Subversion Repositories ALCASAR

Rev

Rev 2709 | Rev 2724 | Go to most recent revision | Only display areas with differences | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 2709 Rev 2711
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2709 2019-03-05 23:20:31Z tom.houdayer $
2
#  $Id: alcasar.sh 2711 2019-03-10 23:23:31Z tom.houdayer $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
 
26
 
27
# Functions :
27
# Functions :
28
#	testing			: connectivity tests, free space test and mageia version test
28
#	testing			: connectivity tests, free space test and mageia version test
29
#	init			: Installation of RPM and scripts
29
#	init			: Installation of RPM and scripts
30
#	network			: Network parameters
30
#	network			: Network parameters
31
#	ACC				: ALCASAR Control Center installation
31
#	ACC				: ALCASAR Control Center installation
32
#	CA				: Certification Authority initialization
32
#	CA				: Certification Authority initialization
33
#	time_server		: NTPd configuration
33
#	time_server		: NTPd configuration
34
#	init_db			: Initilization of radius database managed with MariaDB
34
#	init_db			: Initilization of radius database managed with MariaDB
35
#	freeradius		: FreeRadius initialisation
35
#	freeradius		: FreeRadius initialisation
36
#	chilli			: coovachilli initialisation (+authentication page)
36
#	chilli			: coovachilli initialisation (+authentication page)
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
37
#	e2guardian		: E2Guardian filtering HTTP proxy configuration
38
#	antivirus		: HAVP + libclamav configuration
38
#	antivirus		: HAVP + libclamav configuration
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#	tinyproxy		: little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
40
#	ulogd			: log system in userland (match NFLOG target of iptables)
41
#	nfsen			: Configuration of Nfsen Netflow grapher
41
#	nfsen			: Configuration of Nfsen Netflow grapher
42
#	unbound			: Name server configuration
42
#	unbound			: Name server configuration
43
#	dnsmasq			: Name server configuration (for whitelist ipset support)
43
#	dnsmasq			: Name server configuration (for whitelist ipset support)
44
#	vnstat			: little network stat daemon
44
#	vnstat			: little network stat daemon
45
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
45
#	BL				: Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
46
#	cron			: Logs export + watchdog + connexion statistics
46
#	cron			: Logs export + watchdog + connexion statistics
47
#	fail2ban		: Fail2ban IDS installation and configuration
47
#	fail2ban		: Fail2ban IDS installation and configuration
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
48
#	gammu_smsd		: Autoregister addon via SMS (gammu-smsd)
49
#	msec			: Mandriva security package configuration
49
#	msec			: Mandriva security package configuration
50
#	letsencrypt		: Let's Encrypt client
50
#	letsencrypt		: Let's Encrypt client
51
#	post_install	: Security, log rotation, etc.
51
#	post_install	: Security, log rotation, etc.
52
 
52
 
53
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
53
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR	# Debug mode = wait (hit key) after each function
54
DATE=`date '+%d %B %Y - %Hh%M'`
54
DATE=`date '+%d %B %Y - %Hh%M'`
55
DATE_SHORT=`date '+%d/%m/%Y'`
55
DATE_SHORT=`date '+%d/%m/%Y'`
56
Lang=`echo $LANG|cut -c 1-2`
56
Lang=`echo $LANG|cut -c 1-2`
57
mode="install"
57
mode="install"
58
# ******* Files parameters - paramètres fichiers *********
58
# ******* Files parameters - paramètres fichiers *********
59
DIR_INSTALL=`pwd`						# current directory
59
DIR_INSTALL=`pwd`						# current directory
60
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
60
DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)
61
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
61
DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)
62
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
62
DIR_BLACKLIST="$DIR_INSTALL/blacklist"	# install directory (with blacklist files)
63
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
63
DIR_SAVE="/var/Save"					# backup directory (traceability_log, user_db, security_log)
64
DIR_WEB="/var/www/html"					# directory of Lighttpd
64
DIR_WEB="/var/www/html"					# directory of Lighttpd
65
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
65
DIR_DG="/etc/e2guardian"				# directory of E2Guardian
66
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
66
DIR_ACC="$DIR_WEB/acc"					# directory of the 'ALCASAR Control Center'
67
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
67
DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts
68
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
68
DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files
69
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
69
DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (unbound for instance)
70
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
70
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"	# central ALCASAR conf file
71
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
71
PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets
72
# ******* DBMS parameters - paramètres SGBD ********
72
# ******* DBMS parameters - paramètres SGBD ********
73
DB_RADIUS="radius"						# database name used by FreeRadius server
73
DB_RADIUS="radius"						# database name used by FreeRadius server
74
DB_USER="radius"						# user name allows to request the users database
74
DB_USER="radius"						# user name allows to request the users database
75
DB_GAMMU="gammu"						# database name used by Gammu-smsd
75
DB_GAMMU="gammu"						# database name used by Gammu-smsd
76
# ******* Network parameters - paramètres réseau *******
76
# ******* Network parameters - paramètres réseau *******
77
HOSTNAME="alcasar"						# default hostname
77
HOSTNAME="alcasar"						# default hostname
78
DOMAIN="localdomain"					# default local domain
78
DOMAIN="localdomain"					# default local domain
79
EXTIF=''					# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
79
EXTIF=''					# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
80
INTIF=''					# INTIF is connected to the consultation network
80
INTIF=''					# INTIF is connected to the consultation network
81
MTU="1500"
81
MTU="1500"
82
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
82
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address
83
# ****** Paths - chemin des commandes *******
83
# ****** Paths - chemin des commandes *******
84
SED="/bin/sed -i"
84
SED="/bin/sed -i"
85
# ****************** End of global parameters *********************
85
# ****************** End of global parameters *********************
86
 
86
 
87
license ()
87
license ()
88
{
88
{
89
	if [ $Lang == "fr" ]
89
	if [ $Lang == "fr" ]
90
	then
90
	then
91
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
91
		cat $DIR_INSTALL/gpl-warning.fr.txt | more
92
	else
92
	else
93
		cat $DIR_INSTALL/gpl-warning.txt | more
93
		cat $DIR_INSTALL/gpl-warning.txt | more
94
	fi
94
	fi
95
	response=0
95
	response=0
96
	PTN='^[oOyYnN]$'
96
	PTN='^[oOyYnN]$'
97
	until [[ $(expr $response : $PTN) -gt 0 ]]
97
	until [[ $(expr $response : $PTN) -gt 0 ]]
98
	do
98
	do
99
		if [ $Lang == "fr" ]
99
		if [ $Lang == "fr" ]
100
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
100
			then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
101
			else echo -n "Do you accept the terms of this license (Y/n)? : "
101
			else echo -n "Do you accept the terms of this license (Y/n)? : "
102
		fi
102
		fi
103
		read response
103
		read response
104
	done
104
	done
105
	if [ "$response" = "n" ] || [ "$response" = "N" ]
105
	if [ "$response" = "n" ] || [ "$response" = "N" ]
106
	then
106
	then
107
		exit 1
107
		exit 1
108
	fi
108
	fi
109
}
109
}
110
 
110
 
111
header_install ()
111
header_install ()
112
{
112
{
113
	clear
113
	clear
114
	echo "-----------------------------------------------------------------------------"
114
	echo "-----------------------------------------------------------------------------"
115
	echo "                     ALCASAR V$VERSION Installation"
115
	echo "                     ALCASAR V$VERSION Installation"
116
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
117
	echo "-----------------------------------------------------------------------------"
117
	echo "-----------------------------------------------------------------------------"
118
}
118
}
119
 
119
 
120
########################################################
120
########################################################
121
##                  Function "testing"                ##
121
##                  Function "testing"                ##
122
## - Test Mageia version                              ##
122
## - Test Mageia version                              ##
123
## - Test ALCASAR version (if already installed)      ##
123
## - Test ALCASAR version (if already installed)      ##
124
## - Test free space on /var  (>10G)                  ##
124
## - Test free space on /var  (>10G)                  ##
125
## - Test Internet access                             ##
125
## - Test Internet access                             ##
126
########################################################
126
########################################################
127
testing ()
127
testing ()
128
{
128
{
129
# Test of Mageia version
129
# Test of Mageia version
130
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
# extract the current Mageia version and hardware architecture (i586 ou X64)
131
	fic=`cat /etc/product.id`
131
	fic=`cat /etc/product.id`
132
	unknown_os=0
132
	unknown_os=0
133
	old="$IFS"
133
	old="$IFS"
134
	IFS=","
134
	IFS=","
135
	set $fic
135
	set $fic
136
	for i in "$@"
136
	for i in "$@"
137
	do
137
	do
138
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
		if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
139
			then
139
			then
140
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
			DISTRIBUTION=`echo $i|cut -d"=" -f2`
141
			unknown_os=`expr $unknown_os + 1`
141
			unknown_os=`expr $unknown_os + 1`
142
		fi
142
		fi
143
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
143
		if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
144
			then
144
			then
145
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
145
			CURRENT_VERSION=`echo $i|cut -d"=" -f2`
146
			unknown_os=`expr $unknown_os + 1`
146
			unknown_os=`expr $unknown_os + 1`
147
		fi
147
		fi
148
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
148
		if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
149
			then
149
			then
150
			ARCH=`echo $i|cut -d"=" -f2`
150
			ARCH=`echo $i|cut -d"=" -f2`
151
			unknown_os=`expr $unknown_os + 1`
151
			unknown_os=`expr $unknown_os + 1`
152
		fi
152
		fi
153
	done
153
	done
154
	if [ "$ARCH" != "x86_64" ]
154
	if [ "$ARCH" != "x86_64" ]
155
		then
155
		then
156
		if [ $Lang == "fr" ]
156
		if [ $Lang == "fr" ]
157
			then echo "Votre architecture matérielle doit être en 64bits"
157
			then echo "Votre architecture matérielle doit être en 64bits"
158
			else echo "You hardware architecture must be 64bits"
158
			else echo "You hardware architecture must be 64bits"
159
		fi
159
		fi
160
		exit 1
160
		exit 1
161
	fi
161
	fi
162
	IFS="$old"
162
	IFS="$old"
163
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
163
	if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
164
	then
164
	then
165
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
165
		if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
166
			then
166
			then
167
			echo
167
			echo
168
			if [ $Lang == "fr" ]
168
			if [ $Lang == "fr" ]
169
				then
169
				then
170
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
170
				echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
171
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
171
				echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
172
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
172
				echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
173
				echo "3 - Importez votre base des usagers"
173
				echo "3 - Importez votre base des usagers"
174
			else
174
			else
175
				echo "The automatic update of ALCASAR can't be performed."
175
				echo "The automatic update of ALCASAR can't be performed."
176
				echo "1 - Save your traceability files and the user database"
176
				echo "1 - Save your traceability files and the user database"
177
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
177
				echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
178
				echo "3 - Import your users database"
178
				echo "3 - Import your users database"
179
			fi
179
			fi
180
		else
180
		else
181
			if [ $Lang == "fr" ]
181
			if [ $Lang == "fr" ]
182
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
182
				then echo "L'installation d'ALCASAR ne peut pas être réalisée."
183
				else echo "The installation of ALCASAR can't be performed."
183
				else echo "The installation of ALCASAR can't be performed."
184
			fi
184
			fi
185
		fi
185
		fi
186
		echo
186
		echo
187
		if [ $Lang == "fr" ]
187
		if [ $Lang == "fr" ]
188
			then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
188
			then echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
189
			else echo "The OS must be replaced (Mageia6-64bits)"
189
			else echo "The OS must be replaced (Mageia6-64bits)"
190
		fi
190
		fi
191
		exit 1
191
		exit 1
192
	fi
192
	fi
193
 
193
 
194
# Test if ALCASAR is already installed
194
# Test if ALCASAR is already installed
195
	if [ -e $CONF_FILE ]
195
	if [ -e $CONF_FILE ]
196
	then
196
	then
197
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
197
		current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
198
		if [ $Lang == "fr" ]
198
		if [ $Lang == "fr" ]
199
			then echo "La version $current_version d'ALCASAR est déjà installée"
199
			then echo "La version $current_version d'ALCASAR est déjà installée"
200
			else echo "ALCASAR version $current_version is already installed"
200
			else echo "ALCASAR version $current_version is already installed"
201
		fi
201
		fi
202
		response=0
202
		response=0
203
		PTN='^[12]$'
203
		PTN='^[12]$'
204
		until [[ $(expr $response : $PTN) -gt 0 ]]
204
		until [[ $(expr $response : $PTN) -gt 0 ]]
205
		do
205
		do
206
			if [ $Lang == "fr" ]
206
			if [ $Lang == "fr" ]
207
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
207
				then echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
208
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
208
				else echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
209
			fi
209
			fi
210
			read response
210
			read response
211
		done
211
		done
212
		if [ "$response" = "2" ]
212
		if [ "$response" = "2" ]
213
		then
213
		then
214
			rm -f /var/tmp/alcasar-conf*
214
			rm -f /var/tmp/alcasar-conf*
215
		else
215
		else
216
# Retrieve former NICname
216
# Retrieve former NICname
217
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
217
			EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`	# EXTernal InterFace
218
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
218
			INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`	# INTernal InterFace
219
			[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
219
			[ "$(/usr/sbin/ip link | grep -c " $EXTIF_saved:")" -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
220
			[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
220
			[ "$(/usr/sbin/ip link | grep -c " $INTIF_saved:")" -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
221
# Create the current conf file
221
# Create the current conf file
222
			$DIR_SCRIPTS/alcasar-conf.sh --create
222
			$DIR_SCRIPTS/alcasar-conf.sh --create
223
			mode="update"
223
			mode="update"
224
		fi
224
		fi
225
	fi
225
	fi
226
# Test free space on /var
226
# Test free space on /var
227
	if [ ! -d /var/log/netflow/porttracker ]
227
	if [ ! -d /var/log/netflow/porttracker ]
228
		then
228
		then
229
		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
229
		free_space=`df -BG --output=avail /var|tail -1|tr -d '[:space:]G'`
230
		if [ $free_space -lt 10 ]
230
		if [ $free_space -lt 10 ]
231
			then
231
			then
232
			if [ $Lang == "fr" ]
232
			if [ $Lang == "fr" ]
233
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
233
				then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
234
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
234
				else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
235
			fi
235
			fi
236
		exit 0
236
		exit 0
237
		fi
237
		fi
238
	fi
238
	fi
239
 
239
 
240
# Detect external/internal interfaces
240
# Detect external/internal interfaces
241
	if [ -z "$EXTIF" ]; then
241
	if [ -z "$EXTIF" ]; then
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
242
		EXTIF=$(/usr/sbin/ip route list | awk '/^default / {print $5}')
243
		if [ -z "$EXTIF" ]; then
243
		if [ -z "$EXTIF" ]; then
244
			if [ "$Lang" == 'fr' ]
244
			if [ "$Lang" == 'fr' ]
245
				then echo -n "Aucune passerelle par défaut configurée"
245
				then echo -n "Aucune passerelle par défaut configurée"
246
				else echo -n "No default gateway configured"
246
				else echo -n "No default gateway configured"
247
			fi
247
			fi
248
			exit 1
248
			exit 1
249
		fi
249
		fi
250
	fi
250
	fi
251
	if [ "$Lang" == 'fr' ]
251
	if [ "$Lang" == 'fr' ]
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
252
		then echo "Interface externe (Internet) utilisée : $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
253
		else echo "External interface (Internet) used: $EXTIF"
254
	fi
254
	fi
255
 
255
 
256
	if [ -z "$INTIF" ]; then
256
	if [ -z "$INTIF" ]; then
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
		interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
		interfacesCount=$(echo "$interfacesList" | wc -l)
258
		interfacesCount=$(echo "$interfacesList" | wc -l)
259
		if [ $interfacesCount -eq 0 ]; then
259
		if [ $interfacesCount -eq 0 ]; then
260
			if [ "$Lang" == 'fr' ]
260
			if [ "$Lang" == 'fr' ]
261
				then echo "Aucune interface de disponible pour le réseau interne"
261
				then echo "Aucune interface de disponible pour le réseau interne"
262
				else echo "No interface available for the internal network"
262
				else echo "No interface available for the internal network"
263
			fi
263
			fi
264
			exit 1
264
			exit 1
265
		elif [ $interfacesCount -eq 1 ]; then
265
		elif [ $interfacesCount -eq 1 ]; then
266
			INTIF="$interfacesList"
266
			INTIF="$interfacesList"
267
		else
267
		else
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
			interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
			interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
 
270
 
271
			if [ "$Lang" == 'fr' ]
271
			if [ "$Lang" == 'fr' ]
272
				then echo 'Liste des interfaces disponible :'
272
				then echo 'Liste des interfaces disponible :'
273
				else echo 'List of available interfaces:'
273
				else echo 'List of available interfaces:'
274
			fi
274
			fi
275
			echo "$interfacesSorted"
275
			echo "$interfacesSorted"
276
			response=''
276
			response=''
277
			while true; do
277
			while true; do
278
				if [ "$Lang" == 'fr' ]
278
				if [ "$Lang" == 'fr' ]
279
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
279
					then echo -n "Choix de l'interface interne ? [$interfacePreferred] "
280
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
280
					else echo -n "Choice of internal interface ? [$interfacePreferred] "
281
				fi
281
				fi
282
				read response
282
				read response
283
 
283
 
284
				[ -z "$response" ] && response="$interfacePreferred"
284
				[ -z "$response" ] && response="$interfacePreferred"
285
 
285
 
286
				# Check if interface exist
286
				# Check if interface exist
287
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
287
				if [ "$(echo "$interfacesList" | grep -c "^$response\$")" -eq 1 ]; then
288
					INTIF="$response"
288
					INTIF="$response"
289
					break
289
					break
290
				else
290
				else
291
					if [ "$Lang" == 'fr' ]
291
					if [ "$Lang" == 'fr' ]
292
						then echo "Interface \"$response\" introuvable"
292
						then echo "Interface \"$response\" introuvable"
293
						else echo "Interface \"$response\" not found"
293
						else echo "Interface \"$response\" not found"
294
					fi
294
					fi
295
				fi
295
				fi
296
			done
296
			done
297
		fi
297
		fi
298
	fi
298
	fi
299
	if [ "$Lang" == 'fr' ]
299
	if [ "$Lang" == 'fr' ]
300
		then echo "Interface interne utilisée : $INTIF"
300
		then echo "Interface interne utilisée : $INTIF"
301
		else echo "Internal interface used: $INTIF"
301
		else echo "Internal interface used: $INTIF"
302
	fi
302
	fi
303
 
303
 
304
	if [ $Lang == "fr" ]
304
	if [ $Lang == "fr" ]
305
		then echo -n "Tests des paramètres réseau : "
305
		then echo -n "Tests des paramètres réseau : "
306
		else echo -n "Network parameters tests: "
306
		else echo -n "Network parameters tests: "
307
	fi
307
	fi
308
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
308
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
309
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
309
	cd /etc/sysconfig/network-scripts/ || { echo "Unable to find /etc/sysconfig/network-scripts directory"; exit 1; }
310
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
310
	IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
311
	for i in $IF_INTERFACES
311
	for i in $IF_INTERFACES
312
	do
312
	do
313
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
313
		if [ "$(/usr/sbin/ip link | grep -c " $i:")" -eq 0 ]; then
314
			rm -f ifcfg-$i
314
			rm -f ifcfg-$i
315
 
315
 
316
			if [ $Lang == "fr" ]
316
			if [ $Lang == "fr" ]
317
				then echo "Suppression : ifcfg-$i"
317
				then echo "Suppression : ifcfg-$i"
318
				else echo "Deleting: ifcfg-$i"
318
				else echo "Deleting: ifcfg-$i"
319
			fi
319
			fi
320
		fi
320
		fi
321
	done
321
	done
322
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
322
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
323
	echo -n "."
323
	echo -n "."
324
# Test Ethernet NIC links state
324
# Test Ethernet NIC links state
325
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
325
	interfacesDown=$(/usr/sbin/ip -br link | grep "^\($EXTIF\|$INTIF\) " | grep 'NO-CARRIER' | cut -d' ' -f1)
326
	if [ ! -z "$interfacesDown" ]; then
326
	if [ ! -z "$interfacesDown" ]; then
327
		for i in $interfacesDown; do
327
		for i in $interfacesDown; do
328
			if [ $Lang == "fr" ]
328
			if [ $Lang == "fr" ]
329
			then
329
			then
330
				echo -e "\nÉchec"
330
				echo -e "\nÉchec"
331
				echo "Le lien réseau de la carte $i n'est pas actif."
331
				echo "Le lien réseau de la carte $i n'est pas actif."
332
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
332
				echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
333
			else
333
			else
334
				echo -e "\nFailed"
334
				echo -e "\nFailed"
335
				echo "The link state of $i interface is down."
335
				echo "The link state of $i interface is down."
336
				echo "Make sure that this network card is connected to a switch or an A.P."
336
				echo "Make sure that this network card is connected to a switch or an A.P."
337
			fi
337
			fi
338
		done
338
		done
339
		exit 1
339
		exit 1
340
	fi
340
	fi
341
	echo -n "."
341
	echo -n "."
342
# Test EXTIF config files
342
# Test EXTIF config files
343
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
343
	PUBLIC_IP_MASK=`/usr/sbin/ip addr show $EXTIF | grep '^\s*inet\s' | awk '{ print $2 }'`
344
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
344
	PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d'/' -f1`
345
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
345
	PUBLIC_GATEWAY=`/usr/sbin/ip route list | awk -v EXTIF="$EXTIF" '(/^default / && $5 == EXTIF) {print $3}'`
346
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
346
	if [ "$(echo $PUBLIC_IP|wc -c)" -lt 7 ] || [ "$(echo $PUBLIC_GATEWAY|wc -c)" -lt 7 ]
347
	then
347
	then
348
		if [ $Lang == "fr" ]
348
		if [ $Lang == "fr" ]
349
		then
349
		then
350
			echo -e "\nÉchec"
350
			echo -e "\nÉchec"
351
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
351
			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
352
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
352
			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
353
			echo "Appliquez les changements : 'systemctl restart network'"
353
			echo "Appliquez les changements : 'systemctl restart network'"
354
		else
354
		else
355
			echo -e "\nFailed"
355
			echo -e "\nFailed"
356
			echo "The Internet connected network card ($EXTIF) isn't well configured."
356
			echo "The Internet connected network card ($EXTIF) isn't well configured."
357
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
357
			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
358
			echo "Apply the new configuration: 'systemctl restart network'"
358
			echo "Apply the new configuration: 'systemctl restart network'"
359
		fi
359
		fi
360
		echo "DEVICE=$EXTIF"
360
		echo "DEVICE=$EXTIF"
361
		echo "IPADDR="
361
		echo "IPADDR="
362
		echo "NETMASK="
362
		echo "NETMASK="
363
		echo "GATEWAY="
363
		echo "GATEWAY="
364
		echo "DNS1="
364
		echo "DNS1="
365
		echo "DNS2="
365
		echo "DNS2="
366
		echo "ONBOOT=yes"
366
		echo "ONBOOT=yes"
367
		exit 1
367
		exit 1
368
	fi
368
	fi
369
	echo -n "."
369
	echo -n "."
370
# Test if default GW is set on EXTIF (router or ISP provider equipment)
370
# Test if default GW is set on EXTIF (router or ISP provider equipment)
371
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
371
	if [ "$(/usr/sbin/ip route list|grep " $EXTIF "|grep -c '^default ')" -ne 1 ] ; then
372
		if [ $Lang == "fr" ]
372
		if [ $Lang == "fr" ]
373
		then
373
		then
374
			echo -e "\nÉchec"
374
			echo -e "\nÉchec"
375
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
375
			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
376
			echo "Réglez ce problème puis relancez ce script."
376
			echo "Réglez ce problème puis relancez ce script."
377
		else
377
		else
378
			echo -e "\nFailed"
378
			echo -e "\nFailed"
379
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
379
			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
380
			echo "Resolv this problem, then restart this script."
380
			echo "Resolv this problem, then restart this script."
381
		fi
381
		fi
382
		exit 1
382
		exit 1
383
	fi
383
	fi
384
	echo -n "."
384
	echo -n "."
385
# Test if default GW is alive
385
# Test if default GW is alive
386
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
386
	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
387
	if [ "$(expr $arp_reply)" -eq 0 ]
387
	if [ "$(expr $arp_reply)" -eq 0 ]
388
		then
388
		then
389
		if [ $Lang == "fr" ]
389
		if [ $Lang == "fr" ]
390
		then
390
		then
391
			echo -e "\nÉchec"
391
			echo -e "\nÉchec"
392
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
392
			echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
393
			echo "Réglez ce problème puis relancez ce script."
393
			echo "Réglez ce problème puis relancez ce script."
394
		else
394
		else
395
			echo -e "\nFailed"
395
			echo -e "\nFailed"
396
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
396
			echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
397
			echo "Resolv this problem, then restart this script."
397
			echo "Resolv this problem, then restart this script."
398
		fi
398
		fi
399
		exit 1
399
		exit 1
400
	fi
400
	fi
401
	echo -n "."
401
	echo -n "."
402
# Test Internet connectivity
402
# Test Internet connectivity
403
	domainTested='www.google.com'
403
	domainTested='www.google.com'
404
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
404
	/usr/bin/curl -s --head "$domainTested" &>/dev/null
405
	if [ $? -ne 0 ]; then
405
	if [ $? -ne 0 ]; then
406
		if [ $Lang == "fr" ]
406
		if [ $Lang == "fr" ]
407
		then
407
		then
408
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
408
			echo -e "\nLa tentative de connexion vers Internet a échoué ($domainTested)."
409
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
409
			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
410
			echo "Vérifiez la validité des adresses IP des DNS."
410
			echo "Vérifiez la validité des adresses IP des DNS."
411
		else
411
		else
412
			echo -e "\nThe Internet connection try failed ($domainTested)."
412
			echo -e "\nThe Internet connection try failed ($domainTested)."
413
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
413
			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
414
			echo "Verify the DNS IP addresses"
414
			echo "Verify the DNS IP addresses"
415
		fi
415
		fi
416
		exit 1
416
		exit 1
417
	fi
417
	fi
418
	echo ". : ok"
418
	echo ". : ok"
419
} # end of testing ()
419
} # end of testing ()
420
 
420
 
421
#######################################################################
421
#######################################################################
422
##                    Function "init"                                ##
422
##                    Function "init"                                ##
423
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
423
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
424
## - Creation of random password for GRUB, mariadb (admin and user)  ##
424
## - Creation of random password for GRUB, mariadb (admin and user)  ##
425
#######################################################################
425
#######################################################################
426
init ()
426
init ()
427
{
427
{
428
	if [ "$mode" != "update" ]
428
	if [ "$mode" != "update" ]
429
	then
429
	then
430
# On affecte le nom d'organisme
430
# On affecte le nom d'organisme
431
		header_install
431
		header_install
432
		ORGANISME=!
432
		ORGANISME=!
433
		PTN='^[a-zA-Z0-9-]*$'
433
		PTN='^[a-zA-Z0-9-]*$'
434
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
434
		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
435
		do
435
		do
436
			if [ $Lang == "fr" ]
436
			if [ $Lang == "fr" ]
437
				then echo -n "Entrez le nom de votre organisme : "
437
				then echo -n "Entrez le nom de votre organisme : "
438
				else echo -n "Enter the name of your organism : "
438
				else echo -n "Enter the name of your organism : "
439
			fi
439
			fi
440
			read ORGANISME
440
			read ORGANISME
441
			if [ "$ORGANISME" == "" ]
441
			if [ "$ORGANISME" == "" ]
442
			then
442
			then
443
				ORGANISME=!
443
				ORGANISME=!
444
			fi
444
			fi
445
		done
445
		done
446
	fi
446
	fi
447
# On crée aléatoirement les mots de passe et les secrets partagés
447
# On crée aléatoirement les mots de passe et les secrets partagés
448
# We create random passwords and shared secrets
448
# We create random passwords and shared secrets
449
	rm -f $PASSWD_FILE
449
	rm -f $PASSWD_FILE
450
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
450
	echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
451
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
451
	grub2pwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c8`
452
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
452
	pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
453
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
453
		LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
454
		grep -v '[eE]nter password:' | \
454
		grep -v '[eE]nter password:' | \
455
		sed -e "s/PBKDF2 hash of your password is //"`
455
		sed -e "s/PBKDF2 hash of your password is //"`
456
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
456
	echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
457
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
457
	[ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
458
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
458
	cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
459
	chmod 0600 /boot/grub2/user.cfg
459
	chmod 0600 /boot/grub2/user.cfg
460
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
460
	echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
461
	echo "GRUB2_user=root" >> $PASSWD_FILE
461
	echo "GRUB2_user=root" >> $PASSWD_FILE
462
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
462
	echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
463
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
463
	mysqlpwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
464
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
464
	echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
465
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
465
	echo "db_root=$mysqlpwd" >> $PASSWD_FILE
466
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
466
	radiuspwd=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
467
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
467
	echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
468
	echo "db_user=$DB_USER" >> $PASSWD_FILE
468
	echo "db_user=$DB_USER" >> $PASSWD_FILE
469
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
469
	echo "db_password=$radiuspwd" >> $PASSWD_FILE
470
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
470
	secretuam=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
471
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
471
	echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
472
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
472
	echo "secret_uam=$secretuam" >> $PASSWD_FILE
473
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
473
	secretradius=`cat /dev/urandom | tr -dc '[:alnum:]' | head -c16`
474
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
474
	echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
475
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
475
	echo "secret_radius=$secretradius" >> $PASSWD_FILE
476
	chmod 640 $PASSWD_FILE
476
	chmod 640 $PASSWD_FILE
477
#  copy scripts in in /usr/local/bin
477
#  copy scripts in in /usr/local/bin
478
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
478
	cp -fr $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown -R root:root $DIR_DEST_BIN/alcasar* ; chmod -R 740 $DIR_DEST_BIN/alcasar*
479
#  copy conf files in /usr/local/etc
479
#  copy conf files in /usr/local/etc
480
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
480
	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
481
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
481
	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
482
# generate central conf file
482
# generate central conf file
483
	cat <<EOF > $CONF_FILE
483
	cat <<EOF > $CONF_FILE
484
##########################################
484
##########################################
485
##                                      ##
485
##                                      ##
486
##          ALCASAR Parameters          ##
486
##          ALCASAR Parameters          ##
487
##                                      ##
487
##                                      ##
488
##########################################
488
##########################################
489
 
489
 
490
INSTALL_DATE=$DATE
490
INSTALL_DATE=$DATE
491
VERSION=$VERSION
491
VERSION=$VERSION
492
ORGANISM=$ORGANISME
492
ORGANISM=$ORGANISME
493
HOSTNAME=$HOSTNAME
493
HOSTNAME=$HOSTNAME
494
DOMAIN=$DOMAIN
494
DOMAIN=$DOMAIN
495
EOF
495
EOF
496
	chmod o-rwx $CONF_FILE
496
	chmod o-rwx $CONF_FILE
497
} # End of init ()
497
} # End of init ()
498
 
498
 
499
#########################################################
499
#########################################################
500
##                    Function "network"               ##
500
##                    Function "network"               ##
501
## - Define the several network address                ##
501
## - Define the several network address                ##
502
## - Define the DNS naming                             ##
502
## - Define the DNS naming                             ##
503
## - INTIF parameters (consultation network)           ##
503
## - INTIF parameters (consultation network)           ##
504
## - Write "/etc/hosts" file                           ##
504
## - Write "/etc/hosts" file                           ##
505
## - write "hosts.allow" & "hosts.deny" files          ##
505
## - write "hosts.allow" & "hosts.deny" files          ##
506
#########################################################
506
#########################################################
507
network ()
507
network ()
508
{
508
{
509
	header_install
509
	header_install
510
	if [ "$mode" != "update" ]
510
	if [ "$mode" != "update" ]
511
		then
511
		then
512
		if [ $Lang == "fr" ]
512
		if [ $Lang == "fr" ]
513
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
513
			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
514
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
514
			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
515
		fi
515
		fi
516
		response=0
516
		response=0
517
		PTN='^[oOyYnN]$'
517
		PTN='^[oOyYnN]$'
518
		until [[ $(expr $response : $PTN) -gt 0 ]]
518
		until [[ $(expr $response : $PTN) -gt 0 ]]
519
		do
519
		do
520
			if [ $Lang == "fr" ]
520
			if [ $Lang == "fr" ]
521
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
521
				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
522
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
522
				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
523
			fi
523
			fi
524
			read response
524
			read response
525
		done
525
		done
526
		if [ "$response" = "n" ] || [ "$response" = "N" ]
526
		if [ "$response" = "n" ] || [ "$response" = "N" ]
527
		then
527
		then
528
			PRIVATE_IP_MASK="0"
528
			PRIVATE_IP_MASK="0"
529
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
529
			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
530
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
530
			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
531
			do
531
			do
532
				if [ $Lang == "fr" ]
532
				if [ $Lang == "fr" ]
533
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
533
					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
534
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
534
					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
535
				fi
535
				fi
536
				read PRIVATE_IP_MASK
536
				read PRIVATE_IP_MASK
537
			done
537
			done
538
		else
538
		else
539
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
539
			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
540
		fi
540
		fi
541
	else
541
	else
542
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
542
		PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
543
		rm -rf conf/etc/alcasar.conf
543
		rm -rf conf/etc/alcasar.conf
544
	fi
544
	fi
545
# Define LAN side global parameters
545
# Define LAN side global parameters
546
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
546
	hostnamectl set-hostname $HOSTNAME.$DOMAIN
547
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
547
	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)
548
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
548
	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`					# last octet of LAN address
549
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
549
	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)
550
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
550
	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)
551
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
551
	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)
552
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
552
	if [ $PRIVATE_IP == $PRIVATE_NETWORK ]								# when entering network address instead of ip address
553
	then
553
	then
554
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
554
		PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
555
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
555
		PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
556
	fi
556
	fi
557
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
557
	private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`						# last octet of LAN address
558
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
558
	PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`		# second network address (ex.: 192.168.182.2)
559
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
559
	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24
560
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
560
	classe=$((PRIVATE_PREFIX/8))									# ie.: 2=classe B, 3=classe C
561
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
561
	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
562
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
562
	PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` 	# MAC address of INTIF
563
# Define Internet parameters
563
# Define Internet parameters
564
	if [ "$mode" != "update" ]
564
	if [ "$mode" != "update" ]
565
	then
565
	then
566
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
566
		DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`	# 1st DNS server
567
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
567
		DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
568
	else
568
	else
569
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
569
		DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`	# 1st DNS server
570
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
570
		DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`	# 2nd DNS server
571
	fi
571
	fi
572
    DNS1=${DNS1:=208.67.220.220}
572
    DNS1=${DNS1:=208.67.220.220}
573
	DNS2=${DNS2:=208.67.222.222}
573
	DNS2=${DNS2:=208.67.222.222}
574
#	if [ "$DNS1" == "" ]
574
#	if [ "$DNS1" == "" ]
575
#	then
575
#	then
576
#		if [ $Lang == "fr" ]
576
#		if [ $Lang == "fr" ]
577
#		then
577
#		then
578
#			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
578
#			echo "L'adresse IP des serveurs DNS ne sont pas corrects"
579
#			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
579
#			echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
580
#		else
580
#		else
581
#			echo "The IP address of DNS servers are not set correctly"
581
#			echo "The IP address of DNS servers are not set correctly"
582
#			echo "Check the extern network card configuration ($EXTIF)"
582
#			echo "Check the extern network card configuration ($EXTIF)"
583
#		fi
583
#		fi
584
#		exit 0
584
#		exit 0
585
#	fi
585
#	fi
586
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
586
	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
587
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
587
	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
588
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
588
	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
589
# Write network parameters in the conf file
589
# Write network parameters in the conf file
590
	echo "EXTIF=$EXTIF" >> $CONF_FILE
590
	echo "EXTIF=$EXTIF" >> $CONF_FILE
591
	echo "INTIF=$INTIF" >> $CONF_FILE
591
	echo "INTIF=$INTIF" >> $CONF_FILE
592
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
592
	######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
593
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
593
	INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
594
	for i in $INTERFACES
594
	for i in $INTERFACES
595
	do
595
	do
596
		SUB=`echo ${i:0:2}`
596
		SUB=`echo ${i:0:2}`
597
		if [ $SUB = "wl" ]
597
		if [ $SUB = "wl" ]
598
			then WIFIF=$i
598
			then WIFIF=$i
599
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
599
		elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
600
			then LANIF=$i
600
			then LANIF=$i
601
		fi
601
		fi
602
	done
602
	done
603
	if [ -n "$WIFIF" ]
603
	if [ -n "$WIFIF" ]
604
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
604
		then echo "WIFIF=$WIFIF" >> $CONF_FILE
605
	elif [ -n "$LANIF" ]
605
	elif [ -n "$LANIF" ]
606
		then echo "LANIF=$LANIF" >> $CONF_FILE
606
		then echo "LANIF=$LANIF" >> $CONF_FILE
607
	fi
607
	fi
608
	#########################################################################################################
608
	#########################################################################################################
609
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
609
	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
610
	if [ $IP_SETTING == "dhcp" ]
610
	if [ $IP_SETTING == "dhcp" ]
611
	then
611
	then
612
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
612
		echo "PUBLIC_IP=dhcp" >> $CONF_FILE
613
		echo "GW=dhcp" >> $CONF_FILE
613
		echo "GW=dhcp" >> $CONF_FILE
614
	else
614
	else
615
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
615
		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
616
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
616
		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
617
	fi
617
	fi
618
	echo "DNS1=$DNS1" >> $CONF_FILE
618
	echo "DNS1=$DNS1" >> $CONF_FILE
619
	echo "DNS2=$DNS2" >> $CONF_FILE
619
	echo "DNS2=$DNS2" >> $CONF_FILE
620
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
620
	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
621
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
621
	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
622
	echo "DHCP=on" >> $CONF_FILE
622
	echo "DHCP=on" >> $CONF_FILE
623
	echo "EXT_DHCP_IP=" >> $CONF_FILE
623
	echo "EXT_DHCP_IP=" >> $CONF_FILE
624
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
624
	echo "RELAY_DHCP_IP=" >> $CONF_FILE
625
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
625
	echo "RELAY_DHCP_PORT=" >> $CONF_FILE
626
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
626
	echo "INT_DNS_DOMAIN=" >> $CONF_FILE
627
	echo "INT_DNS_IP=" >> $CONF_FILE
627
	echo "INT_DNS_IP=" >> $CONF_FILE
628
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
628
	echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
629
# network default
629
# network default
630
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
630
	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
631
	cat <<EOF > /etc/sysconfig/network
631
	cat <<EOF > /etc/sysconfig/network
632
NETWORKING=yes
632
NETWORKING=yes
633
FORWARD_IPV4=true
633
FORWARD_IPV4=true
634
EOF
634
EOF
635
# write "/etc/hosts"
635
# write "/etc/hosts"
636
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
636
	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
637
	cat <<EOF > /etc/hosts
637
	cat <<EOF > /etc/hosts
638
127.0.0.1	localhost
638
127.0.0.1	localhost
639
$PRIVATE_IP	$HOSTNAME
639
$PRIVATE_IP	$HOSTNAME
640
EOF
640
EOF
641
# write EXTIF (Internet) config
641
# write EXTIF (Internet) config
642
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
642
	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
643
	if [ $IP_SETTING == "dhcp" ]
643
	if [ $IP_SETTING == "dhcp" ]
644
	then
644
	then
645
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
645
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
646
DEVICE=$EXTIF
646
DEVICE=$EXTIF
647
BOOTPROTO=dhcp
647
BOOTPROTO=dhcp
648
DNS1=127.0.0.1
648
DNS1=127.0.0.1
649
PEERDNS=no
649
PEERDNS=no
650
RESOLV_MODS=yes
650
RESOLV_MODS=yes
651
ONBOOT=yes
651
ONBOOT=yes
652
NOZEROCONF=yes
652
NOZEROCONF=yes
653
METRIC=10
653
METRIC=10
654
MII_NOT_SUPPORTED=yes
654
MII_NOT_SUPPORTED=yes
655
IPV6INIT=no
655
IPV6INIT=no
656
IPV6TO4INIT=no
656
IPV6TO4INIT=no
657
ACCOUNTING=no
657
ACCOUNTING=no
658
USERCTL=no
658
USERCTL=no
659
MTU=$MTU
659
MTU=$MTU
660
EOF
660
EOF
661
	else
661
	else
662
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
662
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
663
DEVICE=$EXTIF
663
DEVICE=$EXTIF
664
BOOTPROTO=static
664
BOOTPROTO=static
665
IPADDR=$PUBLIC_IP
665
IPADDR=$PUBLIC_IP
666
NETMASK=$PUBLIC_NETMASK
666
NETMASK=$PUBLIC_NETMASK
667
GATEWAY=$PUBLIC_GATEWAY
667
GATEWAY=$PUBLIC_GATEWAY
668
DNS1=127.0.0.1
668
DNS1=127.0.0.1
669
RESOLV_MODS=yes
669
RESOLV_MODS=yes
670
ONBOOT=yes
670
ONBOOT=yes
671
METRIC=10
671
METRIC=10
672
NOZEROCONF=yes
672
NOZEROCONF=yes
673
MII_NOT_SUPPORTED=yes
673
MII_NOT_SUPPORTED=yes
674
IPV6INIT=no
674
IPV6INIT=no
675
IPV6TO4INIT=no
675
IPV6TO4INIT=no
676
ACCOUNTING=no
676
ACCOUNTING=no
677
USERCTL=no
677
USERCTL=no
678
MTU=$MTU
678
MTU=$MTU
679
EOF
679
EOF
680
	fi
680
	fi
681
# write INTIF (consultation LAN) in normal mode
681
# write INTIF (consultation LAN) in normal mode
682
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
682
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
683
DEVICE=$INTIF
683
DEVICE=$INTIF
684
BOOTPROTO=static
684
BOOTPROTO=static
685
ONBOOT=yes
685
ONBOOT=yes
686
NOZEROCONF=yes
686
NOZEROCONF=yes
687
MII_NOT_SUPPORTED=yes
687
MII_NOT_SUPPORTED=yes
688
IPV6INIT=no
688
IPV6INIT=no
689
IPV6TO4INIT=no
689
IPV6TO4INIT=no
690
ACCOUNTING=no
690
ACCOUNTING=no
691
USERCTL=no
691
USERCTL=no
692
EOF
692
EOF
693
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
693
	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
694
# write INTIF in bypass mode (see "alcasar-bypass.sh")
694
# write INTIF in bypass mode (see "alcasar-bypass.sh")
695
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
695
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
696
DEVICE=$INTIF
696
DEVICE=$INTIF
697
BOOTPROTO=static
697
BOOTPROTO=static
698
IPADDR=$PRIVATE_IP
698
IPADDR=$PRIVATE_IP
699
NETMASK=$PRIVATE_NETMASK
699
NETMASK=$PRIVATE_NETMASK
700
ONBOOT=yes
700
ONBOOT=yes
701
METRIC=10
701
METRIC=10
702
NOZEROCONF=yes
702
NOZEROCONF=yes
703
MII_NOT_SUPPORTED=yes
703
MII_NOT_SUPPORTED=yes
704
IPV6INIT=no
704
IPV6INIT=no
705
IPV6TO4INIT=no
705
IPV6TO4INIT=no
706
ACCOUNTING=no
706
ACCOUNTING=no
707
USERCTL=no
707
USERCTL=no
708
EOF
708
EOF
709
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
709
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
710
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
710
	if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
711
	then
711
	then
712
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
712
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
713
DEVICE=$WIFIF
713
DEVICE=$WIFIF
714
BOOTPROTO=static
714
BOOTPROTO=static
715
ONBOOT=yes
715
ONBOOT=yes
716
NOZEROCONF=yes
716
NOZEROCONF=yes
717
MII_NOT_SUPPORTED=yes
717
MII_NOT_SUPPORTED=yes
718
IPV6INIT=no
718
IPV6INIT=no
719
IPV6TO4INIT=no
719
IPV6TO4INIT=no
720
ACCOUNTING=no
720
ACCOUNTING=no
721
USERCTL=no
721
USERCTL=no
722
EOF
722
EOF
723
	elif [ -n "$LANIF" ]
723
	elif [ -n "$LANIF" ]
724
	then
724
	then
725
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
725
		cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
726
DEVICE=$LANIF
726
DEVICE=$LANIF
727
BOOTPROTO=static
727
BOOTPROTO=static
728
ONBOOT=yes
728
ONBOOT=yes
729
NOZEROCONF=yes
729
NOZEROCONF=yes
730
MII_NOT_SUPPORTED=yes
730
MII_NOT_SUPPORTED=yes
731
IPV6INIT=no
731
IPV6INIT=no
732
IPV6TO4INIT=no
732
IPV6TO4INIT=no
733
ACCOUNTING=no
733
ACCOUNTING=no
734
USERCTL=no
734
USERCTL=no
735
EOF
735
EOF
736
	fi
736
	fi
737
	#########################################################################################################
737
	#########################################################################################################
738
# write hosts.allow & hosts.deny
738
# write hosts.allow & hosts.deny
739
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
739
	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
740
	cat <<EOF > /etc/hosts.allow
740
	cat <<EOF > /etc/hosts.allow
741
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
741
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
742
sshd: ALL
742
sshd: ALL
743
ntpd: $PRIVATE_NETWORK_SHORT
743
ntpd: $PRIVATE_NETWORK_SHORT
744
EOF
744
EOF
745
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
745
	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
746
	cat <<EOF > /etc/hosts.deny
746
	cat <<EOF > /etc/hosts.deny
747
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
747
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
748
EOF
748
EOF
749
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
749
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
750
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
750
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
751
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
751
	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
752
# load conntrack ftp module
752
# load conntrack ftp module
753
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
753
	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
754
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
754
	echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
755
# load ipt_NETFLOW module
755
# load ipt_NETFLOW module
756
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
756
	echo "ipt_NETFLOW" >>  /etc/modprobe.preload
757
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
757
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
758
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
758
	[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
759
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
759
	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
760
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
760
	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
761
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
761
	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
762
#
762
#
763
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
763
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
764
} # End of network ()
764
} # End of network ()
765
 
765
 
766
###################################################
766
###################################################
767
##                  Function "ACC"               ##
767
##                  Function "ACC"               ##
768
## - copy ALCASAR Control Center (ACC) files     ##
768
## - copy ALCASAR Control Center (ACC) files     ##
769
## - configuration of the web server (Lighttpd)  ##
769
## - configuration of the web server (Lighttpd)  ##
770
## - creation of the first ACC admin account     ##
770
## - creation of the first ACC admin account     ##
771
## - secure the ACC access                       ##
771
## - secure the ACC access                       ##
772
###################################################
772
###################################################
773
ACC ()
773
ACC ()
774
{
774
{
775
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
775
	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
776
	mkdir $DIR_WEB
776
	mkdir $DIR_WEB
777
# Copy & adapt ACC files
777
# Copy & adapt ACC files
778
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
778
	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
779
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
779
	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
780
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
780
	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
781
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
781
	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
782
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
782
	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
783
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
783
	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
784
	chown -R apache:apache $DIR_WEB/*
784
	chown -R apache:apache $DIR_WEB/*
785
# copy & adapt "freeradius-web" files
785
# copy & adapt "freeradius-web" files
786
	cp -rf $DIR_CONF/freeradius-web/ /etc/
786
	cp -rf $DIR_CONF/freeradius-web/ /etc/
787
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
787
	[ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
788
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
788
	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
789
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
789
	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
790
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
790
	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
791
	cat <<EOF > /etc/freeradius-web/naslist.conf
791
	cat <<EOF > /etc/freeradius-web/naslist.conf
792
nas1_name: alcasar-$ORGANISME
792
nas1_name: alcasar-$ORGANISME
793
nas1_model: Network Access Controler
793
nas1_model: Network Access Controler
794
nas1_ip: $PRIVATE_IP
794
nas1_ip: $PRIVATE_IP
795
nas1_port_num: 0
795
nas1_port_num: 0
796
nas1_community: public
796
nas1_community: public
797
EOF
797
EOF
798
	chown -R apache:apache /etc/freeradius-web/
798
	chown -R apache:apache /etc/freeradius-web/
799
# create the log & backup structure :
799
# create the log & backup structure :
800
# - base = users database
800
# - base = users database
801
# - archive = tarball of "base + http firewall + netflow"
801
# - archive = tarball of "base + http firewall + netflow"
802
# - security = watchdog log
802
# - security = watchdog log
803
	for i in base archive security activity_report;
803
	for i in base archive security activity_report;
804
	do
804
	do
805
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
805
		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
806
	done
806
	done
807
	chown -R root:apache $DIR_SAVE
807
	chown -R root:apache $DIR_SAVE
808
# Configuring & securing php
808
# Configuring & securing php
809
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
809
	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
810
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
810
	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
811
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
811
	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
812
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
812
	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
813
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
813
	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
814
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
814
	$SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
815
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
815
	$SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
816
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
816
	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
817
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
817
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
818
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
818
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
819
# Configuring & securing Lighttpd
819
# Configuring & securing Lighttpd
820
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
820
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
821
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
821
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
822
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
822
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
823
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
823
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
824
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
824
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
825
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
825
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
826
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
826
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
827
 
827
 
828
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
828
	[ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
829
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
829
	$SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
830
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
830
	$SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
831
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
831
	$SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
832
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
832
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
833
 
833
 
834
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
834
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
835
 
835
 
836
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
836
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
837
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
837
	$SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
838
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
838
	$SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
839
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
839
	$SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
840
 
840
 
841
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
841
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
842
 
842
 
843
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
843
	[ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
844
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
844
	cp $DIR_CONF/lighttpd/vhosts.d/* /etc/lighttpd/vhosts.d/
845
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
845
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
846
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
846
	$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
847
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
847
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf
848
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
848
	$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar-without-ssl.conf
849
	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
849
	ln -s /etc/lighttpd/vhosts.d/alcasar-with-ssl.conf /etc/lighttpd/vhosts.d/alcasar.conf
850
 
850
 
851
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
851
	[ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
852
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
852
	[ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
853
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
853
	[ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
854
 
854
 
855
	chown -R apache:apache /var/log/lighttpd
855
	chown -R apache:apache /var/log/lighttpd
856
	/usr/bin/systemctl start lighttpd
856
	/usr/bin/systemctl start lighttpd
857
	/usr/bin/systemctl start php-fpm
857
	/usr/bin/systemctl start php-fpm
858
 
858
 
859
# Creation of the first account (in 'admin' profile)
859
# Creation of the first account (in 'admin' profile)
860
	if [ "$mode" = "install" ]
860
	if [ "$mode" = "install" ]
861
	then
861
	then
862
		header_install
862
		header_install
863
# Creation of keys file for the admin account ("admin")
863
# Creation of keys file for the admin account ("admin")
864
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
864
		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
865
		mkdir -p $DIR_DEST_ETC/digest
865
		mkdir -p $DIR_DEST_ETC/digest
866
		chmod 755 $DIR_DEST_ETC/digest
866
		chmod 755 $DIR_DEST_ETC/digest
867
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
867
		until [ -s $DIR_DEST_ETC/digest/key_admin ]
868
		do
868
		do
869
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
869
			$DIR_DEST_BIN/alcasar-profil.sh --add admin
870
		done
870
		done
871
	fi
871
	fi
872
 
872
 
873
	# Run after coova (in order to wait tun0 to be up)
873
	# Run after coova (in order to wait tun0 to be up)
874
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
874
	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
875
	# Log file for ACC access imputability
875
	# Log file for ACC access imputability
876
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
876
	[ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
877
	chown root:apache /var/Save/security/acc_access.log
877
	chown root:apache /var/Save/security/acc_access.log
878
	chmod 664 /var/Save/security/acc_access.log
878
	chmod 664 /var/Save/security/acc_access.log
879
} # End of ACC ()
879
} # End of ACC ()
880
 
880
 
881
##################################################################
881
##################################################################
882
##                               Fonction "CA"                  ##
882
##                               Fonction "CA"                  ##
883
## - Creating the CA and the server certificate (lighttpd)      ##
883
## - Creating the CA and the server certificate (lighttpd)      ##
884
##################################################################
884
##################################################################
885
CA ()
885
CA ()
886
{
886
{
887
	$DIR_DEST_BIN/alcasar-CA.sh
887
	$DIR_DEST_BIN/alcasar-CA.sh
888
	chown -R root:apache /etc/pki
888
	chown -R root:apache /etc/pki
889
	chmod -R 750 /etc/pki
889
	chmod -R 750 /etc/pki
890
} # End of CA ()
890
} # End of CA ()
891
 
891
 
892
#############################################################
892
#############################################################
893
##               Function "time_server"                    ##
893
##               Function "time_server"                    ##
894
## - Configuring NTP server                                ##
894
## - Configuring NTP server                                ##
895
#############################################################
895
#############################################################
896
time_server ()
896
time_server ()
897
{
897
{
898
# Set the Internet time server
898
# Set the Internet time server
899
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
899
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
900
	cat <<EOF > /etc/ntp/step-tickers
900
	cat <<EOF > /etc/ntp/step-tickers
901
0.fr.pool.ntp.org	# adapt to your country
901
0.fr.pool.ntp.org	# adapt to your country
902
1.fr.pool.ntp.org
902
1.fr.pool.ntp.org
903
2.fr.pool.ntp.org
903
2.fr.pool.ntp.org
904
EOF
904
EOF
905
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
905
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
906
	cat <<EOF > /etc/ntp.conf
906
	cat <<EOF > /etc/ntp.conf
907
server 0.fr.pool.ntp.org	# adapt to your country
907
server 0.fr.pool.ntp.org	# adapt to your country
908
server 1.fr.pool.ntp.org
908
server 1.fr.pool.ntp.org
909
server 2.fr.pool.ntp.org
909
server 2.fr.pool.ntp.org
910
server 127.127.1.0   		# local clock si NTP internet indisponible ...
910
server 127.127.1.0   		# local clock si NTP internet indisponible ...
911
fudge 127.127.1.0 stratum 10
911
fudge 127.127.1.0 stratum 10
912
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
912
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
913
restrict 127.0.0.1
913
restrict 127.0.0.1
914
driftfile /var/lib/ntp/drift
914
driftfile /var/lib/ntp/drift
915
logfile /var/log/ntp.log
915
logfile /var/log/ntp.log
916
disable monitor
916
disable monitor
917
EOF
917
EOF
918
	chown -R ntp:ntp /var/lib/ntp
918
	chown -R ntp:ntp /var/lib/ntp
919
# Synchronize now
919
# Synchronize now
920
	ntpd -4 -q -g &
920
	ntpd -4 -q -g &
921
} # End of time_server ()
921
} # End of time_server ()
922
 
922
 
923
#####################################################################
923
#####################################################################
924
##                     Function "init_db"                          ##
924
##                     Function "init_db"                          ##
925
## - Mysql initialization                                          ##
925
## - Mysql initialization                                          ##
926
## - Set admin (root) password                                     ##
926
## - Set admin (root) password                                     ##
927
## - Remove unused users & databases                               ##
927
## - Remove unused users & databases                               ##
928
## - Radius database creation                                      ##
928
## - Radius database creation                                      ##
929
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
929
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
930
#####################################################################
930
#####################################################################
931
init_db ()
931
init_db ()
932
{
932
{
933
	if [ "`systemctl is-active mysqld`" == "active" ]
933
	if [ "`systemctl is-active mysqld`" == "active" ]
934
	then
934
	then
935
		systemctl stop mysqld
935
		systemctl stop mysqld
936
	fi
936
	fi
937
	rm -rf /var/lib/mysql # to be sure that there is no former installation
937
	rm -rf /var/lib/mysql # to be sure that there is no former installation
938
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
938
	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
939
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
939
	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
940
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
940
	$SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
941
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
941
	$SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
942
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
942
	$SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
943
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
943
	[ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
944
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
944
	/usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
945
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
945
	/usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
946
	/usr/bin/systemctl start mysqld
946
	/usr/bin/systemctl start mysqld
947
	nb_round=1
947
	nb_round=1
948
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
948
	while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
949
	do
949
	do
950
		nb_round=`expr $nb_round + 1`
950
		nb_round=`expr $nb_round + 1`
951
		sleep 2
951
		sleep 2
952
	done
952
	done
953
	if [ ! -S /var/lib/mysql/mysql.sock ]
953
	if [ ! -S /var/lib/mysql/mysql.sock ]
954
	then
954
	then
955
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
955
		echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
956
		exit
956
		exit
957
	fi
957
	fi
958
# Secure the server
958
# Secure the server
959
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
959
	/usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
960
 
960
 
961
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
961
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
962
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
962
	$MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
963
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
963
	$MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
964
# Create 'radius' database
964
# Create 'radius' database
965
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
965
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
966
# Add an empty radius database structure
966
# Add an empty radius database structure
967
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
967
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
968
# modify the start script in order to close accounting connexion when the system is comming down or up
968
# modify the start script in order to close accounting connexion when the system is comming down or up
969
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
969
	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
970
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
970
	$SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
971
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
971
	$SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
972
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
972
	/usr/bin/systemctl unset-environment MYSQLD_OPTS
973
	/usr/bin/systemctl daemon-reload
973
	/usr/bin/systemctl daemon-reload
974
} # End of init_db ()
974
} # End of init_db ()
975
 
975
 
976
###################################################################
976
###################################################################
977
##                       Function "freeradius"                   ##
977
##                       Function "freeradius"                   ##
978
## - Set the configuration files                                 ##
978
## - Set the configuration files                                 ##
979
## - Set the shared secret between coova-chilli and freeradius   ##
979
## - Set the shared secret between coova-chilli and freeradius   ##
980
## - Adapt the Mysql conf file and counters                      ##
980
## - Adapt the Mysql conf file and counters                      ##
981
###################################################################
981
###################################################################
982
freeradius ()
982
freeradius ()
983
{
983
{
984
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
984
	cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
985
	chown -R radius:radius /etc/raddb
985
	chown -R radius:radius /etc/raddb
986
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
986
	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
987
# Set radius global parameters (radius.conf)
987
# Set radius global parameters (radius.conf)
988
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
988
	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
989
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
989
	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
990
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
990
	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
991
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
991
	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
992
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
992
	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
993
 
993
 
994
# Add ALCASAR dictionary
994
# Add ALCASAR dictionary
995
	cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
995
	cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
996
	echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
996
	echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
997
# Add CoovaChilli dictionary
997
# Add CoovaChilli dictionary
998
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
998
	cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
999
	echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
999
	echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
1000
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1000
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
1001
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1001
	[ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
1002
	cat << EOF > /etc/raddb/clients.conf
1002
	cat << EOF > /etc/raddb/clients.conf
1003
client localhost {
1003
client localhost {
1004
	ipaddr = 127.0.0.1
1004
	ipaddr = 127.0.0.1
1005
	secret = $secretradius
1005
	secret = $secretradius
1006
	shortname = chilli
1006
	shortname = chilli
1007
	nas_type = other
1007
	nas_type = other
1008
}
1008
}
1009
EOF
1009
EOF
1010
# Set Virtual server (remvove all except "alcasar virtual site")
1010
# Set Virtual server (remvove all except "alcasar virtual site")
1011
	rm -f /etc/raddb/sites-enabled/*
1011
	rm -f /etc/raddb/sites-enabled/*
1012
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1012
	cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
1013
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1013
	cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
1014
	chown radius:apache /etc/raddb/sites-available/alcasar*
1014
	chown radius:apache /etc/raddb/sites-available/alcasar*
1015
	chmod 660 /etc/raddb/sites-available/alcasar*
1015
	chmod 660 /etc/raddb/sites-available/alcasar*
1016
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1016
	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
1017
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
1017
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
1018
 
1018
 
1019
# Set modules
1019
# Set modules
1020
# Add custom LDAP "available module"
1020
# Add custom LDAP "available module"
1021
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1021
	cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
1022
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1022
	chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
1023
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
1023
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
1024
	rm -rf  /etc/raddb/mods-enabled/*
1024
	rm -rf  /etc/raddb/mods-enabled/*
1025
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1025
	for mods in sql sqlcounter attr_filter expiration logintime pap expr always
1026
	do
1026
	do
1027
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1027
		ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
1028
	done
1028
	done
1029
# Configure SQL mod
1029
# Configure SQL mod
1030
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1030
	[ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
1031
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1031
	$SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
1032
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1032
	$SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1033
	$SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1034
	$SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
1035
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1035
	$SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
1036
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1036
	$SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
1037
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1037
	$SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
1038
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1038
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
1039
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1039
	[ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
1040
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1040
	cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
1041
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1041
	chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
1042
# sqlcounter modifications
1042
# sqlcounter modifications
1043
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1043
	[ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
1044
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1044
	cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
1045
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1045
	chown -R radius:radius /etc/raddb/mods-available/sqlcounter
1046
# make certain that mysql is up before freeradius start
1046
# make certain that mysql is up before freeradius start
1047
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1047
	[ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1048
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1048
	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1049
	/usr/bin/systemctl daemon-reload
1049
	/usr/bin/systemctl daemon-reload
1050
# Allow apache to change some conf files (ie : ldap on/off)
1050
# Allow apache to change some conf files (ie : ldap on/off)
1051
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1051
	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1052
} # End freeradius ()
1052
} # End freeradius ()
1053
 
1053
 
1054
#############################################################################
1054
#############################################################################
1055
##                           Function "chilli"                             ##
1055
##                           Function "chilli"                             ##
1056
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1056
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1057
## - Adapt the authentication web page (intercept.php)                     ##
1057
## - Adapt the authentication web page (intercept.php)                     ##
1058
#############################################################################
1058
#############################################################################
1059
chilli ()
1059
chilli ()
1060
{
1060
{
1061
# chilli unit for systemd
1061
# chilli unit for systemd
1062
	cat << EOF > /lib/systemd/system/chilli.service
1062
	cat << EOF > /lib/systemd/system/chilli.service
1063
#  This file is part of systemd.
1063
#  This file is part of systemd.
1064
#
1064
#
1065
#  systemd is free software; you can redistribute it and/or modify it
1065
#  systemd is free software; you can redistribute it and/or modify it
1066
#  under the terms of the GNU General Public License as published by
1066
#  under the terms of the GNU General Public License as published by
1067
#  the Free Software Foundation; either version 2 of the License, or
1067
#  the Free Software Foundation; either version 2 of the License, or
1068
#  (at your option) any later version.
1068
#  (at your option) any later version.
1069
[Unit]
1069
[Unit]
1070
Description=chilli is a captive portal daemon
1070
Description=chilli is a captive portal daemon
1071
After=network.target
1071
After=network.target
1072
 
1072
 
1073
[Service]
1073
[Service]
1074
Type=forking
1074
Type=forking
1075
ExecStart=/usr/libexec/chilli start
1075
ExecStart=/usr/libexec/chilli start
1076
ExecStop=/usr/libexec/chilli stop
1076
ExecStop=/usr/libexec/chilli stop
1077
ExecReload=/usr/libexec/chilli reload
1077
ExecReload=/usr/libexec/chilli reload
1078
PIDFile=/var/run/chilli.pid
1078
PIDFile=/var/run/chilli.pid
1079
 
1079
 
1080
[Install]
1080
[Install]
1081
WantedBy=multi-user.target
1081
WantedBy=multi-user.target
1082
EOF
1082
EOF
1083
# init file creation
1083
# init file creation
1084
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1084
	[ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1085
	cat <<EOF > /etc/init.d/chilli
1085
	cat <<EOF > /etc/init.d/chilli
1086
#!/bin/sh
1086
#!/bin/sh
1087
#
1087
#
1088
# chilli CoovaChilli init
1088
# chilli CoovaChilli init
1089
#
1089
#
1090
# chkconfig: 2345 65 35
1090
# chkconfig: 2345 65 35
1091
# description: CoovaChilli
1091
# description: CoovaChilli
1092
### BEGIN INIT INFO
1092
### BEGIN INIT INFO
1093
# Provides:       chilli
1093
# Provides:       chilli
1094
# Required-Start: network
1094
# Required-Start: network
1095
# Should-Start:
1095
# Should-Start:
1096
# Required-Stop:  network
1096
# Required-Stop:  network
1097
# Should-Stop:
1097
# Should-Stop:
1098
# Default-Start:  2 3 5
1098
# Default-Start:  2 3 5
1099
# Default-Stop:
1099
# Default-Stop:
1100
# Description:    CoovaChilli access controller
1100
# Description:    CoovaChilli access controller
1101
### END INIT INFO
1101
### END INIT INFO
1102
 
1102
 
1103
[ -f /usr/sbin/chilli ] || exit 0
1103
[ -f /usr/sbin/chilli ] || exit 0
1104
. /etc/init.d/functions
1104
. /etc/init.d/functions
1105
CONFIG=/etc/chilli.conf
1105
CONFIG=/etc/chilli.conf
1106
pidfile=/var/run/chilli.pid
1106
pidfile=/var/run/chilli.pid
1107
[ -f \$CONFIG ] || {
1107
[ -f \$CONFIG ] || {
1108
	echo "\$CONFIG Not found"
1108
	echo "\$CONFIG Not found"
1109
	exit 0
1109
	exit 0
1110
}
1110
}
1111
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1111
current_users_file="/var/tmp/havp/current_users.txt"	# file containing active users
1112
RETVAL=0
1112
RETVAL=0
1113
prog="chilli"
1113
prog="chilli"
1114
case \$1 in
1114
case \$1 in
1115
	start)
1115
	start)
1116
		if [ -f \$pidfile ] ; then
1116
		if [ -f \$pidfile ] ; then
1117
			gprintf "chilli is already running"
1117
			gprintf "chilli is already running"
1118
		else
1118
		else
1119
			gprintf "Starting \$prog: "
1119
			gprintf "Starting \$prog: "
1120
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1120
			echo '' > \$current_users_file && chown apache:apache \$current_users_file
1121
			rm -f /var/run/chilli* # cleaning
1121
			rm -f /var/run/chilli* # cleaning
1122
			/usr/sbin/modprobe tun >/dev/null 2>&1
1122
			/usr/sbin/modprobe tun >/dev/null 2>&1
1123
			echo 1 > /proc/sys/net/ipv4/ip_forward
1123
			echo 1 > /proc/sys/net/ipv4/ip_forward
1124
			[ -e /dev/net/tun ] || {
1124
			[ -e /dev/net/tun ] || {
1125
				(cd /dev;
1125
				(cd /dev;
1126
				mkdir net;
1126
				mkdir net;
1127
				cd net;
1127
				cd net;
1128
				mknod tun c 10 200)
1128
				mknod tun c 10 200)
1129
			}
1129
			}
1130
			ifconfig $INTIF 0.0.0.0
1130
			ifconfig $INTIF 0.0.0.0
1131
			/usr/sbin/ethtool -K $INTIF gro off
1131
			/usr/sbin/ethtool -K $INTIF gro off
1132
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1132
			daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1133
			RETVAL=\$?
1133
			RETVAL=\$?
1134
		fi
1134
		fi
1135
		;;
1135
		;;
1136
 
1136
 
1137
	reload)
1137
	reload)
1138
		killall -HUP chilli
1138
		killall -HUP chilli
1139
		;;
1139
		;;
1140
 
1140
 
1141
	restart)
1141
	restart)
1142
		\$0 stop
1142
		\$0 stop
1143
		sleep 2
1143
		sleep 2
1144
		\$0 start
1144
		\$0 start
1145
		;;
1145
		;;
1146
 
1146
 
1147
	status)
1147
	status)
1148
		status chilli
1148
		status chilli
1149
		RETVAL=0
1149
		RETVAL=0
1150
		;;
1150
		;;
1151
 
1151
 
1152
	stop)
1152
	stop)
1153
		if [ -f \$pidfile ] ; then
1153
		if [ -f \$pidfile ] ; then
1154
			gprintf "Shutting down \$prog: "
1154
			gprintf "Shutting down \$prog: "
1155
			killproc /usr/sbin/chilli
1155
			killproc /usr/sbin/chilli
1156
			RETVAL=\$?
1156
			RETVAL=\$?
1157
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1157
			[ \$RETVAL = 0 ] && rm -f \$pidfile
1158
			[ -e \$current_users_file ] && rm -f \$current_users_file
1158
			[ -e \$current_users_file ] && rm -f \$current_users_file
1159
		else
1159
		else
1160
			gprintf "chilli is not running"
1160
			gprintf "chilli is not running"
1161
		fi
1161
		fi
1162
		;;
1162
		;;
1163
 
1163
 
1164
	*)
1164
	*)
1165
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1165
		echo "Usage: \$0 {start|stop|restart|reload|status}"
1166
		exit 1
1166
		exit 1
1167
esac
1167
esac
1168
echo
1168
echo
1169
EOF
1169
EOF
1170
	chmod a+x /etc/init.d/chilli
1170
	chmod a+x /etc/init.d/chilli
1171
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1171
	ln -s /etc/init.d/chilli /usr/libexec/chilli
1172
# conf file creation
1172
# conf file creation
1173
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1173
	[ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1174
	#NTP Option configuration for DHCP
1174
	#NTP Option configuration for DHCP
1175
	#DHCP Options : rfc2132
1175
	#DHCP Options : rfc2132
1176
		#dhcp option value will be convert in hexa.
1176
		#dhcp option value will be convert in hexa.
1177
		#NTP option (or 'option 42') is like :
1177
		#NTP option (or 'option 42') is like :
1178
		#
1178
		#
1179
		#    Code   Len         Address 1               Address 2
1179
		#    Code   Len         Address 1               Address 2
1180
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1180
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1181
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1181
		#   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1182
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1182
		#   +-----+-----+-----+-----+-----+-----+-----+-----+--
1183
		#
1183
		#
1184
		#Code : 42 => 2a
1184
		#Code : 42 => 2a
1185
		#Len : 4 => 04
1185
		#Len : 4 => 04
1186
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1186
	PRIVATE_IP_HEXA=$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f1)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f2)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f3)")$(printf "%02x\n" "$(echo $PRIVATE_IP | cut -d'.' -f4)")
1187
	cat <<EOF > /etc/chilli.conf
1187
	cat <<EOF > /etc/chilli.conf
1188
# coova config for ALCASAR
1188
# coova config for ALCASAR
1189
cmdsocket	/var/run/chilli.sock
1189
cmdsocket	/var/run/chilli.sock
1190
unixipc		chilli.$INTIF.ipc
1190
unixipc		chilli.$INTIF.ipc
1191
pidfile		/var/run/chilli.pid
1191
pidfile		/var/run/chilli.pid
1192
net		$PRIVATE_NETWORK_MASK
1192
net		$PRIVATE_NETWORK_MASK
1193
dhcpif		$INTIF
1193
dhcpif		$INTIF
1194
ethers		$DIR_DEST_ETC/alcasar-ethers
1194
ethers		$DIR_DEST_ETC/alcasar-ethers
1195
#nodynip
1195
#nodynip
1196
#statip
1196
#statip
1197
dynip		$PRIVATE_NETWORK_MASK
1197
dynip		$PRIVATE_NETWORK_MASK
1198
domain		$DOMAIN
1198
domain		$DOMAIN
1199
dns1		$PRIVATE_IP
1199
dns1		$PRIVATE_IP
1200
dns2		$PRIVATE_IP
1200
dns2		$PRIVATE_IP
1201
uamlisten	$PRIVATE_IP
1201
uamlisten	$PRIVATE_IP
1202
uamport		3990
1202
uamport		3990
1203
uamuiport	3991
1203
uamuiport	3991
1204
macauth
1204
macauth
1205
macpasswd	password
1205
macpasswd	password
1206
strictmacauth
1206
strictmacauth
1207
locationname	$HOSTNAME.$DOMAIN
1207
locationname	$HOSTNAME.$DOMAIN
1208
radiusserver1	127.0.0.1
1208
radiusserver1	127.0.0.1
1209
radiusserver2	127.0.0.1
1209
radiusserver2	127.0.0.1
1210
radiussecret	$secretradius
1210
radiussecret	$secretradius
1211
radiusauthport	1812
1211
radiusauthport	1812
1212
radiusacctport	1813
1212
radiusacctport	1813
1213
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1213
uamserver	https://$HOSTNAME.$DOMAIN/intercept.php
1214
redirurl
1214
redirurl
1215
radiusnasid	$HOSTNAME.$DOMAIN
1215
radiusnasid	$HOSTNAME.$DOMAIN
1216
uamsecret	$secretuam
1216
uamsecret	$secretuam
1217
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1217
uamallowed	$HOSTNAME,$HOSTNAME.$DOMAIN
1218
coaport		3799
1218
coaport		3799
1219
conup		$DIR_DEST_BIN/alcasar-conup.sh
1219
conup		$DIR_DEST_BIN/alcasar-conup.sh
1220
condown		$DIR_DEST_BIN/alcasar-condown.sh
1220
condown		$DIR_DEST_BIN/alcasar-condown.sh
1221
macup		$DIR_DEST_BIN/alcasar-macup.sh
1221
macup		$DIR_DEST_BIN/alcasar-macup.sh
1222
include		$DIR_DEST_ETC/alcasar-uamallowed
1222
include		$DIR_DEST_ETC/alcasar-uamallowed
1223
include		$DIR_DEST_ETC/alcasar-uamdomain
1223
include		$DIR_DEST_ETC/alcasar-uamdomain
1224
dhcpopt		2a04$PRIVATE_IP_HEXA
1224
dhcpopt		2a04$PRIVATE_IP_HEXA
1225
#dhcpgateway		none
1225
#dhcpgateway		none
1226
#dhcprelayagent		none
1226
#dhcprelayagent		none
1227
#dhcpgatewayport	none
1227
#dhcpgatewayport	none
1228
sslkeyfile	/etc/pki/tls/private/alcasar.key
1228
sslkeyfile	/etc/pki/tls/private/alcasar.key
1229
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1229
sslcertfile	/etc/pki/tls/certs/alcasar.crt
1230
redirssl
1230
redirssl
1231
uamuissl
1231
uamuissl
1232
EOF
1232
EOF
1233
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1233
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1234
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1234
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1235
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1235
	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1236
# create files for trusted domains and urls
1236
# create files for trusted domains and urls
1237
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1237
	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1238
	chown root:apache $DIR_DEST_ETC/alcasar-*
1238
	chown root:apache $DIR_DEST_ETC/alcasar-*
1239
	chmod 660 $DIR_DEST_ETC/alcasar-*
1239
	chmod 660 $DIR_DEST_ETC/alcasar-*
1240
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1240
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1241
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1241
	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1242
# user 'chilli' creation (in order to run conup/off and up/down scripts
1242
# user 'chilli' creation (in order to run conup/off and up/down scripts
1243
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1243
	chilli_exist=`grep -c ^chilli: /etc/passwd`
1244
	if [ "$chilli_exist" == "1" ]
1244
	if [ "$chilli_exist" == "1" ]
1245
	then
1245
	then
1246
		userdel -r chilli 2>/dev/null
1246
		userdel -r chilli 2>/dev/null
1247
	fi
1247
	fi
1248
	groupadd -f chilli
1248
	groupadd -f chilli
1249
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1249
	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1250
}  # End of chilli ()
1250
}  # End of chilli ()
1251
 
1251
 
1252
################################################################
1252
################################################################
1253
##                   Function "e2guardian"                    ##
1253
##                   Function "e2guardian"                    ##
1254
## - Set the parameters of this HTML proxy (as controler)     ##
1254
## - Set the parameters of this HTML proxy (as controler)     ##
1255
################################################################
1255
################################################################
1256
e2guardian ()
1256
e2guardian ()
1257
{
1257
{
1258
	mkdir -p /var/e2guardian /var/log/e2guardian
1258
	mkdir -p /var/e2guardian /var/log/e2guardian
1259
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1259
	chown -R e2guardian /var/e2guardian /var/log/e2guardian
1260
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1260
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1261
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1261
	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1262
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1262
	[ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1263
# By default the filter is off
1263
# By default the filter is off
1264
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1264
	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1265
# French deny HTML page
1265
# French deny HTML page
1266
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1266
	$SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1267
# Listen only on LAN side
1267
# Listen only on LAN side
1268
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1268
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1269
# DG send its flow to HAVP
1269
# DG send its flow to HAVP
1270
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1270
	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1271
# replace the default deny HTML page
1271
# replace the default deny HTML page
1272
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1272
	cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1273
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1273
	cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1274
# Don't log
1274
# Don't log
1275
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1275
	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1276
# # Change the default report page
1276
# # Change the default report page
1277
	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1277
	$SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1278
# Disable HTML content control
1278
# Disable HTML content control
1279
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1279
	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1280
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1280
	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1281
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1281
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1282
# Disable URL control with regex
1282
# Disable URL control with regex
1283
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1283
	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1284
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1284
	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1285
# Configure E2guardian for large site
1285
# Configure E2guardian for large site
1286
# Minimum number of processus to handle connections
1286
# Minimum number of processus to handle connections
1287
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1287
	$SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1288
# Maximum number of processus to handle connections
1288
# Maximum number of processus to handle connections
1289
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1289
	$SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1290
# Run at least 8 daemons
1290
# Run at least 8 daemons
1291
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1291
	$SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1292
# minimum number of processes to spawn
1292
# minimum number of processes to spawn
1293
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1293
	$SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1294
# maximum age of a child process before it croaks it
1294
# maximum age of a child process before it croaks it
1295
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1295
	$SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1296
# Disable download files control
1296
# Disable download files control
1297
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1297
	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1298
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1298
	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1299
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1299
	[ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1300
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1300
	[ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1301
	touch $DIR_DG/lists/bannedextensionlist
1301
	touch $DIR_DG/lists/bannedextensionlist
1302
	touch $DIR_DG/lists/bannedmimetypelist
1302
	touch $DIR_DG/lists/bannedmimetypelist
1303
# 'Safesearch' regex actualisation
1303
# 'Safesearch' regex actualisation
1304
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1304
	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1305
# empty LAN IP list that won't be WEB filtered
1305
# empty LAN IP list that won't be WEB filtered
1306
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1306
	[ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1307
	touch $DIR_DG/lists/exceptioniplist
1307
	touch $DIR_DG/lists/exceptioniplist
1308
# Keep a copy of URL & domain filter configuration files
1308
# Keep a copy of URL & domain filter configuration files
1309
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1309
	[ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1310
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1310
	[ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1311
} # End of e2guardian ()
1311
} # End of e2guardian ()
1312
 
1312
 
1313
##################################################################
1313
##################################################################
1314
##                     Function "antivirus"                     ##
1314
##                     Function "antivirus"                     ##
1315
## - Set the parameters of havp, libclamav and freshclam        ##
1315
## - Set the parameters of havp, libclamav and freshclam        ##
1316
##################################################################
1316
##################################################################
1317
antivirus ()
1317
antivirus ()
1318
{
1318
{
1319
# create 'havp' user
1319
# create 'havp' user
1320
	havp_exist=`grep -c ^havp: /etc/passwd`
1320
	havp_exist=`grep -c ^havp: /etc/passwd`
1321
	if [ "$havp_exist" == "1" ]
1321
	if [ "$havp_exist" == "1" ]
1322
	then
1322
	then
1323
		userdel -r havp 2>/dev/null
1323
		userdel -r havp 2>/dev/null
1324
		groupdel havp 2>/dev/null
1324
		groupdel havp 2>/dev/null
1325
	fi
1325
	fi
1326
	groupadd -f havp
1326
	groupadd -f havp
1327
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1327
	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1328
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1328
	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1329
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1329
	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1330
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1330
	chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1331
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1331
	[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1332
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1332
	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1333
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1333
	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config	# pidfile
1334
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1334
	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config		# transparent mode
1335
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1335
	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config	# we listen only on loopback
1336
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1336
	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config				# datas come on port 8090 (on loopback)
1337
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1337
	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config	# Log format
1338
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1338
	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config		# active libclamav AV
1339
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1339
	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config			# log only when malware matches
1340
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1340
	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config		# 10 daemons are started simultaneously
1341
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1341
	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config		# doesn't scan image files
1342
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1342
	$SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1343
# skip checking of youtube flow (too heavy load / risk too low)
1343
# skip checking of youtube flow (too heavy load / risk too low)
1344
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1344
	[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1345
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1345
	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1346
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1346
	echo "*.youtube.com/*" >> /etc/havp/whitelist
1347
# adapt init script and systemd unit
1347
# adapt init script and systemd unit
1348
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1348
	[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1349
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1349
	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1350
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1350
	[ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1351
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1351
	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1352
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1352
	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1353
# replace of the intercept page (template)
1353
# replace of the intercept page (template)
1354
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1354
	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1355
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1355
	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1356
# update virus database every 4 hours (24h/6)
1356
# update virus database every 4 hours (24h/6)
1357
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1357
	[ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1358
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1358
	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1359
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1359
	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1360
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1360
	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1361
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1361
	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1362
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1362
	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1363
# update now
1363
# update now
1364
	/usr/bin/freshclam --no-warnings
1364
	/usr/bin/freshclam --no-warnings
1365
} # End of antivirus ()
1365
} # End of antivirus ()
1366
 
1366
 
1367
################################################################################
1367
################################################################################
1368
##                           Function "tinyproxy"                             ##
1368
##                           Function "tinyproxy"                             ##
1369
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1369
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1370
################################################################################
1370
################################################################################
1371
tinyproxy ()
1371
tinyproxy ()
1372
{
1372
{
1373
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1373
	tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1374
	if [ "$tinyproxy_exist" == "1" ]
1374
	if [ "$tinyproxy_exist" == "1" ]
1375
	then
1375
	then
1376
		userdel -r tinyproxy 2>/dev/null
1376
		userdel -r tinyproxy 2>/dev/null
1377
		groupdel tinyproxy 2>/dev/null
1377
		groupdel tinyproxy 2>/dev/null
1378
	fi
1378
	fi
1379
	groupadd -f tinyproxy
1379
	groupadd -f tinyproxy
1380
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1380
	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1381
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1381
	mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1382
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1382
	chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1383
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1383
	[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1384
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1384
	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1385
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1385
	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1386
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1386
	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf			# Listen Port
1387
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1387
	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf		# Listen NIC (only intif)
1388
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1388
	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1389
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1389
	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1390
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1390
	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf		# Only errors are logged
1391
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1391
	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf	# forward to HAVP
1392
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1392
	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf	# Stealth mode
1393
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1393
	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf	# Allow from LAN
1394
# Create the systemd unit
1394
# Create the systemd unit
1395
cat << EOF > /lib/systemd/system/tinyproxy.service
1395
cat << EOF > /lib/systemd/system/tinyproxy.service
1396
#  This file is part of systemd.
1396
#  This file is part of systemd.
1397
#
1397
#
1398
#  systemd is free software; you can redistribute it and/or modify it
1398
#  systemd is free software; you can redistribute it and/or modify it
1399
#  under the terms of the GNU General Public License as published by
1399
#  under the terms of the GNU General Public License as published by
1400
#  the Free Software Foundation; either version 2 of the License, or
1400
#  the Free Software Foundation; either version 2 of the License, or
1401
#  (at your option) any later version.
1401
#  (at your option) any later version.
1402
 
1402
 
1403
# This unit launches tinyproxy (a very light proxy).
1403
# This unit launches tinyproxy (a very light proxy).
1404
# The "sleep 2" is needed because the pid file isn't ready for systemd
1404
# The "sleep 2" is needed because the pid file isn't ready for systemd
1405
[Unit]
1405
[Unit]
1406
Description=Tinyproxy Web Proxy Server
1406
Description=Tinyproxy Web Proxy Server
1407
After=network.target iptables.service
1407
After=network.target iptables.service
1408
 
1408
 
1409
[Service]
1409
[Service]
1410
Type=forking
1410
Type=forking
1411
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1411
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1412
ExecStartPre=/bin/sleep 2
1412
ExecStartPre=/bin/sleep 2
1413
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1413
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1414
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1414
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1415
 
1415
 
1416
[Install]
1416
[Install]
1417
WantedBy=multi-user.target
1417
WantedBy=multi-user.target
1418
EOF
1418
EOF
1419
 
1419
 
1420
} # end of tinyproxy
1420
} # end of tinyproxy
1421
##############################################################################
1421
##############################################################################
1422
##                            function "ulogd"                              ##
1422
##                            function "ulogd"                              ##
1423
## - Ulog config for multi-log files                                        ##
1423
## - Ulog config for multi-log files                                        ##
1424
##############################################################################
1424
##############################################################################
1425
ulogd ()
1425
ulogd ()
1426
{
1426
{
1427
# Three instances of ulogd (three different logfiles)
1427
# Three instances of ulogd (three different logfiles)
1428
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1428
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1429
	nl=1
1429
	nl=1
1430
	for log_type in traceability ssh ext-access
1430
	for log_type in traceability ssh ext-access
1431
	do
1431
	do
1432
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1432
		[ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1433
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1433
		[ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1434
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1434
		cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1435
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1435
		$SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1436
		cat << EOF >> /etc/ulogd-$log_type.conf
1436
		cat << EOF >> /etc/ulogd-$log_type.conf
1437
[emu1]
1437
[emu1]
1438
file="/var/log/firewall/$log_type.log"
1438
file="/var/log/firewall/$log_type.log"
1439
sync=1
1439
sync=1
1440
EOF
1440
EOF
1441
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1441
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
1442
		nl=`expr $nl + 1`
1442
		nl=`expr $nl + 1`
1443
	done
1443
	done
1444
	chown -R root:apache /var/log/firewall
1444
	chown -R root:apache /var/log/firewall
1445
	chmod 750 /var/log/firewall
1445
	chmod 750 /var/log/firewall
1446
	chmod 640 /var/log/firewall/*
1446
	chmod 640 /var/log/firewall/*
1447
}  # End of ulogd ()
1447
}  # End of ulogd ()
1448
 
1448
 
1449
 
1449
 
1450
##########################################################
1450
##########################################################
1451
##                    Function "nfsen"                  ##
1451
##                    Function "nfsen"                  ##
1452
## - install the nfsen grapher                          ##
1452
## - install the nfsen grapher                          ##
1453
## - install the two plugins porttracker & surfmap      ##
1453
## - install the two plugins porttracker & surfmap      ##
1454
##########################################################
1454
##########################################################
1455
nfsen()
1455
nfsen()
1456
{
1456
{
1457
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1457
	tar xzf ./conf/nfsen/nfsen-*.tar.gz -C /tmp/
1458
# Add PortTracker plugin
1458
# Add PortTracker plugin
1459
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1459
	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1460
	do
1460
	do
1461
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1461
		[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1462
	done
1462
	done
1463
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1463
	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-*/contrib/PortTracker/PortTracker.pm
1464
# use of our conf file and init unit
1464
# use of our conf file and init unit
1465
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1465
	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-*/etc/
1466
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1466
# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1467
	DirTmp=$(pwd)
1467
	DirTmp=$(pwd)
1468
	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
1468
	cd /tmp/nfsen-*/ || { echo "Unable to find nfsen directory"; exit 1; }
1469
	/usr/bin/perl install.pl etc/nfsen.conf
1469
	/usr/bin/perl install.pl etc/nfsen.conf
1470
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1470
	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1471
# Create RRD DB for porttracker (only in it still doesn't exist)
1471
# Create RRD DB for porttracker (only in it still doesn't exist)
1472
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1472
	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1473
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1473
	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1474
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1474
	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
1475
	chmod -R 770 /var/log/netflow/porttracker
1475
	chmod -R 770 /var/log/netflow/porttracker
1476
# nfsen unit for systemd
1476
# nfsen unit for systemd
1477
	cat << EOF > /lib/systemd/system/nfsen.service
1477
	cat << EOF > /lib/systemd/system/nfsen.service
1478
#  This file is part of systemd.
1478
#  This file is part of systemd.
1479
#
1479
#
1480
#  systemd is free software; you can redistribute it and/or modify it
1480
#  systemd is free software; you can redistribute it and/or modify it
1481
#  under the terms of the GNU General Public License as published by
1481
#  under the terms of the GNU General Public License as published by
1482
#  the Free Software Foundation; either version 2 of the License, or
1482
#  the Free Software Foundation; either version 2 of the License, or
1483
#  (at your option) any later version.
1483
#  (at your option) any later version.
1484
 
1484
 
1485
# This unit launches nfsen (a Netflow grapher).
1485
# This unit launches nfsen (a Netflow grapher).
1486
[Unit]
1486
[Unit]
1487
Description= NfSen init script
1487
Description= NfSen init script
1488
After=network.target iptables.service
1488
After=network.target iptables.service
1489
 
1489
 
1490
[Service]
1490
[Service]
1491
Type=oneshot
1491
Type=oneshot
1492
RemainAfterExit=yes
1492
RemainAfterExit=yes
1493
PIDFile=/var/run/nfsen/nfsen.pid
1493
PIDFile=/var/run/nfsen/nfsen.pid
1494
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1494
ExecStartPre=/bin/mkdir -p /var/run/nfsen
1495
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1495
ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1496
ExecStart=/usr/bin/nfsen start
1496
ExecStart=/usr/bin/nfsen start
1497
ExecStop=/usr/bin/nfsen stop
1497
ExecStop=/usr/bin/nfsen stop
1498
ExecReload=/usr/bin/nfsen restart
1498
ExecReload=/usr/bin/nfsen restart
1499
TimeoutSec=0
1499
TimeoutSec=0
1500
 
1500
 
1501
[Install]
1501
[Install]
1502
WantedBy=multi-user.target
1502
WantedBy=multi-user.target
1503
EOF
1503
EOF
1504
# Add the listen port to collect netflow packet (nfcapd)
1504
# Add the listen port to collect netflow packet (nfcapd)
1505
	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1505
	$SED 's?$ziparg $extensions.*?$ziparg $extensions -b 127.0.0.1";?g' /usr/libexec/NfSenRC.pm
1506
# expire delay for the profile "live"
1506
# expire delay for the profile "live"
1507
	/usr/bin/systemctl start nfsen
1507
	/usr/bin/systemctl start nfsen
1508
	/bin/nfsen -m live -e 62d 2>/dev/null
1508
	/bin/nfsen -m live -e 62d 2>/dev/null
1509
# add SURFmap plugin (waiting for new technical solution)
1509
# add SURFmap plugin (waiting for new technical solution)
1510
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1510
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1511
#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1511
#	cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1512
#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1512
#	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1513
#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1513
#	tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1514
#	cd /tmp/
1514
#	cd /tmp/
1515
#	/usr/bin/sh SURFmap/install.sh
1515
#	/usr/bin/sh SURFmap/install.sh
1516
# clear the installation
1516
# clear the installation
1517
#	rm -rf /tmp/SURFmap*
1517
#	rm -rf /tmp/SURFmap*
1518
	rm -rf /tmp/nfsen-*
1518
	rm -rf /tmp/nfsen-*
1519
	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1519
	cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1520
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1520
	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1521
} # End of nfsen ()
1521
} # End of nfsen ()
1522
 
1522
 
1523
###########################################################
1523
###########################################################
1524
##                     Function "vnstat"                 ##
1524
##                     Function "vnstat"                 ##
1525
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1525
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1526
###########################################################
1526
###########################################################
1527
vnstat ()
1527
vnstat ()
1528
{
1528
{
1529
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1529
	[ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1530
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1530
	$SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1531
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1531
	$SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1532
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1532
	[ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1533
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1533
	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1534
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1534
	$SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1535
	/usr/bin/vnstat -i $EXTIF -u --force
1535
	/usr/bin/vnstat -i $EXTIF -u --force
1536
} # End of vnstat
1536
} # End of vnstat
1537
 
1537
 
1538
##################################################################
1538
##################################################################
1539
##                     Function "dnsmasq"                       ##
1539
##                     Function "dnsmasq"                       ##
1540
## - creation of the conf files of the 4 intances of dnsmasq    ##
1540
## - creation of the conf files of the 4 intances of dnsmasq    ##
1541
## - creation of the file managing domain name (local & remote) ##
1541
## - creation of the file managing domain name (local & remote) ##
1542
##################################################################
1542
##################################################################
1543
dnsmasq ()
1543
dnsmasq ()
1544
{
1544
{
1545
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1545
	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1546
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1546
	[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1547
	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1547
	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1548
	cat << EOF > /etc/dnsmasq-whitelist.conf
1548
	cat << EOF > /etc/dnsmasq-whitelist.conf
1549
# Configuration file for "dnsmasq with whitelist"
1549
# Configuration file for "dnsmasq with whitelist"
1550
# ADD Toulouse university whitelist domains
1550
# ADD Toulouse university whitelist domains
1551
pid-file=/var/run/dnsmasq-whitelist.pid
1551
pid-file=/var/run/dnsmasq-whitelist.pid
1552
listen-address=127.0.0.1
1552
listen-address=127.0.0.1
1553
port=55
1553
port=55
1554
no-dhcp-interface=lo
1554
no-dhcp-interface=lo
1555
bind-interfaces
1555
bind-interfaces
1556
cache-size=1024
1556
cache-size=1024
1557
domain-needed
1557
domain-needed
1558
expand-hosts
1558
expand-hosts
1559
bogus-priv
1559
bogus-priv
1560
filterwin2k
1560
filterwin2k
1561
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1561
ipset=/#/wl_ip_allowed	# dynamically add the resolv IP address in the Firewall rules
1562
server=$DNS1
1562
server=$DNS1
1563
server=$DNS2
1563
server=$DNS2
1564
EOF
1564
EOF
1565
 
1565
 
1566
	# Create dnsmasq-whitelist unit
1566
	# Create dnsmasq-whitelist unit
1567
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1567
	mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1568
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1568
	cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1569
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1569
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1570
	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1570
	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1571
} # End dnsmasq
1571
} # End dnsmasq
1572
 
1572
 
1573
##################################################
1573
##################################################
1574
##              Function "unbound"              ##
1574
##              Function "unbound"              ##
1575
##################################################
1575
##################################################
1576
unbound ()
1576
unbound ()
1577
{
1577
{
1578
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1578
	[ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1579
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1579
	[ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1580
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1580
	[ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1581
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1581
	[ -d /etc/unbound/conf.d/common/local-dns ] || mkdir /etc/unbound/conf.d/common/local-dns
1582
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1582
	[ -d /etc/unbound/conf.d/forward ] || mkdir /etc/unbound/conf.d/forward
1583
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1583
	[ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1584
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1584
	[ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1585
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1585
	[ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1586
	[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1586
	[ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1587
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1587
	[ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1588
 
1588
 
1589
	# Local static DNS configuration
1589
	# Local static DNS configuration
1590
	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1590
	[ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1591
 
1591
 
1592
	# Forward zone configuration file for all unbound dns servers
1592
	# Forward zone configuration file for all unbound dns servers
1593
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1593
	cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1594
forward-zone:
1594
forward-zone:
1595
	name: "."
1595
	name: "."
1596
	forward-addr: $DNS1
1596
	forward-addr: $DNS1
1597
	forward-addr: $DNS2
1597
	forward-addr: $DNS2
1598
EOF
1598
EOF
1599
 
1599
 
1600
	# Custom configuration file for manual DNS configuration
1600
	# Custom configuration file for manual DNS configuration
1601
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1601
	cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1602
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1602
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1603
## Add one block for each domain name managed by an other DNS server
1603
## Add one block for each domain name managed by an other DNS server
1604
##
1604
##
1605
## Example:
1605
## Example:
1606
##
1606
##
1607
## server:
1607
## server:
1608
##     local-zone: "<your_domain>." transparent
1608
##     local-zone: "<your_domain>." transparent
1609
## forward-zone:
1609
## forward-zone:
1610
##     name: "<your_domain>."
1610
##     name: "<your_domain>."
1611
##     forward-addr: <@IP_domain_server>
1611
##     forward-addr: <@IP_domain_server>
1612
##
1612
##
1613
## INFO : local hostnames are resolved in /etc/hosts file
1613
## INFO : local hostnames are resolved in /etc/hosts file
1614
EOF
1614
EOF
1615
 
1615
 
1616
	# Configuration file of ALCASAR main domains for $INTIF
1616
	# Configuration file of ALCASAR main domains for $INTIF
1617
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1617
	cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1618
server:
1618
server:
1619
	local-zone: "$HOSTNAME.$DOMAIN" static
1619
	local-zone: "$HOSTNAME.$DOMAIN" static
1620
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1620
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1621
	local-zone: "$HOSTNAME" static
1621
	local-zone: "$HOSTNAME" static
1622
	local-data: "$HOSTNAME A $PRIVATE_IP"
1622
	local-data: "$HOSTNAME A $PRIVATE_IP"
1623
	local-zone: "$DOMAIN." static
1623
	local-zone: "$DOMAIN." static
1624
	local-data: "$DOMAIN. A"
1624
	local-data: "$DOMAIN. A"
1625
EOF
1625
EOF
1626
 
1626
 
1627
	# Configuration file for lo of forward unbound
1627
	# Configuration file for lo of forward unbound
1628
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1628
	cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1629
server:
1629
server:
1630
	interface: 127.0.0.1@53
1630
	interface: 127.0.0.1@53
1631
	access-control-view: 127.0.0.1/8 lo
1631
	access-control-view: 127.0.0.1/8 lo
1632
 
1632
 
1633
view:
1633
view:
1634
	name: "lo"
1634
	name: "lo"
1635
	local-zone: "$HOSTNAME.$DOMAIN" static
1635
	local-zone: "$HOSTNAME.$DOMAIN" static
1636
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1636
	local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1"
1637
	local-zone: "$HOSTNAME" static
1637
	local-zone: "$HOSTNAME" static
1638
	local-data: "$HOSTNAME A 127.0.0.1"
1638
	local-data: "$HOSTNAME A 127.0.0.1"
1639
	local-zone: "$DOMAIN." static
-
 
1640
	local-data: "$DOMAIN. A"
-
 
1641
	view-first: yes
1639
	view-first: yes
1642
EOF
1640
EOF
1643
 
1641
 
1644
	# Configuration file for $INTIF of forward unbound
1642
	# Configuration file for $INTIF of forward unbound
1645
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1643
	cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1646
server:
1644
server:
1647
	interface: ${PRIVATE_IP}@53
1645
	interface: ${PRIVATE_IP}@53
1648
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1646
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1649
 
1647
 
1650
view:
1648
view:
1651
	name: "$INTIF"
1649
	name: "$INTIF"
1652
	local-zone: "$HOSTNAME.$DOMAIN" static
1650
	local-zone: "$HOSTNAME.$DOMAIN" static
1653
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1651
	local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1654
	local-zone: "$HOSTNAME" static
1652
	local-zone: "$HOSTNAME" static
1655
	local-data: "$HOSTNAME A $PRIVATE_IP"
1653
	local-data: "$HOSTNAME A $PRIVATE_IP"
1656
	view-first: yes
1654
	view-first: yes
1657
EOF
1655
EOF
1658
 
1656
 
1659
	# Configuration file for forward unbound
1657
	# Configuration file for forward unbound
1660
	cat << EOF > /etc/unbound/unbound.conf
1658
	cat << EOF > /etc/unbound/unbound.conf
1661
server:
1659
server:
1662
	verbosity: 1
1660
	verbosity: 1
1663
	hide-version: yes
1661
	hide-version: yes
1664
	hide-identity: yes
1662
	hide-identity: yes
1665
	do-ip6: no
1663
	do-ip6: no
1666
 
1664
 
1667
	include: /etc/unbound/conf.d/common/forward-zone.conf
1665
	include: /etc/unbound/conf.d/common/forward-zone.conf
1668
	include: /etc/unbound/conf.d/common/local-forward/*
1666
	include: /etc/unbound/conf.d/common/local-forward/*
1669
	include: /etc/unbound/conf.d/common/local-dns/*
1667
	include: /etc/unbound/conf.d/common/local-dns/*
1670
	include: /etc/unbound/conf.d/forward/*
1668
	include: /etc/unbound/conf.d/forward/*
1671
EOF
1669
EOF
1672
 
1670
 
1673
	# Configuration file for $INTIF of blacklist unbound
1671
	# Configuration file for $INTIF of blacklist unbound
1674
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1672
	cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1675
server:
1673
server:
1676
	interface: ${PRIVATE_IP}@54
1674
	interface: ${PRIVATE_IP}@54
1677
	access-control: $PRIVATE_IP_MASK allow
1675
	access-control: $PRIVATE_IP_MASK allow
1678
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1676
	access-control-tag: $PRIVATE_IP_MASK "blacklist"
1679
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1677
	access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1680
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1678
	access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1681
EOF
1679
EOF
1682
 
1680
 
1683
	# Configuration file for blacklist unbound
1681
	# Configuration file for blacklist unbound
1684
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1682
	cat << EOF > /etc/unbound/unbound-blacklist.conf
1685
server:
1683
server:
1686
	verbosity: 1
1684
	verbosity: 1
1687
	hide-version: yes
1685
	hide-version: yes
1688
	hide-identity: yes
1686
	hide-identity: yes
1689
	do-ip6: no
1687
	do-ip6: no
1690
	logfile: "/var/log/unbound/unbound-blacklist.log"
1688
	logfile: "/var/log/unbound/unbound-blacklist.log"
1691
	chroot: ""
1689
	chroot: ""
1692
	define-tag: "blacklist"
1690
	define-tag: "blacklist"
1693
	log-local-actions: yes
1691
	log-local-actions: yes
1694
 
1692
 
1695
	include: /etc/unbound/conf.d/common/forward-zone.conf
1693
	include: /etc/unbound/conf.d/common/forward-zone.conf
1696
	include: /etc/unbound/conf.d/common/local-forward/*
1694
	include: /etc/unbound/conf.d/common/local-forward/*
1697
	include: /etc/unbound/conf.d/common/local-dns/*
1695
	include: /etc/unbound/conf.d/common/local-dns/*
1698
	include: /etc/unbound/conf.d/blacklist/*
1696
	include: /etc/unbound/conf.d/blacklist/*
1699
 
1697
 
1700
	include: /usr/local/share/unbound-bl-enabled/*
1698
	include: /usr/local/share/unbound-bl-enabled/*
1701
EOF
1699
EOF
1702
 
1700
 
1703
	# Configuration file for $INTIF of whitelist unbound
1701
	# Configuration file for $INTIF of whitelist unbound
1704
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1702
	cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1705
server:
1703
server:
1706
	interface: ${PRIVATE_IP}@55
1704
	interface: ${PRIVATE_IP}@55
1707
	access-control: $PRIVATE_IP_MASK allow
1705
	access-control: $PRIVATE_IP_MASK allow
1708
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1706
	access-control-tag: $PRIVATE_IP_MASK "whitelist"
1709
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1707
	access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1710
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1708
	access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1711
EOF
1709
EOF
1712
 
1710
 
1713
	# Configuration file for whitelist unbound
1711
	# Configuration file for whitelist unbound
1714
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1712
	cat << EOF > /etc/unbound/unbound-whitelist.conf
1715
server:
1713
server:
1716
	verbosity: 1
1714
	verbosity: 1
1717
	hide-version: yes
1715
	hide-version: yes
1718
	hide-identity: yes
1716
	hide-identity: yes
1719
	do-ip6: no
1717
	do-ip6: no
1720
	do-not-query-localhost: no
1718
	do-not-query-localhost: no
1721
	define-tag: "whitelist"
1719
	define-tag: "whitelist"
1722
 
1720
 
1723
	local-zone: "." transparent
1721
	local-zone: "." transparent
1724
	local-zone-tag: "." "whitelist"
1722
	local-zone-tag: "." "whitelist"
1725
 
1723
 
1726
	include: /usr/local/share/unbound-wl-enabled/*
1724
	include: /usr/local/share/unbound-wl-enabled/*
1727
	include: /etc/unbound/conf.d/whitelist/*
1725
	include: /etc/unbound/conf.d/whitelist/*
1728
	include: /etc/unbound/conf.d/common/local-dns/*
1726
	include: /etc/unbound/conf.d/common/local-dns/*
1729
	include: /etc/unbound/conf.d/common/local-forward/*
1727
	include: /etc/unbound/conf.d/common/local-forward/*
1730
 
1728
 
1731
forward-zone:
1729
forward-zone:
1732
	name: "."
1730
	name: "."
1733
	forward-addr: 127.0.0.1@55
1731
	forward-addr: 127.0.0.1@55
1734
EOF
1732
EOF
1735
 
1733
 
1736
	# Configuration file for $INTIF of blackhole unbound
1734
	# Configuration file for $INTIF of blackhole unbound
1737
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1735
	cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1738
server:
1736
server:
1739
	interface: ${PRIVATE_IP}@56
1737
	interface: ${PRIVATE_IP}@56
1740
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1738
	access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1741
 
1739
 
1742
view:
1740
view:
1743
	name: "$INTIF"
1741
	name: "$INTIF"
1744
	local-zone: "." redirect
1742
	local-zone: "." redirect
1745
	local-data: ". A $PRIVATE_IP"
1743
	local-data: ". A $PRIVATE_IP"
1746
EOF
1744
EOF
1747
 
1745
 
1748
	# Configuration file for blackhole unbound
1746
	# Configuration file for blackhole unbound
1749
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1747
	cat << EOF > /etc/unbound/unbound-blackhole.conf
1750
server:
1748
server:
1751
	verbosity: 1
1749
	verbosity: 1
1752
	hide-version: yes
1750
	hide-version: yes
1753
	hide-identity: yes
1751
	hide-identity: yes
1754
	do-ip6: no
1752
	do-ip6: no
1755
 
1753
 
1756
	include: /etc/unbound/conf.d/blackhole/*
1754
	include: /etc/unbound/conf.d/blackhole/*
1757
	include: /etc/unbound/conf.d/common/local-dns/*
1755
	include: /etc/unbound/conf.d/common/local-dns/*
1758
	include: /etc/unbound/conf.d/common/local-forward/*
1756
	include: /etc/unbound/conf.d/common/local-forward/*
1759
EOF
1757
EOF
1760
 
1758
 
1761
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1759
	if [ ! -e /lib/systemd/system/unbound.service.default ]
1762
	then
1760
	then
1763
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1761
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1764
	fi
1762
	fi
1765
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1763
	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1766
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1764
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1767
 
1765
 
1768
	for list in blacklist blackhole whitelist
1766
	for list in blacklist blackhole whitelist
1769
	do
1767
	do
1770
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1768
		cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1771
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1769
		$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1772
		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1770
		$SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1773
	done
1771
	done
1774
 
1772
 
1775
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1773
	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1776
} # End unbound
1774
} # End unbound
1777
 
1775
 
1778
##################################################
1776
##################################################
1779
##              Function "dhcpd"                ##
1777
##              Function "dhcpd"                ##
1780
##################################################
1778
##################################################
1781
dhcpd ()
1779
dhcpd ()
1782
{
1780
{
1783
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1781
	[ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1784
 
1782
 
1785
	cat <<EOF > /etc/dhcpd.conf
1783
	cat <<EOF > /etc/dhcpd.conf
1786
ddns-update-style none;
1784
ddns-update-style none;
1787
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1785
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1788
	option routers $PRIVATE_IP;
1786
	option routers $PRIVATE_IP;
1789
	option subnet-mask $PRIVATE_NETMASK;
1787
	option subnet-mask $PRIVATE_NETMASK;
1790
	option domain-name-servers $PRIVATE_IP;
1788
	option domain-name-servers $PRIVATE_IP;
1791
 
1789
 
1792
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1790
	range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1793
	default-lease-time 21600;
1791
	default-lease-time 21600;
1794
	max-lease-time 43200;
1792
	max-lease-time 43200;
1795
}
1793
}
1796
EOF
1794
EOF
1797
}
1795
}
1798
 
1796
 
1799
##########################################################
1797
##########################################################
1800
##                      Function "BL"                   ##
1798
##                      Function "BL"                   ##
1801
## - copy Toulouse BL                                   ##
1799
## - copy Toulouse BL                                   ##
1802
## - adapt this BL to ALCASAR architecture              ##
1800
## - adapt this BL to ALCASAR architecture              ##
1803
##     - domain names for unbound-bl & unbound-wl       ##
1801
##     - domain names for unbound-bl & unbound-wl       ##
1804
##     - URLs for E²guardian                            ##
1802
##     - URLs for E²guardian                            ##
1805
##     - IPs for NetFilter                              ##
1803
##     - IPs for NetFilter                              ##
1806
##########################################################
1804
##########################################################
1807
BL ()
1805
BL ()
1808
{
1806
{
1809
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1807
	# copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1810
	rm -rf $DIR_DG/lists/blacklists
1808
	rm -rf $DIR_DG/lists/blacklists
1811
	mkdir -p /tmp/blacklists
1809
	mkdir -p /tmp/blacklists
1812
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1810
	cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1813
# creation of file for the rehabilited domains and urls
1811
# creation of file for the rehabilited domains and urls
1814
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1812
	[ -e $DIR_DG/lists/exceptionsitelist.default ] || mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
1815
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1813
	[ -e $DIR_DG/lists/exceptionurllist.default ] || mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
1816
	touch $DIR_DG/lists/exceptionsitelist
1814
	touch $DIR_DG/lists/exceptionsitelist
1817
	touch $DIR_DG/lists/exceptionurllist
1815
	touch $DIR_DG/lists/exceptionurllist
1818
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
1816
# On crée la configuration de base du filtrage de domaine et d'URL pour E2guardian
1819
	cat <<EOF > $DIR_DG/lists/bannedurllist
1817
	cat <<EOF > $DIR_DG/lists/bannedurllist
1820
# E2guardian filter config for ALCASAR
1818
# E2guardian filter config for ALCASAR
1821
EOF
1819
EOF
1822
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1820
	cat <<EOF > $DIR_DG/lists/bannedsitelist
1823
# E2guardian domain filter config for ALCASAR
1821
# E2guardian domain filter config for ALCASAR
1824
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1822
# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
1825
#**
1823
#**
1826
# block all SSL and CONNECT tunnels
1824
# block all SSL and CONNECT tunnels
1827
**s
1825
**s
1828
# block all SSL and CONNECT tunnels specified only as an IP
1826
# block all SSL and CONNECT tunnels specified only as an IP
1829
*ips
1827
*ips
1830
# block all sites specified only by an IP
1828
# block all sites specified only by an IP
1831
*ip
1829
*ip
1832
EOF
1830
EOF
1833
# Add Bing to the safesearch url regext list (parental control)
1831
# Add Bing to the safesearch url regext list (parental control)
1834
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1832
	cat <<EOF >> $DIR_DG/lists/urlregexplist
1835
# Bing - add 'adlt=strict'
1833
# Bing - add 'adlt=strict'
1836
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1834
#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]*\?)(.*)"->"\1\2&adlt=strict"
1837
EOF
1835
EOF
1838
# change the google safesearch ("safe=strict" instead of "safe=vss")
1836
# change the google safesearch ("safe=strict" instead of "safe=vss")
1839
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1837
	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1840
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1838
# creation of the custom BL and WL categorie named "ossi" (for domain names & ip only)
1841
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1839
	mkdir -p $DIR_DG/lists/blacklists/ossi-bl
1842
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1840
	touch $DIR_DG/lists/blacklists/ossi-bl/domains
1843
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1841
	echo "ossi-bl" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1844
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1842
	mkdir -p $DIR_DG/lists/blacklists/ossi-wl
1845
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1843
	touch $DIR_DG/lists/blacklists/ossi-wl/domains
1846
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1844
	echo "ossi-wl" >> $DIR_DEST_ETC/alcasar-wl-categories-enabled
1847
# add custom ALCASAR BL files
1845
# add custom ALCASAR BL files
1848
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1846
	for x in $(ls $DIR_BLACKLIST | grep -v "^blacklist")
1849
	do
1847
	do
1850
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1848
		mkdir $DIR_DG/lists/blacklists/ossi-bl-$x
1851
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1849
		cp $DIR_BLACKLIST/$x  $DIR_DG/lists/blacklists/ossi-bl-$x/domains
1852
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1850
		echo "ossi-bl-$x" >> $DIR_DEST_ETC/alcasar-bl-categories-enabled
1853
	done
1851
	done
1854
	chown -R e2guardian:apache $DIR_DG
1852
	chown -R e2guardian:apache $DIR_DG
1855
	chown -R root:apache $DIR_DEST_SHARE
1853
	chown -R root:apache $DIR_DEST_SHARE
1856
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1854
	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1857
# adapt the Toulouse BL to ALCASAR architecture
1855
# adapt the Toulouse BL to ALCASAR architecture
1858
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1856
	$DIR_DEST_BIN/alcasar-bl.sh --adapt
1859
# enable the default categories
1857
# enable the default categories
1860
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1858
	$DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1861
	rm -rf /tmp/blacklists
1859
	rm -rf /tmp/blacklists
1862
} # End BL()
1860
} # End BL()
1863
 
1861
 
1864
#######################################################
1862
#######################################################
1865
##                  Function "cron"                  ##
1863
##                  Function "cron"                  ##
1866
## - write all cron & anacron files                  ##
1864
## - write all cron & anacron files                  ##
1867
#######################################################
1865
#######################################################
1868
cron ()
1866
cron ()
1869
{
1867
{
1870
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1868
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1871
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1869
	[ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1872
	cat <<EOF > /etc/crontab
1870
	cat <<EOF > /etc/crontab
1873
SHELL=/usr/bin/bash
1871
SHELL=/usr/bin/bash
1874
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1872
PATH=/sbin:/bin:/usr/sbin:/usr/bin
1875
MAILTO=root
1873
MAILTO=root
1876
HOME=/
1874
HOME=/
1877
 
1875
 
1878
# run-parts
1876
# run-parts
1879
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1877
01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
1880
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1878
02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
1881
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1879
22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
1882
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1880
42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
1883
EOF
1881
EOF
1884
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1882
	[ -e /etc/anacrontab.default ] || cp /etc/anacrontab /etc/anacrontab.default
1885
	cat <<EOF >> /etc/anacrontab
1883
	cat <<EOF >> /etc/anacrontab
1886
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1884
7	8	cron.MysqlDump		nice /etc/cron.d/alcasar-mysql
1887
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1885
7	10	cron.logExport		nice /etc/cron.d/alcasar-archive
1888
EOF
1886
EOF
1889
	cat <<EOF > /etc/cron.d/alcasar-mysql
1887
	cat <<EOF > /etc/cron.d/alcasar-mysql
1890
# Verify, repair and export users database (every monday at 4:45 am)
1888
# Verify, repair and export users database (every monday at 4:45 am)
1891
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1889
45 4 * * 1 root $DIR_DEST_BIN/alcasar-mysql.sh --dump
1892
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1890
# Remove users whose expiration date is exceeded for more more than 7 days (every Monday at 4:40 am)
1893
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1891
40 4 * * * root $DIR_DEST_BIN/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1894
EOF
1892
EOF
1895
	cat <<EOF > /etc/cron.d/alcasar-archive
1893
	cat <<EOF > /etc/cron.d/alcasar-archive
1896
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1894
# Archiving logs (traceability & users database) (every Monday at 5:35 am)
1897
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1895
35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
1898
EOF
1896
EOF
1899
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1897
	cat <<EOF > /etc/cron.d/alcasar-ticket-clean
1900
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1898
# Remove password files (created when importing users by CSV files) and user's PDF voucher (every hours at 30')
1901
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1899
30 * * * *  root $DIR_DEST_BIN/alcasar-ticket-clean.sh
1902
EOF
1900
EOF
1903
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1901
	cat <<EOF > /etc/cron.d/alcasar-distrib-updates
1904
# Update the system (everyday at 3:30 am)
1902
# Update the system (everyday at 3:30 am)
1905
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1903
30 3 * * *  root /usr/sbin/urpmi --auto-update --auto 2>&1
1906
EOF
1904
EOF
1907
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1905
	cat <<EOF > /etc/cron.d/alcasar-connections-stats
1908
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1906
# Connection stats update (accounting). These Perl scripts are from "dialup_admin" (cf. wiki.freeradius.org/Dialup_admin).
1909
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1907
# 'alcasar-tot_stats' : aggregate the daily connections of users and write it in the table 'totacct' (everyday at 1:01 pm)
1910
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1908
# 'alcasar-monthly_tot_stat' : aggregate the monthly connections of users and write it in table 'mtotacct' (everyday at 1h05 pm)
1911
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1909
# 'alcasar-truncate_raddact' : remove the user' session log older than 365 days (applying French law : "LCEN") (every month, the first at 01:10 pm)
1912
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1910
# 'alcasar-clean_radacct' : close the sessions openned for more than 30 days (every month, the first at 01:15 pm)
1913
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1911
# 'alcasar-activity_report.sh' : generate an activity report in PDF (every sunday at 5:35 pm)
1914
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1912
1 1 * * * root $DIR_DEST_BIN/alcasar-tot_stats > /dev/null 2>&1
1915
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1913
5 1 * * * root $DIR_DEST_BIN/alcasar-monthly_tot_stats > /dev/null 2>&1
1916
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1914
10 1 1 * * root $DIR_DEST_BIN/alcasar-truncate_radacct > /dev/null 2>&1
1917
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1915
15 1 1 * * root $DIR_DEST_BIN/alcasar-clean_radacct > /dev/null 2>&1
1918
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1916
35 5 * * 0 root $DIR_DEST_BIN/alcasar-activity_report.sh > /dev/null 2>&1
1919
EOF
1917
EOF
1920
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1918
	cat <<EOF > /etc/cron.d/alcasar-watchdog
1921
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1919
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
1922
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1920
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
1923
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1921
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
1924
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1922
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
1925
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1923
0 5 * * 0 root $DIR_DEST_BIN/alcasar-flush_ipset_wl.sh > /dev/null 2>&1
1926
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1924
#* * * * * root $DIR_DEST_BIN/alcasar-watchdog-hl.sh > /dev/null 2>&1
1927
EOF
1925
EOF
1928
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1926
	cat <<EOF > /etc/cron.d/alcasar-daemon-watchdog
1929
# start dead daemons (after boot process and every 18')
1927
# start dead daemons (after boot process and every 18')
1930
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1928
@reboot root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1931
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1929
*/18 * * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
1932
EOF
1930
EOF
1933
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1931
	cat <<EOF > /etc/cron.d/alcasar-rsync-bl
1934
# Automatic update the BL via rsync (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1932
# Automatic update the BL via rsync (every 12 hours). The enabled categories are listed in '/usr/local/etc/update_cat.conf' (no sync if empty).
1935
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1933
0 */12 * * * root $DIR_DEST_BIN/alcasar-bl.sh --update_cat > /dev/null 2>&1
1936
EOF
1934
EOF
1937
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1935
	cat <<EOF > /etc/cron.d/alcasar-letsencrypt
1938
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1936
# Automatic renew the Let's Encrypt certificate (daily --> see "cron.daily")
1939
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1937
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1940
EOF
1938
EOF
1941
 
1939
 
1942
# removing the users crons
1940
# removing the users crons
1943
	rm -f /var/spool/cron/*
1941
	rm -f /var/spool/cron/*
1944
} # End cron()
1942
} # End cron()
1945
 
1943
 
1946
######################################################################
1944
######################################################################
1947
##                      Fonction "Fail2Ban"                         ##
1945
##                      Fonction "Fail2Ban"                         ##
1948
##- Adapt conf file to ALCASAR                                      ##
1946
##- Adapt conf file to ALCASAR                                      ##
1949
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1947
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1950
######################################################################
1948
######################################################################
1951
fail2ban()
1949
fail2ban()
1952
{
1950
{
1953
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1951
	/usr/bin/sh $DIR_CONF/fail2ban.sh
1954
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1952
# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1955
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1953
	[ -e /var/log/fail2ban.log ] || touch /var/log/fail2ban.log
1956
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1954
	[ -e /var/Save/security/watchdog.log ] || touch /var/Save/security/watchdog.log
1957
	chmod 644 /var/log/fail2ban.log
1955
	chmod 644 /var/log/fail2ban.log
1958
	chmod 644 /var/Save/security/watchdog.log
1956
	chmod 644 /var/Save/security/watchdog.log
1959
	/usr/bin/touch /var/log/auth.log
1957
	/usr/bin/touch /var/log/auth.log
1960
# fail2ban unit
1958
# fail2ban unit
1961
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1959
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1962
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1960
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1963
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1961
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1964
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1962
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1965
} # End fail2ban()
1963
} # End fail2ban()
1966
 
1964
 
1967
#########################################################
1965
#########################################################
1968
##                   Fonction "gammu_smsd"             ##
1966
##                   Fonction "gammu_smsd"             ##
1969
## - Creating of SMS management database               ##
1967
## - Creating of SMS management database               ##
1970
## - Write the gammu a gammu_smsd conf files           ##
1968
## - Write the gammu a gammu_smsd conf files           ##
1971
#########################################################
1969
#########################################################
1972
gammu_smsd()
1970
gammu_smsd()
1973
{
1971
{
1974
# Create 'gammu' system user
1972
# Create 'gammu' system user
1975
	groupadd -f gammu_smsd
1973
	groupadd -f gammu_smsd
1976
	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1974
	useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
1977
	usermod -a -G dialout gammu_smsd
1975
	usermod -a -G dialout gammu_smsd
1978
 
1976
 
1979
# Create 'gammu' database
1977
# Create 'gammu' database
1980
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1978
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
1981
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1979
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"
1982
# Add a gammu database structure
1980
# Add a gammu database structure
1983
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1981
	/usr/bin/mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/empty-gammu-smsd-db.sql
1984
 
1982
 
1985
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1983
# Config file for the gammu_smsd daemon & gammu (ttyUSB0 as default com port)
1986
	cat << EOF > /etc/gammurc
1984
	cat << EOF > /etc/gammurc
1987
[gammu]
1985
[gammu]
1988
device = /dev/ttyUSB0
1986
device = /dev/ttyUSB0
1989
connection = at115200
1987
connection = at115200
1990
EOF
1988
EOF
1991
 
1989
 
1992
	cat << EOF > /etc/gammu_smsd_conf
1990
	cat << EOF > /etc/gammu_smsd_conf
1993
[gammu]
1991
[gammu]
1994
port = /dev/ttyUSB0
1992
port = /dev/ttyUSB0
1995
connection = at115200
1993
connection = at115200
1996
 
1994
 
1997
[smsd]
1995
[smsd]
1998
PIN = 1234
1996
PIN = 1234
1999
logfile = /var/log/gammu-smsd/gammu-smsd.log
1997
logfile = /var/log/gammu-smsd/gammu-smsd.log
2000
logformat = textall
1998
logformat = textall
2001
debuglevel = 0
1999
debuglevel = 0
2002
 
2000
 
2003
service = sql
2001
service = sql
2004
driver = native_mysql
2002
driver = native_mysql
2005
user = $DB_USER
2003
user = $DB_USER
2006
password = $radiuspwd
2004
password = $radiuspwd
2007
pc = localhost
2005
pc = localhost
2008
database = $DB_GAMMU
2006
database = $DB_GAMMU
2009
 
2007
 
2010
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
2008
RunOnReceive = sudo $DIR_DEST_BIN/alcasar-sms.sh --new_sms
2011
 
2009
 
2012
StatusFrequency = 30
2010
StatusFrequency = 30
2013
;LoopSleep = 2
2011
;LoopSleep = 2
2014
 
2012
 
2015
;ResetFrequency = 300
2013
;ResetFrequency = 300
2016
;HardResetFrequency = 120
2014
;HardResetFrequency = 120
2017
 
2015
 
2018
CheckSecurity = 1
2016
CheckSecurity = 1
2019
CheckSignal = 1
2017
CheckSignal = 1
2020
CheckBattery = 0
2018
CheckBattery = 0
2021
EOF
2019
EOF
2022
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2020
	chmod 755 /etc/gammu_smsd_conf /etc/gammurc
2023
 
2021
 
2024
# Create the systemd unit
2022
# Create the systemd unit
2025
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2023
	cat << EOF > /lib/systemd/system/gammu-smsd.service
2026
[Unit]
2024
[Unit]
2027
Description=SMS daemon for Gammu
2025
Description=SMS daemon for Gammu
2028
Documentation=man:gammu-smsd(1)
2026
Documentation=man:gammu-smsd(1)
2029
After=network.target mysql.service
2027
After=network.target mysql.service
2030
 
2028
 
2031
[Service]
2029
[Service]
2032
Type=forking
2030
Type=forking
2033
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
2031
ExecStart=/usr/bin/gammu-smsd --config /etc/gammu_smsd_conf --user=gammu_smsd --group=gammu_smsd --pid=/var/run/gammu-smsd.pid --daemon
2034
ExecReload=/bin/kill -HUP $MAINPID
2032
ExecReload=/bin/kill -HUP $MAINPID
2035
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
2033
ExecStopPost=/bin/rm -f /var/run/gammu-smsd.pid
2036
PIDFile=/var/run/gammu-smsd.pid
2034
PIDFile=/var/run/gammu-smsd.pid
2037
 
2035
 
2038
[Install]
2036
[Install]
2039
WantedBy=multi-user.target
2037
WantedBy=multi-user.target
2040
EOF
2038
EOF
2041
 
2039
 
2042
# Log folder for gammu-smsd
2040
# Log folder for gammu-smsd
2043
	[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2041
	[ -e /var/log/gammu-smsd ] || mkdir /var/log/gammu-smsd
2044
	chmod 755 /var/log/gammu-smsd
2042
	chmod 755 /var/log/gammu-smsd
2045
 
2043
 
2046
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2044
# Udev rule for Modeswitch (switch from "mass_storage" mode to "ttyUSB" modem) needed with some Huawei MODEM (idVendor: 12d1)
2047
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2045
# normally not needed now since modeswitch is managed by udev (see Mageia RPM)
2048
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2046
#cat << EOF > /lib/udev/rules.d/66-huawei.rules
2049
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2047
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2050
#EOF
2048
#EOF
2051
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2049
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2052
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2050
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2053
 
2051
 
2054
} # End gammu_smsd()
2052
} # End gammu_smsd()
2055
 
2053
 
2056
############################################################
2054
############################################################
2057
##                 Fonction "msec"                        ##
2055
##                 Fonction "msec"                        ##
2058
## - Apply the "fileserver" security level                ##
2056
## - Apply the "fileserver" security level                ##
2059
## - remove the "system request" for rebboting            ##
2057
## - remove the "system request" for rebboting            ##
2060
## - Fix several file permissions                         ##
2058
## - Fix several file permissions                         ##
2061
############################################################
2059
############################################################
2062
msec()
2060
msec()
2063
{
2061
{
2064
 
2062
 
2065
# Apply fileserver security level
2063
# Apply fileserver security level
2066
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2064
[ -e /etc/security/msec/security.conf.default ] || cp /etc/security/msec/security.conf /etc/security/msec/security.conf.default
2067
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2065
echo "BASE_LEVEL=fileserver" > /etc/security/msec/security.conf
2068
 
2066
 
2069
# Set permissions monitoring and enforcement
2067
# Set permissions monitoring and enforcement
2070
cat <<EOF > /etc/security/msec/perm.local
2068
cat <<EOF > /etc/security/msec/perm.local
2071
/var/log/firefwall/                     root.apache     750
2069
/var/log/firefwall/                     root.apache     750
2072
/var/log/firewall/*                     root.apache     640
2070
/var/log/firewall/*                     root.apache     640
2073
/etc/security/msec/perm.local           root.root       640
2071
/etc/security/msec/perm.local           root.root       640
2074
/etc/security/msec/level.local          root.root       640
2072
/etc/security/msec/level.local          root.root       640
2075
/etc/freeradius-web                     root.apache     750
2073
/etc/freeradius-web                     root.apache     750
2076
/etc/freeradius-web/admin.conf          root.apache     640
2074
/etc/freeradius-web/admin.conf          root.apache     640
2077
/etc/raddb/client.conf                  radius.radius   640
2075
/etc/raddb/client.conf                  radius.radius   640
2078
/etc/raddb/radius.conf                  radius.radius   640
2076
/etc/raddb/radius.conf                  radius.radius   640
2079
/etc/raddb/mods-available/ldap          radius.apache   660
2077
/etc/raddb/mods-available/ldap          radius.apache   660
2080
/etc/raddb/sites-available/alcasar      radius.apache   660
2078
/etc/raddb/sites-available/alcasar      radius.apache   660
2081
/etc/pki/*                              root.apache     750
2079
/etc/pki/*                              root.apache     750
2082
/var/log/netflow/porttracker            root.apache     770
2080
/var/log/netflow/porttracker            root.apache     770
2083
/var/log/netflow/porttracker/*          root.apache     660
2081
/var/log/netflow/porttracker/*          root.apache     660
2084
EOF
2082
EOF
2085
# apply now hourly & daily checks
2083
# apply now hourly & daily checks
2086
/usr/sbin/msec
2084
/usr/sbin/msec
2087
/etc/cron.weekly/msec
2085
/etc/cron.weekly/msec
2088
 
2086
 
2089
} # End msec()
2087
} # End msec()
2090
 
2088
 
2091
 
2089
 
2092
##################################################################
2090
##################################################################
2093
##                   Fonction "letsencrypt"                     ##
2091
##                   Fonction "letsencrypt"                     ##
2094
## - Install Let's Encrypt client                               ##
2092
## - Install Let's Encrypt client                               ##
2095
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2093
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2096
##################################################################
2094
##################################################################
2097
letsencrypt()
2095
letsencrypt()
2098
{
2096
{
2099
	echo "Installing Let's Encrypt client..."
2097
	echo "Installing Let's Encrypt client..."
2100
 
2098
 
2101
	# Remove potential old installers
2099
	# Remove potential old installers
2102
	rm -rf /tmp/acme.sh-*
2100
	rm -rf /tmp/acme.sh-*
2103
 
2101
 
2104
	# Extract acme.sh
2102
	# Extract acme.sh
2105
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2103
	tar xzf ./conf/letsencrypt-client/acme.sh-*.tar.gz -C /tmp/
2106
 
2104
 
2107
	pwdInstall=$(pwd)
2105
	pwdInstall=$(pwd)
2108
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2106
	cd /tmp/acme.sh-* || { echo "Unable to find ACME directory"; exit 1; }
2109
 
2107
 
2110
	acmesh_installDir="/opt/acme.sh"
2108
	acmesh_installDir="/opt/acme.sh"
2111
	acmesh_confDir="/usr/local/etc/letsencrypt"
2109
	acmesh_confDir="/usr/local/etc/letsencrypt"
2112
	acmesh_userAgent="ALCASAR"
2110
	acmesh_userAgent="ALCASAR"
2113
 
2111
 
2114
	# Install acme.sh
2112
	# Install acme.sh
2115
	./acme.sh --install \
2113
	./acme.sh --install \
2116
		--home $acmesh_installDir \
2114
		--home $acmesh_installDir \
2117
		--config-home $acmesh_confDir/data \
2115
		--config-home $acmesh_confDir/data \
2118
		--certhome $acmesh_confDir/certs \
2116
		--certhome $acmesh_confDir/certs \
2119
		--accountkey $acmesh_confDir/ca/account.key \
2117
		--accountkey $acmesh_confDir/ca/account.key \
2120
		--accountconf $acmesh_confDir/data/account.conf \
2118
		--accountconf $acmesh_confDir/data/account.conf \
2121
		--useragent $acmesh_userAgent \
2119
		--useragent $acmesh_userAgent \
2122
		--nocron \
2120
		--nocron \
2123
		> /dev/null
2121
		> /dev/null
2124
 
2122
 
2125
	if [ $? -ne 0 ]; then
2123
	if [ $? -ne 0 ]; then
2126
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2124
		echo "Error during installation of Let's Encrypt client (acme.sh)."
2127
	fi
2125
	fi
2128
 
2126
 
2129
	# Create configuration file
2127
	# Create configuration file
2130
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2128
	cat <<EOF > /usr/local/etc/alcasar-letsencrypt
2131
email=
2129
email=
2132
dateIssueRequest=
2130
dateIssueRequest=
2133
domainRequest=
2131
domainRequest=
2134
challenge=
2132
challenge=
2135
dateIssued=
2133
dateIssued=
2136
dnsapi=
2134
dnsapi=
2137
dateNextRenewal=
2135
dateNextRenewal=
2138
EOF
2136
EOF
2139
 
2137
 
2140
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2138
	cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2141
	rm -rf /tmp/acme.sh-*
2139
	rm -rf /tmp/acme.sh-*
2142
 
2140
 
2143
} # END letsencrypt()
2141
} # END letsencrypt()
2144
 
2142
 
2145
##################################################################
2143
##################################################################
2146
##                    Fonction "post_install"                   ##
2144
##                    Fonction "post_install"                   ##
2147
## - Modifying banners (locals et ssh) & prompts                ##
2145
## - Modifying banners (locals et ssh) & prompts                ##
2148
## - SSH config                                                 ##
2146
## - SSH config                                                 ##
2149
## - sudoers config & files security                            ##
2147
## - sudoers config & files security                            ##
2150
## - log rotate & ANSSI security parameters                     ##
2148
## - log rotate & ANSSI security parameters                     ##
2151
## - Apply former conf in case of an update                     ##
2149
## - Apply former conf in case of an update                     ##
2152
##################################################################
2150
##################################################################
2153
post_install()
2151
post_install()
2154
{
2152
{
2155
# change the SSH banner
2153
# change the SSH banner
2156
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2154
	cp -f $DIR_CONF/banner /etc/ssh/alcasar-banner-ssh
2157
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2155
	echo " V$VERSION" >> /etc/ssh/alcasar-banner-ssh
2158
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2156
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
2159
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2157
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
2160
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2158
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2161
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2159
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
2162
# postfix banner anonymisation
2160
# postfix banner anonymisation
2163
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2161
	$SED "s?^smtpd_banner =.*?smtpd_banner = \$myhostname ESMTP?g" /etc/postfix/main.cf
2164
	chown -R postfix:postfix /var/lib/postfix
2162
	chown -R postfix:postfix /var/lib/postfix
2165
# sshd liste on EXTIF & INTIF
2163
# sshd liste on EXTIF & INTIF
2166
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2164
	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
2167
# sshd authorized certificate for root login
2165
# sshd authorized certificate for root login
2168
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2166
	$SED "s?^PermitRootLogin.*?PermitRootLogin without-password?g" /etc/ssh/sshd_config
2169
# ALCASAR conf file
2167
# ALCASAR conf file
2170
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
2168
	echo "HTTPS_LOGIN=on" >> $CONF_FILE
2171
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2169
	echo "HTTPS_CHILLI=off" >> $CONF_FILE
2172
	echo "SSH=on" >> $CONF_FILE
2170
	echo "SSH=on" >> $CONF_FILE
2173
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2171
	echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
2174
	echo "LDAP=off" >> $CONF_FILE
2172
	echo "LDAP=off" >> $CONF_FILE
2175
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2173
	echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
2176
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2174
	echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
2177
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2175
	echo "LDAP_UID=sAMAccountName" >> $CONF_FILE
2178
	echo "LDAP_FILTER=" >> $CONF_FILE
2176
	echo "LDAP_FILTER=" >> $CONF_FILE
2179
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2177
	echo "LDAP_USER=alcasar" >> $CONF_FILE
2180
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2178
	echo "LDAP_PASSWORD=" >> $CONF_FILE
2181
	echo "LDAP_SSL=on" >> $CONF_FILE
2179
	echo "LDAP_SSL=on" >> $CONF_FILE
2182
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2180
	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
2183
	echo "SMS=off" >> $CONF_FILE
2181
	echo "SMS=off" >> $CONF_FILE
2184
	echo "SMS_NUM=" >> $CONF_FILE
2182
	echo "SMS_NUM=" >> $CONF_FILE
2185
	echo "MULTIWAN=off" >> $CONF_FILE
2183
	echo "MULTIWAN=off" >> $CONF_FILE
2186
	echo "FAILOVER=30" >> $CONF_FILE
2184
	echo "FAILOVER=30" >> $CONF_FILE
2187
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2185
	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
2188
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2186
	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
2189
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2187
	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
2190
	echo "BL_PUREIP=on" >> $CONF_FILE
2188
	echo "BL_PUREIP=on" >> $CONF_FILE
2191
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2189
	echo "BL_SAFESEARCH=off" >> $CONF_FILE
2192
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2190
	echo "WL_SAFESEARCH=off" >> $CONF_FILE
2193
# Prompt customisation (colors)
2191
# Prompt customisation (colors)
2194
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2192
	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
2195
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2193
	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
2196
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2194
	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
2197
# sudoers configuration for "apache" & "sysadmin"
2195
# sudoers configuration for "apache" & "sysadmin"
2198
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2196
	[ -e /etc/sudoers.default ]  || cp /etc/sudoers /etc/sudoers.default
2199
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2197
	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
2200
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2198
	$SED "s?^Host_Alias.*?Host_Alias	LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost		#réseau de l'organisme?g" /etc/sudoers
2201
# Modify some logrotate files (gammu, ulogd)
2199
# Modify some logrotate files (gammu, ulogd)
2202
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2200
	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
2203
	chmod 644 /etc/logrotate.d/*
2201
	chmod 644 /etc/logrotate.d/*
2204
# Log compression
2202
# Log compression
2205
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2203
	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
2206
# actualisation des fichiers logs compressés
2204
# actualisation des fichiers logs compressés
2207
	for dir in firewall e2guardian lighttpd
2205
	for dir in firewall e2guardian lighttpd
2208
	do
2206
	do
2209
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2207
		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
2210
	done
2208
	done
2211
# create the alcasar-load_balancing unit
2209
# create the alcasar-load_balancing unit
2212
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2210
	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
2213
#  This file is part of systemd.
2211
#  This file is part of systemd.
2214
#
2212
#
2215
#  systemd is free software; you can redistribute it and/or modify it
2213
#  systemd is free software; you can redistribute it and/or modify it
2216
#  under the terms of the GNU General Public License as published by
2214
#  under the terms of the GNU General Public License as published by
2217
#  the Free Software Foundation; either version 2 of the License, or
2215
#  the Free Software Foundation; either version 2 of the License, or
2218
#  (at your option) any later version.
2216
#  (at your option) any later version.
2219
 
2217
 
2220
# This unit lauches alcasar-load-balancing.sh script.
2218
# This unit lauches alcasar-load-balancing.sh script.
2221
[Unit]
2219
[Unit]
2222
Description=alcasar-load_balancing.sh execution
2220
Description=alcasar-load_balancing.sh execution
2223
After=network.target iptables.service
2221
After=network.target iptables.service
2224
 
2222
 
2225
[Service]
2223
[Service]
2226
Type=oneshot
2224
Type=oneshot
2227
RemainAfterExit=yes
2225
RemainAfterExit=yes
2228
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2226
ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
2229
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2227
ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
2230
TimeoutSec=0
2228
TimeoutSec=0
2231
SysVStartPriority=99
2229
SysVStartPriority=99
2232
 
2230
 
2233
[Install]
2231
[Install]
2234
WantedBy=multi-user.target
2232
WantedBy=multi-user.target
2235
EOF
2233
EOF
2236
	/usr/bin/systemctl daemon-reload
2234
	/usr/bin/systemctl daemon-reload
2237
# processes launched at boot time (Systemctl)
2235
# processes launched at boot time (Systemctl)
2238
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2236
	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfsen e2guardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat sshd
2239
	do
2237
	do
2240
		/usr/bin/systemctl -q enable $i.service
2238
		/usr/bin/systemctl -q enable $i.service
2241
	done
2239
	done
2242
 
2240
 
2243
# disable processes at boot time (Systemctl)
2241
# disable processes at boot time (Systemctl)
2244
	for i in ulogd gpm dhcpd
2242
	for i in ulogd gpm dhcpd
2245
	do
2243
	do
2246
		/usr/bin/systemctl -q disable $i.service
2244
		/usr/bin/systemctl -q disable $i.service
2247
	done
2245
	done
2248
 
2246
 
2249
# Apply French Security Agency (ANSSI) rules
2247
# Apply French Security Agency (ANSSI) rules
2250
# ignore ICMP broadcast (smurf attack)
2248
# ignore ICMP broadcast (smurf attack)
2251
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2249
	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
2252
# ignore ICMP errors bogus
2250
# ignore ICMP errors bogus
2253
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2251
	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
2254
# remove ICMP redirects responces
2252
# remove ICMP redirects responces
2255
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2253
	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2256
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2254
	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
2257
# enable SYN Cookies (Syn flood attacks)
2255
# enable SYN Cookies (Syn flood attacks)
2258
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2256
	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
2259
# enable kernel antispoofing
2257
# enable kernel antispoofing
2260
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2258
	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
2261
# ignore source routing
2259
# ignore source routing
2262
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2260
	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
2263
# set conntrack timer to 1h (3600s) instead of 5 weeks
2261
# set conntrack timer to 1h (3600s) instead of 5 weeks
2264
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2262
	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
2265
# disable log_martians (ALCASAR is often installed between two private network addresses)
2263
# disable log_martians (ALCASAR is often installed between two private network addresses)
2266
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2264
	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
2267
# disable iptables_helpers
2265
# disable iptables_helpers
2268
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2266
	echo "net.netfilter.nf_conntrack_helper = 0" >> /etc/sysctl.d/alcasar.conf
2269
# Switch to the router mode
2267
# Switch to the router mode
2270
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2268
	echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/alcasar.conf
2271
# Remove unused service ipv6
2269
# Remove unused service ipv6
2272
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2270
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2273
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2271
	echo "net.ipv6.conf.all.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2274
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2272
	echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/alcasar.conf
2275
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2273
	echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf
2276
# switch to multi-users runlevel (instead of x11)
2274
# switch to multi-users runlevel (instead of x11)
2277
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2275
	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
2278
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2276
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner
2279
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2277
	[ -e /etc/default/grub.default ]  || cp /etc/default/grub /etc/default/grub.default
2280
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2278
	$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub
2281
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2279
	$SED "s?^GRUB_DISTRIBUTOR=.*?GRUB_DISTRIBUTOR=ALCASAR?g" /etc/default/grub
2282
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2280
	[ -e /etc/mageia-release.default ]  || cp /etc/mageia-release /etc/mageia-release.default
2283
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2281
	vm_vga=`lsmod | egrep -c "virtio|vmwgfx"` # test if in VM
2284
	if [ $vm_vga == 0 ] # is not a VM
2282
	if [ $vm_vga == 0 ] # is not a VM
2285
	then
2283
	then
2286
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2284
		cp -f $DIR_CONF/banner /etc/mageia-release # ALCASAR ASCII-Art
2287
		echo >> /etc/mageia-release
2285
		echo >> /etc/mageia-release
2288
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2286
		$SED "s?^GRUB_CMDLINE_LINUX_DEFAULT=\"?&vga=791 ?" /etc/default/grub
2289
	fi
2287
	fi
2290
	if [ $Lang == "fr" ]
2288
	if [ $Lang == "fr" ]
2291
	then
2289
	then
2292
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2290
		echo "Bienvenue sur ALCASAR V$VERSION" >> /etc/mageia-release
2293
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2291
		echo "Connectez-vous à l'URL 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2294
	else
2292
	else
2295
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2293
		echo "Welcome on ALCASAR V$VERSION" >> /etc/mageia-release
2296
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2294
		echo "Connect to 'https://$HOSTNAME.$DOMAIN/acc'" >> /etc/mageia-release
2297
	fi
2295
	fi
2298
	/usr/bin/update-grub2
2296
	/usr/bin/update-grub2
2299
# Load and apply the previous conf file
2297
# Load and apply the previous conf file
2300
	if [ "$mode" = "update" ]
2298
	if [ "$mode" = "update" ]
2301
	then
2299
	then
2302
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2300
		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/archive
2303
		$DIR_DEST_BIN/alcasar-conf.sh --load
2301
		$DIR_DEST_BIN/alcasar-conf.sh --load
2304
		PARENT_SCRIPT=`basename $0`
2302
		PARENT_SCRIPT=`basename $0`
2305
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2303
		export PARENT_SCRIPT # to avoid stop&start process during the installation process
2306
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2304
		$DIR_DEST_BIN/alcasar-conf.sh --apply
2307
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2305
		$DIR_DEST_BIN/alcasar-file-clean.sh # Clean & sort conf files. Add uamallowed domains to the dns-blackhole conf
2308
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2306
		$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
2309
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2307
		$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
2310
	fi
2308
	fi
2311
	rm -f /var/tmp/alcasar-conf*
2309
	rm -f /var/tmp/alcasar-conf*
2312
	chown -R root:apache $DIR_DEST_ETC/*
2310
	chown -R root:apache $DIR_DEST_ETC/*
2313
	chmod -R 660 $DIR_DEST_ETC/*
2311
	chmod -R 660 $DIR_DEST_ETC/*
2314
	chmod ug+x $DIR_DEST_ETC/digest
2312
	chmod ug+x $DIR_DEST_ETC/digest
2315
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2313
	cd $DIR_INSTALL || { echo "Unable to find $DIR_INSTALL directory"; exit 1; }
2316
	echo ""
2314
	echo ""
2317
	echo "#############################################################################"
2315
	echo "#############################################################################"
2318
	if [ $Lang == "fr" ]
2316
	if [ $Lang == "fr" ]
2319
		then
2317
		then
2320
		echo "#                        Fin d'installation d'ALCASAR                       #"
2318
		echo "#                        Fin d'installation d'ALCASAR                       #"
2321
		echo "#                                                                           #"
2319
		echo "#                                                                           #"
2322
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2320
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2323
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2321
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2324
		echo "#                                                                           #"
2322
		echo "#                                                                           #"
2325
		echo "#############################################################################"
2323
		echo "#############################################################################"
2326
		echo
2324
		echo
2327
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2325
		echo "- ALCASAR sera fonctionnel après redémarrage du système"
2328
		echo
2326
		echo
2329
		echo "- Lisez attentivement la documentation d'exploitation"
2327
		echo "- Lisez attentivement la documentation d'exploitation"
2330
		echo
2328
		echo
2331
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2329
		echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://$HOSTNAME.$DOMAIN"
2332
		echo
2330
		echo
2333
		echo "                   Appuyez sur 'Entrée' pour continuer"
2331
		echo "                   Appuyez sur 'Entrée' pour continuer"
2334
	else
2332
	else
2335
		echo "#                        End of ALCASAR install process                     #"
2333
		echo "#                        End of ALCASAR install process                     #"
2336
		echo "#                                                                           #"
2334
		echo "#                                                                           #"
2337
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2335
		echo "#         Application Libre pour le Contrôle Authentifié et Sécurisé        #"
2338
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2336
		echo "#                     des Accès au Réseau ( ALCASAR )                       #"
2339
		echo "#                                                                           #"
2337
		echo "#                                                                           #"
2340
		echo "#############################################################################"
2338
		echo "#############################################################################"
2341
		echo
2339
		echo
2342
		echo "- The system will be rebooted in order to operate ALCASAR"
2340
		echo "- The system will be rebooted in order to operate ALCASAR"
2343
		echo
2341
		echo
2344
		echo "- Read the exploitation documentation"
2342
		echo "- Read the exploitation documentation"
2345
		echo
2343
		echo
2346
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2344
		echo "- The ALCASAR Control Center (ACC) is at http://$HOSTNAME.$DOMAIN"
2347
		echo
2345
		echo
2348
		echo "                   Hit 'Enter' to continue"
2346
		echo "                   Hit 'Enter' to continue"
2349
	fi
2347
	fi
2350
	sleep 2
2348
	sleep 2
2351
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2349
	if [ "$mode" == "install" ] || [ "$DEBUG_ALCASAR" == "on" ]
2352
	then
2350
	then
2353
		read
2351
		read
2354
	fi
2352
	fi
2355
	clear
2353
	clear
2356
	reboot
2354
	reboot
2357
} # End post_install ()
2355
} # End post_install ()
2358
 
2356
 
2359
#####################################################################################
2357
#####################################################################################
2360
#                                   Main Install loop                               #
2358
#                                   Main Install loop                               #
2361
#####################################################################################
2359
#####################################################################################
2362
dir_exec=`dirname "$0"`
2360
dir_exec=`dirname "$0"`
2363
if [ $dir_exec != "." ]
2361
if [ $dir_exec != "." ]
2364
then
2362
then
2365
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2363
	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
2366
	echo "Launch this program from the ALCASAR archive directory"
2364
	echo "Launch this program from the ALCASAR archive directory"
2367
	exit 0
2365
	exit 0
2368
fi
2366
fi
2369
if [ $EUID -gt 0 ]
2367
if [ $EUID -gt 0 ]
2370
then
2368
then
2371
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2369
	echo "Vous devez être \"root\" pour installer ALCASAR (commande 'su')"
2372
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2370
	echo "You must be \"root\" to install ALCASAR ('su' command)"
2373
	exit 0
2371
	exit 0
2374
fi
2372
fi
2375
VERSION=`cat $DIR_INSTALL/VERSION`
2373
VERSION=`cat $DIR_INSTALL/VERSION`
2376
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2374
usage="Usage: alcasar.sh {-i or --install} | {-u or --uninstall}"
2377
nb_args=$#
2375
nb_args=$#
2378
args=$1
2376
args=$1
2379
if [ $nb_args -eq 0 ]
2377
if [ $nb_args -eq 0 ]
2380
then
2378
then
2381
	nb_args=1
2379
	nb_args=1
2382
	args="-h"
2380
	args="-h"
2383
fi
2381
fi
2384
chmod -R u+x $DIR_SCRIPTS/*
2382
chmod -R u+x $DIR_SCRIPTS/*
2385
case $args in
2383
case $args in
2386
	-\? | -h* | --h*)
2384
	-\? | -h* | --h*)
2387
		echo "$usage"
2385
		echo "$usage"
2388
		exit 0
2386
		exit 0
2389
		;;
2387
		;;
2390
	-i | --install)
2388
	-i | --install)
2391
		header_install
2389
		header_install
2392
		license
2390
		license
2393
		header_install
2391
		header_install
2394
		testing
2392
		testing
2395
# RPMs install
2393
# RPMs install
2396
		$DIR_SCRIPTS/alcasar-urpmi.sh
2394
		$DIR_SCRIPTS/alcasar-urpmi.sh
2397
		if [ "$?" != "0" ]
2395
		if [ "$?" != "0" ]
2398
		then
2396
		then
2399
			exit 0
2397
			exit 0
2400
		fi
2398
		fi
2401
		if [ -e $CONF_FILE ]
2399
		if [ -e $CONF_FILE ]
2402
		then
2400
		then
2403
# Uninstall or update the running version
2401
# Uninstall or update the running version
2404
			if [ "$mode" == "update" ]
2402
			if [ "$mode" == "update" ]
2405
			then
2403
			then
2406
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2404
				$DIR_DEST_BIN/alcasar-uninstall.sh -update
2407
			else
2405
			else
2408
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2406
				$DIR_DEST_BIN/alcasar-uninstall.sh -full
2409
			fi
2407
			fi
2410
		fi
2408
		fi
2411
	if [ $DEBUG_ALCASAR == "on" ]
2409
	if [ $DEBUG_ALCASAR == "on" ]
2412
	then
2410
	then
2413
		echo "*** 'debug' : end of cleaning ***"
2411
		echo "*** 'debug' : end of cleaning ***"
2414
		read
2412
		read
2415
	fi
2413
	fi
2416
# Test if manual update
2414
# Test if manual update
2417
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2415
		if [ -e /var/tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
2418
		then
2416
		then
2419
			header_install
2417
			header_install
2420
			if [ $Lang == "fr" ]
2418
			if [ $Lang == "fr" ]
2421
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2419
				then echo "Le fichier de configuration d'une ancienne version a été trouvé";
2422
				else echo "The configuration file of an old version has been found";
2420
				else echo "The configuration file of an old version has been found";
2423
			fi
2421
			fi
2424
			response=0
2422
			response=0
2425
			PTN='^[oOnNyY]$'
2423
			PTN='^[oOnNyY]$'
2426
			until [[ $(expr $response : $PTN) -gt 0 ]]
2424
			until [[ $(expr $response : $PTN) -gt 0 ]]
2427
			do
2425
			do
2428
				if [ $Lang == "fr" ]
2426
				if [ $Lang == "fr" ]
2429
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2427
					then echo -n "Voulez-vous l'utiliser (O/n)? ";
2430
					else echo -n "Do you want to use it (Y/n)?";
2428
					else echo -n "Do you want to use it (Y/n)?";
2431
				 fi
2429
				 fi
2432
				read response
2430
				read response
2433
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2431
				if [ "$response" = "n" ] || [ "$response" = "N" ]
2434
				then rm -f /var/tmp/alcasar-conf*
2432
				then rm -f /var/tmp/alcasar-conf*
2435
				fi
2433
				fi
2436
			done
2434
			done
2437
		fi
2435
		fi
2438
# Test if update
2436
# Test if update
2439
		if [ -e /var/tmp/alcasar-conf* ]
2437
		if [ -e /var/tmp/alcasar-conf* ]
2440
		then
2438
		then
2441
			if [ $Lang == "fr" ]
2439
			if [ $Lang == "fr" ]
2442
				then echo "#### Installation avec mise à jour ####";
2440
				then echo "#### Installation avec mise à jour ####";
2443
				else echo "#### Installation with update     ####";
2441
				else echo "#### Installation with update     ####";
2444
			fi
2442
			fi
2445
# Extract some info from the previous configuration file
2443
# Extract some info from the previous configuration file
2446
			tar -xf /var/tmp/alcasar-conf* conf/etc/alcasar.conf
2444
			tar -xf /var/tmp/alcasar-conf* conf/etc/alcasar.conf
2447
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2445
			ORGANISME=`grep ^ORGANISM= conf/etc/alcasar.conf|cut -d"=" -f2`
2448
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2446
			PREVIOUS_VERSION=`grep ^VERSION= conf/etc/alcasar.conf|cut -d"=" -f2`
2449
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2447
			MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
2450
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2448
			MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
2451
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2449
			UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
2452
			mode="update"
2450
			mode="update"
2453
		fi
2451
		fi
2454
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2452
		for func in init network ACC CA time_server init_db freeradius chilli e2guardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt post_install
2455
		do
2453
		do
2456
			$func
2454
			$func
2457
			if [ $DEBUG_ALCASAR == "on" ]
2455
			if [ $DEBUG_ALCASAR == "on" ]
2458
			then
2456
			then
2459
				echo "*** 'debug' : end of install '$func' ***"
2457
				echo "*** 'debug' : end of install '$func' ***"
2460
				read
2458
				read
2461
			fi
2459
			fi
2462
		done
2460
		done
2463
		;;
2461
		;;
2464
	-u | --uninstall)
2462
	-u | --uninstall)
2465
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2463
		if [ ! -e $DIR_DEST_BIN/alcasar-uninstall.sh ]
2466
		then
2464
		then
2467
			if [ $Lang == "fr" ]
2465
			if [ $Lang == "fr" ]
2468
				then echo "ALCASAR n'est pas installé!";
2466
				then echo "ALCASAR n'est pas installé!";
2469
				else echo "ALCASAR isn't installed!";
2467
				else echo "ALCASAR isn't installed!";
2470
			fi
2468
			fi
2471
			exit 0
2469
			exit 0
2472
		fi
2470
		fi
2473
		response=0
2471
		response=0
2474
		PTN='^[oOnN]$'
2472
		PTN='^[oOnN]$'
2475
		until [[ $(expr $response : $PTN) -gt 0 ]]
2473
		until [[ $(expr $response : $PTN) -gt 0 ]]
2476
		do
2474
		do
2477
			if [ $Lang == "fr" ]
2475
			if [ $Lang == "fr" ]
2478
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2476
				then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
2479
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2477
				else echo -n "Do you want to create the running version configuration file (Y/n)? ";
2480
			fi
2478
			fi
2481
			read response
2479
			read response
2482
		done
2480
		done
2483
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2481
		if [ "$response" = "o" ] || [ "$response" = "O" ] || [ "$response" = "Y" ] || [ "$response" = "y" ]
2484
		then
2482
		then
2485
			$DIR_SCRIPTS/alcasar-conf.sh --create
2483
			$DIR_SCRIPTS/alcasar-conf.sh --create
2486
		else
2484
		else
2487
			rm -f /var/tmp/alcasar-conf*
2485
			rm -f /var/tmp/alcasar-conf*
2488
		fi
2486
		fi
2489
# Uninstall the running version
2487
# Uninstall the running version
2490
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2488
		$DIR_DEST_BIN/alcasar-uninstall.sh -full
2491
		;;
2489
		;;
2492
	*)
2490
	*)
2493
		echo "Argument inconnu :$1";
2491
		echo "Argument inconnu :$1";
2494
		echo "Unknown argument :$1";
2492
		echo "Unknown argument :$1";
2495
		echo "$usage"
2493
		echo "$usage"
2496
		exit 1
2494
		exit 1
2497
		;;
2495
		;;
2498
esac
2496
esac
2499
# end of script
2497
# end of script
2500
 
2498
 
2501
 
2499
 
2502

Generated by GNU Enscript 1.6.6.
2500

Generated by GNU Enscript 1.6.6.
2503
 
2501
 
2504
 
2502
 
2505
 
2503