012
##################################################################
2124
##################################################################
Line 2025... Line 2137...
2025
        chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2137
        chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2026
        [ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2138
        [ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2027
        $SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2139
        $SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2028
        $SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2140
        $SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2029
# postfix banner anonymisation
2141
# postfix banner anonymisation
2030
        $SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
2142
        $SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2031
        chown -R postfix:postfix /var/lib/postfix
2143
        chown -R postfix:postfix /var/lib/postfix
2032
# sshd liste on EXTIF & INTIF
2144
# sshd liste on EXTIF & INTIF
2033
        $SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2145
        $SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2034
# sshd authorized certificate for root login
2146
# sshd authorized certificate for root login
2035
        $SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2147
        $SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
Line 2050... Line 2162...
2050
        echo "MULTIWAN=off" >> $CONF_FILE
2162
        echo "MULTIWAN=off" >> $CONF_FILE
2051
        echo "FAILOVER=30" >> $CONF_FILE
2163
        echo "FAILOVER=30" >> $CONF_FILE
2052
        echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2164
        echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2053
        echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2165
        echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2054
        echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2166
        echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
-
 
2167
        echo "BL_PUREIP=on" >> $CONF_FILE
-
 
2168
        echo "BL_SAFESEARCH=off" >> $CONF_FILE
-
 
2169
        echo "WL_SAFESEARCH=off" >> $CONF_FILE
2055
# Prompt customisation (colors)
2170
# Prompt customisation (colors)
2056
        [ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2171
        [ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2057
        cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2172
        cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2058
        $SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2173
        $SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2059
# sudoers configuration for "apache" & "sysadmin"
2174
# sudoers configuration for "apache" & "sysadmin"
Line 2066... Line 2181...
2066
# Log compression
2181
# Log compression
2067
        $SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2182
        $SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2068
# actualisation des fichiers logs compressés
2183
# actualisation des fichiers logs compressés
2069
        for dir in firewall e2guardian lighttpd
2184
        for dir in firewall e2guardian lighttpd
2070
        do
2185
        do
2071
                find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
2186
                find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2072
        done
2187
        done
2073
# create the alcasar-load_balancing unit
2188
# create the alcasar-load_balancing unit
2074
        cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2189
        cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2075
#  This file is part of systemd.
2190
#  This file is part of systemd.
2076
#
2191
#
Line 2095... Line 2210...
2095
[Install]
2210
[Install]
2096
WantedBy=multi-user.target
2211
WantedBy=multi-user.target
2097
EOF
2212
EOF
2098
        /usr/bin/systemctl daemon-reload
2213
        /usr/bin/systemctl daemon-reload
2099
# processes launched at boot time (Systemctl)
2214
# processes launched at boot time (Systemctl)
2100
        for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2215
        for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2101
        do
2216
        do
2102
                /usr/bin/systemctl -q enable $i.service
2217
                /usr/bin/systemctl -q enable $i.service
2103
        done
2218
        done
2104
 
2219
 
2105
# disable processes at boot time (Systemctl)
2220
# disable processes at boot time (Systemctl)
2106
        for i in ulogd gpm
2221
        for i in ulogd gpm dhcpd
2107
        do
2222
        do
2108
                /usr/bin/systemctl -q disable $i.service
2223
                /usr/bin/systemctl -q disable $i.service
2109
        done
2224
        done
2110
 
2225
 
2111
# Apply French Security Agency (ANSSI) rules
2226
# Apply French Security Agency (ANSSI) rules
Line 2150... Line 2265...
2150
                $SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2265
                $SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2151
        fi
2266
        fi
2152
        if [ $Lang == "fr" ]
2267
        if [ $Lang == "fr" ]
2153
        then
2268
        then
2154
                echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2269
                echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2155
                echo "Connectez-vous à l'URL 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2270
                echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2156
        else
2271
        else
2157
                echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2272
                echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2158
                echo "Connect to 'https://alcasar.localdomain/acc'" >> /etc/mageia-release
2273
                echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2159
        fi
2274
        fi
2160
        /usr/bin/update-grub2
2275
        /usr/bin/update-grub2
2161
# Load and apply the previous conf file
2276
# Load and apply the previous conf file
2162
        if [ "$mode" = "update" ]
2277
        if [ "$mode" = "update" ]
2163
        then
2278
        then
Line 2172... Line 2287...
2172
        fi
2287
        fi
2173
        rm -f /var/tmp/alcasar-conf*
2288
        rm -f /var/tmp/alcasar-conf*
2174
        chown -R root:apache $DIR_DEST_ETC/*
2289
        chown -R root:apache $DIR_DEST_ETC/*
2175
        chmod -R 660 $DIR_DEST_ETC/*
2290
        chmod -R 660 $DIR_DEST_ETC/*
2176
        chmod ug+x $DIR_DEST_ETC/digest
2291
        chmod ug+x $DIR_DEST_ETC/digest
2177
        cd $DIR_INSTALL
2292
        cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2178
        echo ""
2293
        echo ""
2179
        echo "#############################################################################"
2294
        echo "#############################################################################"
2180
        if [ $Lang == "fr" ]
2295
        if [ $Lang == "fr" ]
2181
                then
2296
                then
2182
                echo "#                        Fin d'installation d'ALCASAR                       #"
2297
                echo "#                        Fin d'installation d'ALCASAR                       #"
Line 2188... Line 2303...
2188
                echo
2303
                echo
2189
                echo "- ALCASAR sera fonctionnel après redémarrage du système"
2304
                echo "- ALCASAR sera fonctionnel après redémarrage du système"
2190
                echo
2305
                echo
2191
                echo "- Lisez attentivement la documentation d'exploitation"
2306
                echo "- Lisez attentivement la documentation d'exploitation"
2192
                echo
2307
                echo
2193
                echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar.localdomain"
2308
                echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2194
                echo
2309
                echo
2195
                echo "                   Appuyez sur 'Entrée' pour continuer"
2310
                echo "                   Appuyez sur 'Entrée' pour continuer"
2196
        else
2311
        else
2197
                echo "#                        End of ALCASAR install process                     #"
2312
                echo "#                        End of ALCASAR install process                     #"
2198
                echo "#                                                                           #"
2313
                echo "#                                                                           #"
Line 2203... Line 2318...
2203
                echo
2318
                echo
2204
                echo "- The system will be rebooted in order to operate ALCASAR"
2319
                echo "- The system will be rebooted in order to operate ALCASAR"
2205
                echo
2320
                echo
2206
                echo "- Read the exploitation documentation"
2321
                echo "- Read the exploitation documentation"
2207
                echo
2322
                echo
2208
                echo "- The ALCASAR Control Center (ACC) is at http://alcasar.localdomain"
2323
                echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2209
                echo
2324
                echo
2210
                echo "                   Hit 'Enter' to continue"
2325
                echo "                   Hit 'Enter' to continue"
2211
        fi
2326
        fi
2212
        sleep 2
2327
        sleep 2
2213
        if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2328
        if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2214
        then
2329
        then
2215
                read a
2330
                read
2216
        fi
2331
        fi
2217
        clear
2332
        clear
2218
        reboot
2333
        reboot
2219
} # End post_install ()
2334
} # End post_install ()
2220
 
2335
 
Line 2226... Line 2341...
2226
then
2341
then
2227
        echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2342
        echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2228
        echo "Launch this program from the ALCASAR archive directory"
2343
        echo "Launch this program from the ALCASAR archive directory"
2229
        exit 0
2344
        exit 0
2230
fi
2345
fi
2231
if [[ $EUID > 0 ]]
2346
if [ $EUID -gt 0 ]
2232
then
2347
then
2233
        echo "Vous devez être "root" pour installer ALCASAR (commande 'su')"
2348
        echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2234
        echo "You must be "root" to install ALCASAR ('su' command)"
2349
        echo "You must be \"root\" to install ALCASAR ('su' command)"
2235
        exit 0
2350
        exit 0
2236
fi
2351
fi
2237
VERSION=`cat $DIR_INSTALL/VERSION`
2352
VERSION=`cat $DIR_INSTALL/VERSION`
2238
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2353
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2239
nb_args=$#
2354
nb_args=$#
Line 2271... Line 2386...
2271
                        fi
2386
                        fi
2272
                fi
2387
                fi
2273
        if [ $DEBUG_ALCASAR == "on" ]
2388
        if [ $DEBUG_ALCASAR == "on" ]
2274
        then
2389
        then
2275
                echo "*** 'debug' : end of cleaning ***"
2390
                echo "*** 'debug' : end of cleaning ***"
2276
                read a
2391
                read
2277
        fi
2392
        fi
2278
# Test if manual update
2393
# Test if manual update
2279
                if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2394
                if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2280
                then
2395
                then
2281
                        header_install
2396
                        header_install
Line 2311... Line 2426...
2311
                        MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2426
                        MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2312
                        MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2427
                        MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2313
                        UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2428
                        UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2314
                        mode="update"
2429
                        mode="update"
2315
                fi
2430
                fi
2316
                for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd msec letsencrypt post_install
2431
                for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound BL cron fail2ban gammu_smsd msec letsencrypt post_install
2317
                do
2432
                do
2318
                        $func
2433
                        $func
2319
                        if [ $DEBUG_ALCASAR == "on" ]
2434
                        if [ $DEBUG_ALCASAR == "on" ]
2320
                                then
2435
                        then
2321
                                echo "*** 'debug' : end of install '$func' ***"
2436
                                echo "*** 'debug' : end of install '$func' ***"
2322
                                read a
2437
                                read
2323
                        fi
2438
                        fi
2324
                done
2439
                done
2325
                ;;
2440
                ;;
2326
        -u | --uninstall)
2441
        -u | --uninstall)
2327
                if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2442
                if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
Line 2357... Line 2472...
2357
                echo "$usage"
2472
                echo "$usage"
2358
                exit 1
2473
                exit 1
2359
                ;;
2474
                ;;
2360
esac
2475
esac
2361
# end of script
2476
# end of script
2362
 
-