
Rev 2711 Rev 2724
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2711 2019-03-10 23:23:31Z tom.houdayer $
2
#  $Id: alcasar.sh 2724 2019-05-05 19:05:53Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
Line 104... Line 104...
104
        done
104
        done
105
        if [ "$response" = "n" ] || [ "$response" = "N" ]
105
        if [ "$response" = "n" ] || [ "$response" = "N" ]
106
        then
106
        then
107
                exit 1
107
                exit 1
108
        fi
108
        fi
109
}
109
} # End of license()
110
 
110
 
111
header_install ()
111
header_install()
112
{
112
{
113
        clear
113
        clear
114
        echo "-----------------------------------------------------------------------------"
114
        echo "-----------------------------------------------------------------------------"
115
        echo "                     ALCASAR V$VERSION Installation"
115
        echo "                     ALCASAR V$VERSION Installation"
116
        echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
        echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
117
        echo "-----------------------------------------------------------------------------"
117
        echo "-----------------------------------------------------------------------------"
118
}
-
 
-
 
118
} # End of header_install()
119
 
119
 
120
########################################################
120
########################################################
121
##                  Function "testing"                ##
121
##                  Function "testing"                ##
122
## - Test Mageia version                              ##
122
## - Test Mageia version                              ##
123
## - Test ALCASAR version (if already installed)      ##
123
## - Test ALCASAR version (if already installed)      ##
Line 253... Line 253...
253
                else echo "External interface (Internet) used: $EXTIF"
253
                else echo "External interface (Internet) used: $EXTIF"
254
        fi
254
        fi
255
 
255
 
256
        if [ -z "$INTIF" ]; then
256
        if [ -z "$INTIF" ]; then
257
                interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
                interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
                interfacesCount=$(echo "$interfacesList" | wc -l)
258
                interfacesCount=$(echo "$interfacesList" | wc -w)
259
                if [ $interfacesCount -eq 0 ]; then
259
                if [ $interfacesCount -eq 0 ]; then
260
                        if [ "$Lang" == 'fr' ]
260
                        if [ "$Lang" == 'fr' ]
261
                                then echo "Aucune interface de disponible pour le réseau interne"
261
                                then echo "Aucune interface de disponible pour le réseau interne"
262
                                else echo "No interface available for the internal network"
262
                                else echo "No interface available for the internal network"
263
                        fi
263
                        fi
Line 265... Line 265...
265
                elif [ $interfacesCount -eq 1 ]; then
265
                elif [ $interfacesCount -eq 1 ]; then
266
                        INTIF="$interfacesList"
266
                        INTIF="$interfacesList"
267
                else
267
                else
268
                        interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
                        interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
                        interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
                        interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
 
-
 
271
                        if [ "$Lang" == 'fr' ]
270
                        if [ "$Lang" == 'fr' ]
272
                                then echo 'Liste des interfaces disponible :'
271
                                then echo 'Liste des interfaces disponible :'
273
                                else echo 'List of available interfaces:'
272
                                else echo 'List of available interfaces:'
274
                        fi
273
                        fi
275
                        echo "$interfacesSorted"
274
                        echo "$interfacesSorted"
Line 414... Line 413...
414
                        echo "Verify the DNS IP addresses"
413
                        echo "Verify the DNS IP addresses"
415
                fi
414
                fi
416
                exit 1
415
                exit 1
417
        fi
416
        fi
418
        echo ". : ok"
417
        echo ". : ok"
419
} # end of testing ()
418
} # End of testing()
420
 
419
 
421
#######################################################################
420
#######################################################################
422
##                    Function "init"                                ##
421
##                    Function "init"                                ##
423
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
424
## - Creation of random password for GRUB, mariadb (admin and user)  ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
Line 939... Line 938...
939
        $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
938
        $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
940
        $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
939
        $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
941
        $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
940
        $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
942
        $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
941
        $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
943
        [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
942
        [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
-
 
943
        [ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
944
        /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
944
        /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
945
        /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
945
        /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
946
        /usr/bin/systemctl start mysqld
946
        /usr/bin/systemctl start mysqld
947
        nb_round=1
947
        nb_round=1
948
        while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
948
        while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
Line 955... Line 955...
955
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
955
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
956
                exit
956
                exit
957
        fi
957
        fi
958
# Secure the server
958
# Secure the server
959
        /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
959
        /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
960
 
-
 
961
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
960
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
962
        $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
961
        $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
963
        $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
962
        $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
964
# Create 'radius' database
963
# Create 'radius' database
965
        $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
964
        $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
Line 1047... Line 1046...
1047
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1046
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1048
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1047
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1049
        /usr/bin/systemctl daemon-reload
1048
        /usr/bin/systemctl daemon-reload
1050
# Allow apache to change some conf files (ie : ldap on/off)
1049
# Allow apache to change some conf files (ie : ldap on/off)
1051
        chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1050
        chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1052
} # End freeradius ()
1051
} # End of freeradius()
1053
 
1052
 
1054
#############################################################################
1053
#############################################################################
1055
##                           Function "chilli"                             ##
1054
##                           Function "chilli"                             ##
1056
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1055
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1057
## - Adapt the authentication web page (intercept.php)                     ##
1056
## - Adapt the authentication web page (intercept.php)                     ##
Line 1415... Line 1414...
1415
 
1414
 
1416
[Install]
1415
[Install]
1417
WantedBy=multi-user.target
1416
WantedBy=multi-user.target
1418
EOF
1417
EOF
1419
 
1418
 
1420
} # end of tinyproxy
1419
} # end of tinyproxy()
-
 
1420
 
1421
##############################################################################
1421
##############################################################
1422
##                            function "ulogd"                              ##
1422
##                            function "ulogd"              ##
1423
## - Ulog config for multi-log files                                        ##
1423
## - Ulog config for multi-log files                        ##
1424
##############################################################################
1424
##############################################################
1425
ulogd ()
1425
ulogd()
1426
{
1426
{
1427
# Three instances of ulogd (three different logfiles)
1427
# Three instances of ulogd (three different logfiles)
1428
        [ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1428
        [ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1429
        nl=1
1429
        nl=1
Line 1443... Line 1443...
1443
        done
1443
        done
1444
        chown -R root:apache /var/log/firewall
1444
        chown -R root:apache /var/log/firewall
1445
        chmod 750 /var/log/firewall
1445
        chmod 750 /var/log/firewall
1446
        chmod 640 /var/log/firewall/*
1446
        chmod 640 /var/log/firewall/*
1447
}  # End of ulogd ()
1447
}  # End of ulogd()
1448
 
-
 
1449
 
1448
 
1450
##########################################################
1449
##########################################################
1451
##                    Function "nfsen"                  ##
1450
##                    Function "nfsen"                  ##
1452
## - install the nfsen grapher                          ##
1451
## - install the nfsen grapher                          ##
1453
## - install the two plugins porttracker & surfmap      ##
1452
## - install the two plugins porttracker & surfmap      ##
Line 1510... Line 1509...
1510
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1509
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1511
#       cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1510
#       cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1512
#       cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1511
#       cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1513
#       tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1512
#       tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1514
#       cd /tmp/
1513
#       cd /tmp/
1515
#       /usr/bin/sh SURFmap/install.sh
1514
#       /usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
1516
# clear the installation
1515
# clear the installation
1517
#       rm -rf /tmp/SURFmap*
1516
#       rm -rf /tmp/SURFmap*
1518
        rm -rf /tmp/nfsen-*
1517
        rm -rf /tmp/nfsen-*
1519
        cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1518
        cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1520
        chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1519
        chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
Line 1531... Line 1530...
1531
        $SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1530
        $SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1532
        [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1531
        [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1533
        $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1532
        $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1534
        $SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1533
        $SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1535
        /usr/bin/vnstat -i $EXTIF -u --force
1534
        /usr/bin/vnstat -i $EXTIF -u --force
1536
} # End of vnstat
1535
} # End of vnstat()
1537
 
1536
 
1538
##################################################################
1537
###################################################################
1539
##                     Function "dnsmasq"                       ##
1538
##                     Function "dnsmasq"                        ##
1540
## - creation of the conf files of the 4 intances of dnsmasq    ##
1539
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1541
## - creation of the file managing domain name (local & remote) ##
-
 
1542
##################################################################
1540
###################################################################
1543
dnsmasq ()
1541
dnsmasq()
1544
{
1542
{
1545
        [ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1543
        [ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1546
        [ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1544
        [ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1547
        # 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1545
        # dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1548
        cat << EOF > /etc/dnsmasq-whitelist.conf
1546
        cat << EOF > /etc/dnsmasq-whitelist.conf
1549
# Configuration file for "dnsmasq with whitelist"
1547
# Configuration file for "dnsmasq with whitelist"
1550
# ADD Toulouse university whitelist domains
1548
# ADD Toulouse university whitelist domains
1551
pid-file=/var/run/dnsmasq-whitelist.pid
1549
pid-file=/var/run/dnsmasq-whitelist.pid
1552
listen-address=127.0.0.1
1550
listen-address=127.0.0.1
Line 1560... Line 1558...
1560
filterwin2k
1558
filterwin2k
1561
ipset=/#/wl_ip_allowed  # dynamically add the resolv IP address in the Firewall rules
1559
ipset=/#/wl_ip_allowed  # dynamically add the resolv IP address in the Firewall rules
1562
server=$DNS1
1560
server=$DNS1
1563
server=$DNS2
1561
server=$DNS2
1564
EOF
1562
EOF
1565
 
-
 
1566
        # Create dnsmasq-whitelist unit
1563
        # Create dnsmasq-whitelist unit
1567
        mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1564
        mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1568
        cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1565
        cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1569
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1566
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1570
        $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1567
        $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1571
} # End dnsmasq
1568
} # End of dnsmasq()
1572
 
1569
 
1573
##################################################
1570
#########################################################
1574
##              Function "unbound"              ##
1571
##              Function "unbound"                     ##
-
 
1572
## - create the conf files for 4 unbound services      ##
-
 
1573
## - create the systemd files for 4 unbound services   ##
1575
##################################################
1574
#########################################################
1576
unbound ()
1575
unbound ()
1577
{
1576
{
1578
        [ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1577
        [ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1579
        [ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1578
        [ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1580
        [ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1579
        [ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
Line 1583... Line 1582...
1583
        [ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1582
        [ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1584
        [ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1583
        [ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1585
        [ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1584
        [ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1586
        [ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1585
        [ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1587
        [ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1586
        [ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1588
 
-
 
1589
        # Local static DNS configuration
1587
        # Local static DNS configuration
1590
        [ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1588
        [ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1591
 
1589
 
1592
        # Forward zone configuration file for all unbound dns servers
1590
# Forward zone configuration file for all unbound dns servers
1593
        cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1591
        cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
Line 1659... Line 1657...
1659
server:
1657
server:
1660
        verbosity: 1
1658
        verbosity: 1
1661
        hide-version: yes
1659
        hide-version: yes
1662
        hide-identity: yes
1660
        hide-identity: yes
1663
        do-ip6: no
1661
        do-ip6: no
1664
 
-
 
1665
        include: /etc/unbound/conf.d/common/forward-zone.conf
1662
        include: /etc/unbound/conf.d/common/forward-zone.conf
1666
        include: /etc/unbound/conf.d/common/local-forward/*
1663
        include: /etc/unbound/conf.d/common/local-forward/*
1667
        include: /etc/unbound/conf.d/common/local-dns/*
1664
        include: /etc/unbound/conf.d/common/local-dns/*
1668
        include: /etc/unbound/conf.d/forward/*
1665
        include: /etc/unbound/conf.d/forward/*
1669
EOF
1666
EOF
Line 1687... Line 1684...
1687
        do-ip6: no
1684
        do-ip6: no
1688
        logfile: "/var/log/unbound/unbound-blacklist.log"
1685
        logfile: "/var/log/unbound/unbound-blacklist.log"
1689
        chroot: ""
1686
        chroot: ""
1690
        define-tag: "blacklist"
1687
        define-tag: "blacklist"
1691
        log-local-actions: yes
1688
        log-local-actions: yes
1692
 
-
 
1693
        include: /etc/unbound/conf.d/common/forward-zone.conf
1689
        include: /etc/unbound/conf.d/common/forward-zone.conf
1694
        include: /etc/unbound/conf.d/common/local-forward/*
1690
        include: /etc/unbound/conf.d/common/local-forward/*
1695
        include: /etc/unbound/conf.d/common/local-dns/*
1691
        include: /etc/unbound/conf.d/common/local-dns/*
1696
        include: /etc/unbound/conf.d/blacklist/*
1692
        include: /etc/unbound/conf.d/blacklist/*
1697
 
-
 
1698
        include: /usr/local/share/unbound-bl-enabled/*
1693
        include: /usr/local/share/unbound-bl-enabled/*
1699
EOF
1694
EOF
1700
 
1695
 
1701
        # Configuration file for $INTIF of whitelist unbound
1696
# Configuration file for $INTIF of whitelist unbound
1702
        cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1697
        cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
Line 1715... Line 1710...
1715
        hide-version: yes
1710
        hide-version: yes
1716
        hide-identity: yes
1711
        hide-identity: yes
1717
        do-ip6: no
1712
        do-ip6: no
1718
        do-not-query-localhost: no
1713
        do-not-query-localhost: no
1719
        define-tag: "whitelist"
1714
        define-tag: "whitelist"
1720
 
-
 
1721
        local-zone: "." transparent
1715
        local-zone: "." transparent
1722
        local-zone-tag: "." "whitelist"
1716
        local-zone-tag: "." "whitelist"
1723
 
-
 
1724
        include: /usr/local/share/unbound-wl-enabled/*
1717
        include: /usr/local/share/unbound-wl-enabled/*
1725
        include: /etc/unbound/conf.d/whitelist/*
1718
        include: /etc/unbound/conf.d/whitelist/*
1726
        include: /etc/unbound/conf.d/common/local-dns/*
1719
        include: /etc/unbound/conf.d/common/local-dns/*
1727
        include: /etc/unbound/conf.d/common/local-forward/*
1720
        include: /etc/unbound/conf.d/common/local-forward/*
1728
 
-
 
1729
forward-zone:
1721
forward-zone:
1730
        name: "."
1722
        name: "."
1731
        forward-addr: 127.0.0.1@55
1723
        forward-addr: 127.0.0.1@55
1732
EOF
1724
EOF
1733
 
1725
 
Line 1748... Line 1740...
1748
server:
1740
server:
1749
        verbosity: 1
1741
        verbosity: 1
1750
        hide-version: yes
1742
        hide-version: yes
1751
        hide-identity: yes
1743
        hide-identity: yes
1752
        do-ip6: no
1744
        do-ip6: no
1753
 
-
 
1754
        include: /etc/unbound/conf.d/blackhole/*
1745
        include: /etc/unbound/conf.d/blackhole/*
1755
        include: /etc/unbound/conf.d/common/local-dns/*
1746
        include: /etc/unbound/conf.d/common/local-dns/*
1756
        include: /etc/unbound/conf.d/common/local-forward/*
1747
        include: /etc/unbound/conf.d/common/local-forward/*
1757
EOF
1748
EOF
1758
 
1749
 
Line 1760... Line 1751...
1760
        then
1751
        then
1761
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1752
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1762
        fi
1753
        fi
1763
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1754
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1764
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1755
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1765
 
-
 
1766
        for list in blacklist blackhole whitelist
1756
        for list in blacklist blackhole whitelist
1767
        do
1757
        do
1768
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1758
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1769
                $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1759
                $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1770
                $SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1760
                $SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1771
        done
1761
        done
1772
 
-
 
1773
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1762
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1774
} # End unbound
1763
} # End of unbound()
1775
 
1764
 
1776
##################################################
1765
##################################################
1777
##              Function "dhcpd"                ##
1766
##              Function "dhcpd"                ##
1778
##################################################
1767
##################################################
1779
dhcpd ()
1768
dhcpd()
1780
{
1769
{
1781
        [ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1770
        [ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1782
 
-
 
1783
        cat <<EOF > /etc/dhcpd.conf
1771
        cat <<EOF > /etc/dhcpd.conf
1784
ddns-update-style none;
1772
ddns-update-style none;
1785
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1773
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1786
        option routers $PRIVATE_IP;
1774
        option routers $PRIVATE_IP;
1787
        option subnet-mask $PRIVATE_NETMASK;
1775
        option subnet-mask $PRIVATE_NETMASK;
1788
        option domain-name-servers $PRIVATE_IP;
1776
        option domain-name-servers $PRIVATE_IP;
1789
 
-
 
1790
        range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1777
        range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1791
        default-lease-time 21600;
1778
        default-lease-time 21600;
1792
        max-lease-time 43200;
1779
        max-lease-time 43200;
1793
}
1780
}
1794
EOF
1781
EOF
1795
}
1782
} # End of dhcpd()
1796
 
1783
 
1797
##########################################################
1784
##########################################################
1798
##                      Function "BL"                   ##
1785
##                      Function "BL"                   ##
1799
## - copy Toulouse BL                                   ##
1786
## - copy Toulouse BL                                   ##
1800
## - adapt this BL to ALCASAR architecture              ##
1787
## - adapt this BL to ALCASAR architecture              ##
Line 1855... Line 1842...
1855
# adapt the Toulouse BL to ALCASAR architecture
1842
# adapt the Toulouse BL to ALCASAR architecture
1856
        $DIR_DEST_BIN/alcasar-bl.sh --adapt
1843
        $DIR_DEST_BIN/alcasar-bl.sh --adapt
1857
# enable the default categories
1844
# enable the default categories
1858
        $DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1845
        $DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1859
        rm -rf /tmp/blacklists
1846
        rm -rf /tmp/blacklists
1860
} # End BL()
1847
} # End of BL()
1861
 
1848
 
1862
#######################################################
1849
#######################################################
1863
##                  Function "cron"                  ##
1850
##                  Function "cron"                  ##
1864
## - write all cron & anacron files                  ##
1851
## - write all cron & anacron files                  ##
1865
#######################################################
1852
#######################################################
Line 1937... Line 1924...
1937
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1924
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1938
EOF
1925
EOF
1939
 
1926
 
1940
# removing the users crons
1927
# removing the users crons
1941
        rm -f /var/spool/cron/*
1928
        rm -f /var/spool/cron/*
1942
} # End cron()
1929
} # End of cron()
1943
 
1930
 
1944
######################################################################
1931
######################################################################
1945
##                      Fonction "Fail2Ban"                         ##
1932
##                      Fonction "Fail2Ban"                         ##
1946
##- Adapt conf file to ALCASAR                                      ##
1933
##- Adapt conf file to ALCASAR                                      ##
1947
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1934
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
Line 1958... Line 1945...
1958
# fail2ban unit
1945
# fail2ban unit
1959
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1946
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1960
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1947
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1961
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1948
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1962
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1949
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1963
} # End fail2ban()
1950
} # End of fail2ban()
1964
 
1951
 
1965
#########################################################
1952
#########################################################
1966
##                   Fonction "gammu_smsd"             ##
1953
##                   Fonction "gammu_smsd"             ##
1967
## - Creating of SMS management database               ##
1954
## - Creating of SMS management database               ##
1968
## - Write the gammu a gammu_smsd conf files           ##
1955
## - Write the gammu a gammu_smsd conf files           ##
Line 2047... Line 2034...
2047
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2034
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2048
#EOF
2035
#EOF
2049
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2036
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2050
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2037
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2051
 
2038
 
2052
} # End gammu_smsd()
2039
} # End of gammu_smsd()
2053
 
2040
 
2054
############################################################
2041
############################################################
2055
##                 Fonction "msec"                        ##
2042
##                 Fonction "msec"                        ##
2056
## - Apply the "fileserver" security level                ##
2043
## - Apply the "fileserver" security level                ##
2057
## - remove the "system request" for rebboting            ##
2044
## - remove the "system request" for rebboting            ##
Line 2082... Line 2069...
2082
EOF
2069
EOF
2083
# apply now hourly & daily checks
2070
# apply now hourly & daily checks
2084
/usr/sbin/msec
2071
/usr/sbin/msec
2085
/etc/cron.weekly/msec
2072
/etc/cron.weekly/msec
2086
 
2073
 
2087
} # End msec()
2074
} # End of msec()
2088
 
-
 
2089
 
2075
 
2090
##################################################################
2076
##################################################################
2091
##                   Fonction "letsencrypt"                     ##
2077
##                   Fonction "letsencrypt"                     ##
2092
## - Install Let's Encrypt client                               ##
2078
## - Install Let's Encrypt client                               ##
2093
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2079
## - Prepare Let's Encrypt ALCASAR configuration file           ##
Line 2136... Line 2122...
2136
EOF
2122
EOF
2137
 
2123
 
2138
        cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2124
        cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2139
        rm -rf /tmp/acme.sh-*
2125
        rm -rf /tmp/acme.sh-*
2140
 
2126
 
2141
} # END letsencrypt()
2127
} # End of letsencrypt()
2142
 
2128
 
2143
##################################################################
2129
##################################################################
2144
##                    Fonction "post_install"                   ##
2130
##                    Fonction "post_install"                   ##
2145
## - Modifying banners (locals et ssh) & prompts                ##
2131
## - Modifying banners (locals et ssh) & prompts                ##
2146
## - SSH config                                                 ##
2132
## - SSH config                                                 ##
Line 2350... Line 2336...
2350
        then
2336
        then
2351
                read
2337
                read
2352
        fi
2338
        fi
2353
        clear
2339
        clear
2354
        reboot
2340
        reboot
2355
} # End post_install ()
2341
} # End of post_install()
2356
 
2342
 
2357
#####################################################################################
2343
#####################################################################################
2358
#                                   Main Install loop                               #
2344
#                                   Main Install loop                               #
2359
#####################################################################################
2345
#####################################################################################
2360
dir_exec=`dirname "$0"`
2346
dir_exec=`dirname "$0"`
Line 2384... Line 2370...
2384
        -\? | -h* | --h*)
2370
        -\? | -h* | --h*)
2385
                echo "$usage"
2371
                echo "$usage"
2386
                exit 0
2372
                exit 0
2387
                ;;
2373
                ;;
2388
        -i | --install)
2374
        -i | --install)
-
 
2375
                for func in license testing
-
 
2376
                do
2389
                header_install
2377
                        header_install
-
 
2378
                        $func
-
 
2379
                        if [ $DEBUG_ALCASAR == "on" ]
2390
                license
2380
                        then
-
 
2381
                                echo "*** 'debug' : end of install '$func' ***"
2391
                header_install
2382
                                read
-
 
2383
                        fi
2392
                testing
2384
                done
2393
# RPMs install
2385
# RPMs install
2394
                $DIR_SCRIPTS/alcasar-urpmi.sh
2386
                $DIR_SCRIPTS/alcasar-urpmi.sh
2395
                if [ "$?" != "0" ]
2387
                if [ "$?" != "0" ]
2396
                then
2388
                then
2397
                        exit 0
2389
                        exit 0