Rev 2711 Rev 2724
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2711 2019-03-10 23:23:31Z tom.houdayer $
2
#  $Id: alcasar.sh 2724 2019-05-05 19:05:53Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
Line 82... Line 82...
82
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"      # Default ALCASAR IP address
82
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"      # Default ALCASAR IP address
83
# ****** Paths - chemin des commandes *******
83
# ****** Paths - chemin des commandes *******
84
SED="/bin/sed -i"
84
SED="/bin/sed -i"
85
# ****************** End of global parameters *********************
85
# ****************** End of global parameters *********************
86
 
86
 
87
license ()
87
license()
88
{
88
{
89
        if [ $Lang == "fr" ]
89
        if [ $Lang == "fr" ]
90
        then
90
        then
91
                cat $DIR_INSTALL/gpl-warning.fr.txt | more
91
                cat $DIR_INSTALL/gpl-warning.fr.txt | more
92
        else
92
        else
Line 104... Line 104...
104
        done
104
        done
105
        if [ "$response" = "n" ] || [ "$response" = "N" ]
105
        if [ "$response" = "n" ] || [ "$response" = "N" ]
106
        then
106
        then
107
                exit 1
107
                exit 1
108
        fi
108
        fi
109
}
109
} # End of license()
110
 
110
 
111
header_install ()
111
header_install()
112
{
112
{
113
        clear
113
        clear
114
        echo "-----------------------------------------------------------------------------"
114
        echo "-----------------------------------------------------------------------------"
115
        echo "                     ALCASAR V$VERSION Installation"
115
        echo "                     ALCASAR V$VERSION Installation"
116
        echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
        echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
117
        echo "-----------------------------------------------------------------------------"
117
        echo "-----------------------------------------------------------------------------"
118
}
-
 
-
 
118
} # End of header_install()
119
 
119
 
120
########################################################
120
########################################################
121
##                  Function "testing"                ##
121
##                  Function "testing"                ##
122
## - Test Mageia version                              ##
122
## - Test Mageia version                              ##
123
## - Test ALCASAR version (if already installed)      ##
123
## - Test ALCASAR version (if already installed)      ##
124
## - Test free space on /var  (>10G)                  ##
124
## - Test free space on /var  (>10G)                  ##
125
## - Test Internet access                             ##
125
## - Test Internet access                             ##
126
########################################################
126
########################################################
127
testing ()
127
testing()
128
{
128
{
129
# Test of Mageia version
129
# Test of Mageia version
130
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
# extract the current Mageia version and hardware architecture (i586 ou X64)
131
        fic=`cat /etc/product.id`
131
        fic=`cat /etc/product.id`
132
        unknown_os=0
132
        unknown_os=0
Line 253... Line 253...
253
                else echo "External interface (Internet) used: $EXTIF"
253
                else echo "External interface (Internet) used: $EXTIF"
254
        fi
254
        fi
255
 
255
 
256
        if [ -z "$INTIF" ]; then
256
        if [ -z "$INTIF" ]; then
257
                interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
257
                interfacesList=$(/usr/sbin/ip -br link show | cut -d' ' -f1 | grep -v "^\(lo\|tun0\|$EXTIF\)\$")
258
                interfacesCount=$(echo "$interfacesList" | wc -l)
258
                interfacesCount=$(echo "$interfacesList" | wc -w)
259
                if [ $interfacesCount -eq 0 ]; then
259
                if [ $interfacesCount -eq 0 ]; then
260
                        if [ "$Lang" == 'fr' ]
260
                        if [ "$Lang" == 'fr' ]
261
                                then echo "Aucune interface de disponible pour le réseau interne"
261
                                then echo "Aucune interface de disponible pour le réseau interne"
262
                                else echo "No interface available for the internal network"
262
                                else echo "No interface available for the internal network"
263
                        fi
263
                        fi
Line 265... Line 265...
265
                elif [ $interfacesCount -eq 1 ]; then
265
                elif [ $interfacesCount -eq 1 ]; then
266
                        INTIF="$interfacesList"
266
                        INTIF="$interfacesList"
267
                else
267
                else
268
                        interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
268
                        interfacesSorted=$(/usr/sbin/ip -br addr | grep -v "^\(lo\|tun0\|$EXTIF\) " | sort -b -k3n -k2r -k1)
269
                        interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
269
                        interfacePreferred=$(echo "$interfacesSorted" | head -1 | cut -d' ' -f1)
270
 
-
 
271
                        if [ "$Lang" == 'fr' ]
270
                        if [ "$Lang" == 'fr' ]
272
                                then echo 'Liste des interfaces disponible :'
271
                                then echo 'Liste des interfaces disponible :'
273
                                else echo 'List of available interfaces:'
272
                                else echo 'List of available interfaces:'
274
                        fi
273
                        fi
275
                        echo "$interfacesSorted"
274
                        echo "$interfacesSorted"
Line 414... Line 413...
414
                        echo "Verify the DNS IP addresses"
413
                        echo "Verify the DNS IP addresses"
415
                fi
414
                fi
416
                exit 1
415
                exit 1
417
        fi
416
        fi
418
        echo ". : ok"
417
        echo ". : ok"
419
} # end of testing ()
418
} # End of testing()
420
 
419
 
421
#######################################################################
420
#######################################################################
422
##                    Function "init"                                ##
421
##                    Function "init"                                ##
423
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
422
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
424
## - Creation of random password for GRUB, mariadb (admin and user)  ##
423
## - Creation of random password for GRUB, mariadb (admin and user)  ##
425
#######################################################################
424
#######################################################################
426
init ()
425
init()
427
{
426
{
428
        if [ "$mode" != "update" ]
427
        if [ "$mode" != "update" ]
429
        then
428
        then
430
# On affecte le nom d'organisme
429
# On affecte le nom d'organisme
431
                header_install
430
                header_install
Line 492... Line 491...
492
ORGANISM=$ORGANISME
491
ORGANISM=$ORGANISME
493
HOSTNAME=$HOSTNAME
492
HOSTNAME=$HOSTNAME
494
DOMAIN=$DOMAIN
493
DOMAIN=$DOMAIN
495
EOF
494
EOF
496
        chmod o-rwx $CONF_FILE
495
        chmod o-rwx $CONF_FILE
497
} # End of init ()
496
} # End of init()
498
 
497
 
499
#########################################################
498
#########################################################
500
##                    Function "network"               ##
499
##                    Function "network"               ##
501
## - Define the several network address                ##
500
## - Define the several network address                ##
502
## - Define the DNS naming                             ##
501
## - Define the DNS naming                             ##
503
## - INTIF parameters (consultation network)           ##
502
## - INTIF parameters (consultation network)           ##
504
## - Write "/etc/hosts" file                           ##
503
## - Write "/etc/hosts" file                           ##
505
## - write "hosts.allow" & "hosts.deny" files          ##
504
## - write "hosts.allow" & "hosts.deny" files          ##
506
#########################################################
505
#########################################################
507
network ()
506
network()
508
{
507
{
509
        header_install
508
        header_install
510
        if [ "$mode" != "update" ]
509
        if [ "$mode" != "update" ]
511
                then
510
                then
512
                if [ $Lang == "fr" ]
511
                if [ $Lang == "fr" ]
Line 759... Line 758...
759
        $SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
758
        $SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
760
        [ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
759
        [ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
761
        $SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
760
        $SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
762
#
761
#
763
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
762
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
764
} # End of network ()
763
} # End of network()
765
 
764
 
766
###################################################
765
###################################################
767
##                  Function "ACC"               ##
766
##                  Function "ACC"               ##
768
## - copy ALCASAR Control Center (ACC) files     ##
767
## - copy ALCASAR Control Center (ACC) files     ##
769
## - configuration of the web server (Lighttpd)  ##
768
## - configuration of the web server (Lighttpd)  ##
770
## - creation of the first ACC admin account     ##
769
## - creation of the first ACC admin account     ##
771
## - secure the ACC access                       ##
770
## - secure the ACC access                       ##
772
###################################################
771
###################################################
773
ACC ()
772
ACC()
774
{
773
{
775
        [ -d $DIR_WEB ] && rm -rf $DIR_WEB
774
        [ -d $DIR_WEB ] && rm -rf $DIR_WEB
776
        mkdir $DIR_WEB
775
        mkdir $DIR_WEB
777
# Copy & adapt ACC files
776
# Copy & adapt ACC files
778
        cp -rf $DIR_INSTALL/web/* $DIR_WEB/
777
        cp -rf $DIR_INSTALL/web/* $DIR_WEB/
Line 874... Line 873...
874
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
873
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
875
        # Log file for ACC access imputability
874
        # Log file for ACC access imputability
876
        [ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
875
        [ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
877
        chown root:apache /var/Save/security/acc_access.log
876
        chown root:apache /var/Save/security/acc_access.log
878
        chmod 664 /var/Save/security/acc_access.log
877
        chmod 664 /var/Save/security/acc_access.log
879
} # End of ACC ()
878
} # End of ACC()
880
 
879
 
881
##################################################################
880
##################################################################
882
##                               Fonction "CA"                  ##
881
##                               Fonction "CA"                  ##
883
## - Creating the CA and the server certificate (lighttpd)      ##
882
## - Creating the CA and the server certificate (lighttpd)      ##
884
##################################################################
883
##################################################################
885
CA ()
884
CA()
886
{
885
{
887
        $DIR_DEST_BIN/alcasar-CA.sh
886
        $DIR_DEST_BIN/alcasar-CA.sh
888
        chown -R root:apache /etc/pki
887
        chown -R root:apache /etc/pki
889
        chmod -R 750 /etc/pki
888
        chmod -R 750 /etc/pki
890
} # End of CA ()
889
} # End of CA()
891
 
890
 
892
#############################################################
891
#############################################################
893
##               Function "time_server"                    ##
892
##               Function "time_server"                    ##
894
## - Configuring NTP server                                ##
893
## - Configuring NTP server                                ##
895
#############################################################
894
#############################################################
896
time_server ()
895
time_server()
897
{
896
{
898
# Set the Internet time server
897
# Set the Internet time server
899
        [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
898
        [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
900
        cat <<EOF > /etc/ntp/step-tickers
899
        cat <<EOF > /etc/ntp/step-tickers
901
0.fr.pool.ntp.org       # adapt to your country
900
0.fr.pool.ntp.org       # adapt to your country
Line 916... Line 915...
916
disable monitor
915
disable monitor
917
EOF
916
EOF
918
        chown -R ntp:ntp /var/lib/ntp
917
        chown -R ntp:ntp /var/lib/ntp
919
# Synchronize now
918
# Synchronize now
920
        ntpd -4 -q -g &
919
        ntpd -4 -q -g &
921
} # End of time_server ()
920
} # End of time_server()
922
 
921
 
923
#####################################################################
922
#####################################################################
924
##                     Function "init_db"                          ##
923
##                     Function "init_db"                          ##
925
## - Mysql initialization                                          ##
924
## - Mysql initialization                                          ##
926
## - Set admin (root) password                                     ##
925
## - Set admin (root) password                                     ##
927
## - Remove unused users & databases                               ##
926
## - Remove unused users & databases                               ##
928
## - Radius database creation                                      ##
927
## - Radius database creation                                      ##
929
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
928
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
930
#####################################################################
929
#####################################################################
931
init_db ()
930
init_db()
932
{
931
{
933
        if [ "`systemctl is-active mysqld`" == "active" ]
932
        if [ "`systemctl is-active mysqld`" == "active" ]
934
        then
933
        then
935
                systemctl stop mysqld
934
                systemctl stop mysqld
936
        fi
935
        fi
Line 939... Line 938...
939
        $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
938
        $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
940
        $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
939
        $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
941
        $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
940
        $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
942
        $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
941
        $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
943
        [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
942
        [ -e /etc/my.cnf.d/feedback.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
-
 
943
        [ -e /etc/my.cnf.d/auth_gssapi.cnf ] && $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/auth_gssapi.cnf # remove GSS plugin (ALCASAR doesn't use Kerberos)
944
        /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
944
        /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
945
        /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
945
        /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
946
        /usr/bin/systemctl start mysqld
946
        /usr/bin/systemctl start mysqld
947
        nb_round=1
947
        nb_round=1
948
        while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
948
        while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
Line 955... Line 955...
955
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
955
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
956
                exit
956
                exit
957
        fi
957
        fi
958
# Secure the server
958
# Secure the server
959
        /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
959
        /usr/bin/mysql --execute "GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
960
 
-
 
961
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
960
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
962
        $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
961
        $MYSQL "DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
963
        $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
962
        $MYSQL "CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
964
# Create 'radius' database
963
# Create 'radius' database
965
        $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
964
        $MYSQL "CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
Line 969... Line 968...
969
        [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
968
        [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
970
        $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
969
        $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
971
        $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
970
        $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
972
        /usr/bin/systemctl unset-environment MYSQLD_OPTS
971
        /usr/bin/systemctl unset-environment MYSQLD_OPTS
973
        /usr/bin/systemctl daemon-reload
972
        /usr/bin/systemctl daemon-reload
974
} # End of init_db ()
973
} # End of init_db()
975
 
974
 
976
###################################################################
975
###################################################################
977
##                       Function "freeradius"                   ##
976
##                       Function "freeradius"                   ##
978
## - Set the configuration files                                 ##
977
## - Set the configuration files                                 ##
979
## - Set the shared secret between coova-chilli and freeradius   ##
978
## - Set the shared secret between coova-chilli and freeradius   ##
980
## - Adapt the Mysql conf file and counters                      ##
979
## - Adapt the Mysql conf file and counters                      ##
981
###################################################################
980
###################################################################
982
freeradius ()
981
freeradius()
983
{
982
{
984
        cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
983
        cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
985
        chown -R radius:radius /etc/raddb
984
        chown -R radius:radius /etc/raddb
986
        [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
985
        [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
987
# Set radius global parameters (radius.conf)
986
# Set radius global parameters (radius.conf)
Line 1047... Line 1046...
1047
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1046
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1048
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1047
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1049
        /usr/bin/systemctl daemon-reload
1048
        /usr/bin/systemctl daemon-reload
1050
# Allow apache to change some conf files (ie : ldap on/off)
1049
# Allow apache to change some conf files (ie : ldap on/off)
1051
        chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1050
        chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1052
} # End freeradius ()
1051
} # End of freeradius()
1053
 
1052
 
1054
#############################################################################
1053
#############################################################################
1055
##                           Function "chilli"                             ##
1054
##                           Function "chilli"                             ##
1056
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1055
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1057
## - Adapt the authentication web page (intercept.php)                     ##
1056
## - Adapt the authentication web page (intercept.php)                     ##
1058
#############################################################################
1057
#############################################################################
1059
chilli ()
1058
chilli()
1060
{
1059
{
1061
# chilli unit for systemd
1060
# chilli unit for systemd
1062
        cat << EOF > /lib/systemd/system/chilli.service
1061
        cat << EOF > /lib/systemd/system/chilli.service
1063
#  This file is part of systemd.
1062
#  This file is part of systemd.
1064
#
1063
#
Line 1245... Line 1244...
1245
        then
1244
        then
1246
                userdel -r chilli 2>/dev/null
1245
                userdel -r chilli 2>/dev/null
1247
        fi
1246
        fi
1248
        groupadd -f chilli
1247
        groupadd -f chilli
1249
        useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1248
        useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1250
}  # End of chilli ()
1249
}  # End of chilli()
1251
 
1250
 
1252
################################################################
1251
################################################################
1253
##                   Function "e2guardian"                    ##
1252
##                   Function "e2guardian"                    ##
1254
## - Set the parameters of this HTML proxy (as controler)     ##
1253
## - Set the parameters of this HTML proxy (as controler)     ##
1255
################################################################
1254
################################################################
1256
e2guardian ()
1255
e2guardian()
1257
{
1256
{
1258
        mkdir -p /var/e2guardian /var/log/e2guardian
1257
        mkdir -p /var/e2guardian /var/log/e2guardian
1259
        chown -R e2guardian /var/e2guardian /var/log/e2guardian
1258
        chown -R e2guardian /var/e2guardian /var/log/e2guardian
1260
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1259
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1261
        $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1260
        $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
Line 1306... Line 1305...
1306
        [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1305
        [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1307
        touch $DIR_DG/lists/exceptioniplist
1306
        touch $DIR_DG/lists/exceptioniplist
1308
# Keep a copy of URL & domain filter configuration files
1307
# Keep a copy of URL & domain filter configuration files
1309
        [ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1308
        [ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1310
        [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1309
        [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1311
} # End of e2guardian ()
1310
} # End of e2guardian()
1312
 
1311
 
1313
##################################################################
1312
##################################################################
1314
##                     Function "antivirus"                     ##
1313
##                     Function "antivirus"                     ##
1315
## - Set the parameters of havp, libclamav and freshclam        ##
1314
## - Set the parameters of havp, libclamav and freshclam        ##
1316
##################################################################
1315
##################################################################
1317
antivirus ()
1316
antivirus()
1318
{
1317
{
1319
# create 'havp' user
1318
# create 'havp' user
1320
        havp_exist=`grep -c ^havp: /etc/passwd`
1319
        havp_exist=`grep -c ^havp: /etc/passwd`
1321
        if [ "$havp_exist" == "1" ]
1320
        if [ "$havp_exist" == "1" ]
1322
        then
1321
        then
Line 1360... Line 1359...
1360
        $SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1359
        $SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1361
        $SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1360
        $SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1362
        $SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1361
        $SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1363
# update now
1362
# update now
1364
        /usr/bin/freshclam --no-warnings
1363
        /usr/bin/freshclam --no-warnings
1365
} # End of antivirus ()
1364
} # End of antivirus()
1366
 
1365
 
1367
################################################################################
1366
################################################################################
1368
##                           Function "tinyproxy"                             ##
1367
##                           Function "tinyproxy"                             ##
1369
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1368
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1370
################################################################################
1369
################################################################################
1371
tinyproxy ()
1370
tinyproxy()
1372
{
1371
{
1373
        tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1372
        tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1374
        if [ "$tinyproxy_exist" == "1" ]
1373
        if [ "$tinyproxy_exist" == "1" ]
1375
        then
1374
        then
1376
                userdel -r tinyproxy 2>/dev/null
1375
                userdel -r tinyproxy 2>/dev/null
Line 1415... Line 1414...
1415
 
1414
 
1416
[Install]
1415
[Install]
1417
WantedBy=multi-user.target
1416
WantedBy=multi-user.target
1418
EOF
1417
EOF
1419
 
1418
 
1420
} # end of tinyproxy
1419
} # end of tinyproxy()
-
 
1420
 
1421
##############################################################################
1421
##############################################################
1422
##                            function "ulogd"                              ##
1422
##                            function "ulogd"              ##
1423
## - Ulog config for multi-log files                                        ##
1423
## - Ulog config for multi-log files                        ##
1424
##############################################################################
1424
##############################################################
1425
ulogd ()
1425
ulogd()
1426
{
1426
{
1427
# Three instances of ulogd (three different logfiles)
1427
# Three instances of ulogd (three different logfiles)
1428
        [ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1428
        [ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1429
        nl=1
1429
        nl=1
1430
        for log_type in traceability ssh ext-access
1430
        for log_type in traceability ssh ext-access
Line 1442... Line 1442...
1442
                nl=`expr $nl + 1`
1442
                nl=`expr $nl + 1`
1443
        done
1443
        done
1444
        chown -R root:apache /var/log/firewall
1444
        chown -R root:apache /var/log/firewall
1445
        chmod 750 /var/log/firewall
1445
        chmod 750 /var/log/firewall
1446
        chmod 640 /var/log/firewall/*
1446
        chmod 640 /var/log/firewall/*
1447
}  # End of ulogd ()
1447
}  # End of ulogd()
1448
 
-
 
1449
 
1448
 
1450
##########################################################
1449
##########################################################
1451
##                    Function "nfsen"                  ##
1450
##                    Function "nfsen"                  ##
1452
## - install the nfsen grapher                          ##
1451
## - install the nfsen grapher                          ##
1453
## - install the two plugins porttracker & surfmap      ##
1452
## - install the two plugins porttracker & surfmap      ##
Line 1510... Line 1509...
1510
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1509
# see https://adullact.net/forum/forum.php?thread_id=319545&forum_id=1601&group_id=450
1511
#       cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1510
#       cp $DIR_CONF/nfsen/SURFmap_*.tar.gz /tmp/
1512
#       cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1511
#       cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1513
#       tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1512
#       tar xzf /tmp/SURFmap_*.tar.gz -C /tmp/
1514
#       cd /tmp/
1513
#       cd /tmp/
1515
#       /usr/bin/sh SURFmap/install.sh
1514
#       /usr/bin/sh SURFmap/install.sh (no more used since Google sells the access to googleMap API)
1516
# clear the installation
1515
# clear the installation
1517
#       rm -rf /tmp/SURFmap*
1516
#       rm -rf /tmp/SURFmap*
1518
        rm -rf /tmp/nfsen-*
1517
        rm -rf /tmp/nfsen-*
1519
        cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1518
        cd $DirTmp || { echo "Unable to find $DirTmp directory"; exit 1; }
1520
        chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1519
        chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen /var/log/nfsen
1521
} # End of nfsen ()
1520
} # End of nfsen()
1522
 
1521
 
1523
###########################################################
1522
###########################################################
1524
##                     Function "vnstat"                 ##
1523
##                     Function "vnstat"                 ##
1525
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1524
## - Initialization of Vnstat and vnstat phpFrontEnd     ##
1526
###########################################################
1525
###########################################################
1527
vnstat ()
1526
vnstat()
1528
{
1527
{
1529
        [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1528
        [ -e /etc/vnstat.conf.default ] || cp /etc/vnstat.conf /etc/vnstat.conf.default
1530
        $SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1529
        $SED "s?^Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
1531
        $SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1530
        $SED "s?^DatabaseDir.*?DatabaseDir /var/log/vnstat?g" /etc/vnstat.conf
1532
        [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1531
        [ -e $DIR_ACC/manager/stats/config.php.default ] || cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
1533
        $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1532
        $SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?" $DIR_ACC/manager/stats/config.php
1534
        $SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1533
        $SED "s?\$iface_title\['.*?\$iface_title\['$EXTIF'\] = \$title;?" $DIR_ACC/manager/stats/config.php
1535
        /usr/bin/vnstat -i $EXTIF -u --force
1534
        /usr/bin/vnstat -i $EXTIF -u --force
1536
} # End of vnstat
1535
} # End of vnstat()
1537
 
1536
 
1538
##################################################################
1537
###################################################################
1539
##                     Function "dnsmasq"                       ##
1538
##                     Function "dnsmasq"                        ##
1540
## - creation of the conf files of the 4 intances of dnsmasq    ##
1539
## - creation of the conf files of dnsmasq (whitelist for ipset )##
1541
## - creation of the file managing domain name (local & remote) ##
-
 
1542
##################################################################
1540
###################################################################
1543
dnsmasq ()
1541
dnsmasq()
1544
{
1542
{
1545
        [ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1543
        [ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1546
        [ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1544
        [ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1547
        # 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1545
        # dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1548
        cat << EOF > /etc/dnsmasq-whitelist.conf
1546
        cat << EOF > /etc/dnsmasq-whitelist.conf
1549
# Configuration file for "dnsmasq with whitelist"
1547
# Configuration file for "dnsmasq with whitelist"
1550
# ADD Toulouse university whitelist domains
1548
# ADD Toulouse university whitelist domains
1551
pid-file=/var/run/dnsmasq-whitelist.pid
1549
pid-file=/var/run/dnsmasq-whitelist.pid
1552
listen-address=127.0.0.1
1550
listen-address=127.0.0.1
Line 1560... Line 1558...
1560
filterwin2k
1558
filterwin2k
1561
ipset=/#/wl_ip_allowed  # dynamically add the resolv IP address in the Firewall rules
1559
ipset=/#/wl_ip_allowed  # dynamically add the resolv IP address in the Firewall rules
1562
server=$DNS1
1560
server=$DNS1
1563
server=$DNS2
1561
server=$DNS2
1564
EOF
1562
EOF
1565
 
-
 
1566
        # Create dnsmasq-whitelist unit
1563
        # Create dnsmasq-whitelist unit
1567
        mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1564
        mv /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1568
        cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1565
        cp /lib/systemd/system/dnsmasq.service.default /lib/systemd/system/dnsmasq-whitelist.service
1569
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1566
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1570
        $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1567
        $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
1571
} # End dnsmasq
1568
} # End of dnsmasq()
1572
 
1569
 
1573
##################################################
1570
#########################################################
1574
##              Function "unbound"              ##
1571
##              Function "unbound"                     ##
-
 
1572
## - create the conf files for 4 unbound services      ##
-
 
1573
## - create the systemd files for 4 unbound services   ##
1575
##################################################
1574
#########################################################
1576
unbound ()
1575
unbound ()
1577
{
1576
{
1578
        [ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1577
        [ -d /etc/unbound/conf.d ] || mkdir -p /etc/unbound/conf.d
1579
        [ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1578
        [ -d /etc/unbound/conf.d/common ] || mkdir /etc/unbound/conf.d/common
1580
        [ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
1579
        [ -d /etc/unbound/conf.d/common/local-forward ] || mkdir /etc/unbound/conf.d/common/local-forward
Line 1583... Line 1582...
1583
        [ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1582
        [ -d /etc/unbound/conf.d/blacklist ] || mkdir /etc/unbound/conf.d/blacklist
1584
        [ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1583
        [ -d /etc/unbound/conf.d/whitelist ] || mkdir /etc/unbound/conf.d/whitelist
1585
        [ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1584
        [ -d /etc/unbound/conf.d/blackhole ] || mkdir /etc/unbound/conf.d/blackhole
1586
        [ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1585
        [ -d /var/log/unbound ] || { mkdir /var/log/unbound; chown unbound:unbound /var/log/unbound; }
1587
        [ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1586
        [ -e /etc/unbound/unbound.conf.default ] || cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.default
1588
 
-
 
1589
        # Local static DNS configuration
1587
        # Local static DNS configuration
1590
        [ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1588
        [ -e /etc/unbound/conf.d/common/local-dns/global.conf ] || touch /etc/unbound/conf.d/common/local-dns/global.conf
1591
 
1589
 
1592
        # Forward zone configuration file for all unbound dns servers
1590
# Forward zone configuration file for all unbound dns servers
1593
        cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1591
        cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf
1594
forward-zone:
1592
forward-zone:
1595
        name: "."
1593
        name: "."
1596
        forward-addr: $DNS1
1594
        forward-addr: $DNS1
1597
        forward-addr: $DNS2
1595
        forward-addr: $DNS2
1598
EOF
1596
EOF
1599
 
1597
 
1600
        # Custom configuration file for manual DNS configuration
1598
# Custom configuration file for manual DNS configuration
1601
        cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1599
        cat << EOF > /etc/unbound/conf.d/common/local-forward/custom.conf
1602
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1600
## Ajouter un bloc pour chaque nom de domaine géré par un autre seveur DNS
1603
## Add one block for each domain name managed by an other DNS server
1601
## Add one block for each domain name managed by an other DNS server
1604
##
1602
##
1605
## Example:
1603
## Example:
Line 1611... Line 1609...
1611
##     forward-addr: <@IP_domain_server>
1609
##     forward-addr: <@IP_domain_server>
1612
##
1610
##
1613
## INFO : local hostnames are resolved in /etc/hosts file
1611
## INFO : local hostnames are resolved in /etc/hosts file
1614
EOF
1612
EOF
1615
 
1613
 
1616
        # Configuration file of ALCASAR main domains for $INTIF
1614
# Configuration file of ALCASAR main domains for $INTIF
1617
        cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1615
        cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf
1618
server:
1616
server:
1619
        local-zone: "$HOSTNAME.$DOMAIN" static
1617
        local-zone: "$HOSTNAME.$DOMAIN" static
1620
        local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1618
        local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP"
1621
        local-zone: "$HOSTNAME" static
1619
        local-zone: "$HOSTNAME" static
1622
        local-data: "$HOSTNAME A $PRIVATE_IP"
1620
        local-data: "$HOSTNAME A $PRIVATE_IP"
1623
        local-zone: "$DOMAIN." static
1621
        local-zone: "$DOMAIN." static
1624
        local-data: "$DOMAIN. A"
1622
        local-data: "$DOMAIN. A"
1625
EOF
1623
EOF
1626
 
1624
 
1627
        # Configuration file for lo of forward unbound
1625
# Configuration file for lo of forward unbound
1628
        cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1626
        cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf
1629
server:
1627
server:
1630
        interface: 127.0.0.1@53
1628
        interface: 127.0.0.1@53
1631
        access-control-view: 127.0.0.1/8 lo
1629
        access-control-view: 127.0.0.1/8 lo
1632
 
1630
 
Line 1637... Line 1635...
1637
        local-zone: "$HOSTNAME" static
1635
        local-zone: "$HOSTNAME" static
1638
        local-data: "$HOSTNAME A 127.0.0.1"
1636
        local-data: "$HOSTNAME A 127.0.0.1"
1639
        view-first: yes
1637
        view-first: yes
1640
EOF
1638
EOF
1641
 
1639
 
1642
        # Configuration file for $INTIF of forward unbound
1640
# Configuration file for $INTIF of forward unbound
1643
        cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1641
        cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf
1644
server:
1642
server:
1645
        interface: ${PRIVATE_IP}@53
1643
        interface: ${PRIVATE_IP}@53
1646
        access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1644
        access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1647
 
1645
 
Line 1652... Line 1650...
1652
        local-zone: "$HOSTNAME" static
1650
        local-zone: "$HOSTNAME" static
1653
        local-data: "$HOSTNAME A $PRIVATE_IP"
1651
        local-data: "$HOSTNAME A $PRIVATE_IP"
1654
        view-first: yes
1652
        view-first: yes
1655
EOF
1653
EOF
1656
 
1654
 
1657
        # Configuration file for forward unbound
1655
# Configuration file for forward unbound
1658
        cat << EOF > /etc/unbound/unbound.conf
1656
        cat << EOF > /etc/unbound/unbound.conf
1659
server:
1657
server:
1660
        verbosity: 1
1658
        verbosity: 1
1661
        hide-version: yes
1659
        hide-version: yes
1662
        hide-identity: yes
1660
        hide-identity: yes
1663
        do-ip6: no
1661
        do-ip6: no
1664
 
-
 
1665
        include: /etc/unbound/conf.d/common/forward-zone.conf
1662
        include: /etc/unbound/conf.d/common/forward-zone.conf
1666
        include: /etc/unbound/conf.d/common/local-forward/*
1663
        include: /etc/unbound/conf.d/common/local-forward/*
1667
        include: /etc/unbound/conf.d/common/local-dns/*
1664
        include: /etc/unbound/conf.d/common/local-dns/*
1668
        include: /etc/unbound/conf.d/forward/*
1665
        include: /etc/unbound/conf.d/forward/*
1669
EOF
1666
EOF
1670
 
1667
 
1671
        # Configuration file for $INTIF of blacklist unbound
1668
# Configuration file for $INTIF of blacklist unbound
1672
        cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1669
        cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf
1673
server:
1670
server:
1674
        interface: ${PRIVATE_IP}@54
1671
        interface: ${PRIVATE_IP}@54
1675
        access-control: $PRIVATE_IP_MASK allow
1672
        access-control: $PRIVATE_IP_MASK allow
1676
        access-control-tag: $PRIVATE_IP_MASK "blacklist"
1673
        access-control-tag: $PRIVATE_IP_MASK "blacklist"
1677
        access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1674
        access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect
1678
        access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1675
        access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP"
1679
EOF
1676
EOF
1680
 
1677
 
1681
        # Configuration file for blacklist unbound
1678
# Configuration file for blacklist unbound
1682
        cat << EOF > /etc/unbound/unbound-blacklist.conf
1679
        cat << EOF > /etc/unbound/unbound-blacklist.conf
1683
server:
1680
server:
1684
        verbosity: 1
1681
        verbosity: 1
1685
        hide-version: yes
1682
        hide-version: yes
1686
        hide-identity: yes
1683
        hide-identity: yes
1687
        do-ip6: no
1684
        do-ip6: no
1688
        logfile: "/var/log/unbound/unbound-blacklist.log"
1685
        logfile: "/var/log/unbound/unbound-blacklist.log"
1689
        chroot: ""
1686
        chroot: ""
1690
        define-tag: "blacklist"
1687
        define-tag: "blacklist"
1691
        log-local-actions: yes
1688
        log-local-actions: yes
1692
 
-
 
1693
        include: /etc/unbound/conf.d/common/forward-zone.conf
1689
        include: /etc/unbound/conf.d/common/forward-zone.conf
1694
        include: /etc/unbound/conf.d/common/local-forward/*
1690
        include: /etc/unbound/conf.d/common/local-forward/*
1695
        include: /etc/unbound/conf.d/common/local-dns/*
1691
        include: /etc/unbound/conf.d/common/local-dns/*
1696
        include: /etc/unbound/conf.d/blacklist/*
1692
        include: /etc/unbound/conf.d/blacklist/*
1697
 
-
 
1698
        include: /usr/local/share/unbound-bl-enabled/*
1693
        include: /usr/local/share/unbound-bl-enabled/*
1699
EOF
1694
EOF
1700
 
1695
 
1701
        # Configuration file for $INTIF of whitelist unbound
1696
# Configuration file for $INTIF of whitelist unbound
1702
        cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1697
        cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf
1703
server:
1698
server:
1704
        interface: ${PRIVATE_IP}@55
1699
        interface: ${PRIVATE_IP}@55
1705
        access-control: $PRIVATE_IP_MASK allow
1700
        access-control: $PRIVATE_IP_MASK allow
1706
        access-control-tag: $PRIVATE_IP_MASK "whitelist"
1701
        access-control-tag: $PRIVATE_IP_MASK "whitelist"
1707
        access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1702
        access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect
1708
        access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1703
        access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP"
1709
EOF
1704
EOF
1710
 
1705
 
1711
        # Configuration file for whitelist unbound
1706
# Configuration file for whitelist unbound
1712
        cat << EOF > /etc/unbound/unbound-whitelist.conf
1707
        cat << EOF > /etc/unbound/unbound-whitelist.conf
1713
server:
1708
server:
1714
        verbosity: 1
1709
        verbosity: 1
1715
        hide-version: yes
1710
        hide-version: yes
1716
        hide-identity: yes
1711
        hide-identity: yes
1717
        do-ip6: no
1712
        do-ip6: no
1718
        do-not-query-localhost: no
1713
        do-not-query-localhost: no
1719
        define-tag: "whitelist"
1714
        define-tag: "whitelist"
1720
 
-
 
1721
        local-zone: "." transparent
1715
        local-zone: "." transparent
1722
        local-zone-tag: "." "whitelist"
1716
        local-zone-tag: "." "whitelist"
1723
 
-
 
1724
        include: /usr/local/share/unbound-wl-enabled/*
1717
        include: /usr/local/share/unbound-wl-enabled/*
1725
        include: /etc/unbound/conf.d/whitelist/*
1718
        include: /etc/unbound/conf.d/whitelist/*
1726
        include: /etc/unbound/conf.d/common/local-dns/*
1719
        include: /etc/unbound/conf.d/common/local-dns/*
1727
        include: /etc/unbound/conf.d/common/local-forward/*
1720
        include: /etc/unbound/conf.d/common/local-forward/*
1728
 
-
 
1729
forward-zone:
1721
forward-zone:
1730
        name: "."
1722
        name: "."
1731
        forward-addr: 127.0.0.1@55
1723
        forward-addr: 127.0.0.1@55
1732
EOF
1724
EOF
1733
 
1725
 
1734
        # Configuration file for $INTIF of blackhole unbound
1726
# Configuration file for $INTIF of blackhole unbound
1735
        cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1727
        cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf
1736
server:
1728
server:
1737
        interface: ${PRIVATE_IP}@56
1729
        interface: ${PRIVATE_IP}@56
1738
        access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1730
        access-control-view: $PRIVATE_NETWORK_MASK $INTIF
1739
 
1731
 
Line 1741... Line 1733...
1741
        name: "$INTIF"
1733
        name: "$INTIF"
1742
        local-zone: "." redirect
1734
        local-zone: "." redirect
1743
        local-data: ". A $PRIVATE_IP"
1735
        local-data: ". A $PRIVATE_IP"
1744
EOF
1736
EOF
1745
 
1737
 
1746
        # Configuration file for blackhole unbound
1738
# Configuration file for blackhole unbound
1747
        cat << EOF > /etc/unbound/unbound-blackhole.conf
1739
        cat << EOF > /etc/unbound/unbound-blackhole.conf
1748
server:
1740
server:
1749
        verbosity: 1
1741
        verbosity: 1
1750
        hide-version: yes
1742
        hide-version: yes
1751
        hide-identity: yes
1743
        hide-identity: yes
1752
        do-ip6: no
1744
        do-ip6: no
1753
 
-
 
1754
        include: /etc/unbound/conf.d/blackhole/*
1745
        include: /etc/unbound/conf.d/blackhole/*
1755
        include: /etc/unbound/conf.d/common/local-dns/*
1746
        include: /etc/unbound/conf.d/common/local-dns/*
1756
        include: /etc/unbound/conf.d/common/local-forward/*
1747
        include: /etc/unbound/conf.d/common/local-forward/*
1757
EOF
1748
EOF
1758
 
1749
 
Line 1760... Line 1751...
1760
        then
1751
        then
1761
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1752
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound.service.default
1762
        fi
1753
        fi
1763
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1754
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound.conf?g" /lib/systemd/system/unbound.service
1764
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1755
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/unbound.service
1765
 
-
 
1766
        for list in blacklist blackhole whitelist
1756
        for list in blacklist blackhole whitelist
1767
        do
1757
        do
1768
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1758
                cp -f /lib/systemd/system/unbound.service /lib/systemd/system/unbound-$list.service
1769
                $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1759
                $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /lib/systemd/system/unbound-$list.service
1770
                $SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1760
                $SED "s?^PIDFile=.*?PIDFile=/var/run/unbound-$list.pid?g" /lib/systemd/system/unbound-$list.service
1771
        done
1761
        done
1772
 
-
 
1773
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1762
        $SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /lib/systemd/system/unbound-whitelist.service
1774
} # End unbound
1763
} # End of unbound()
1775
 
1764
 
1776
##################################################
1765
##################################################
1777
##              Function "dhcpd"                ##
1766
##              Function "dhcpd"                ##
1778
##################################################
1767
##################################################
1779
dhcpd ()
1768
dhcpd()
1780
{
1769
{
1781
        [ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1770
        [ -e /etc/dhcpd.conf.default ] || cp /etc/dhcpd.conf /etc/dhcpd.conf.default
1782
 
-
 
1783
        cat <<EOF > /etc/dhcpd.conf
1771
        cat <<EOF > /etc/dhcpd.conf
1784
ddns-update-style none;
1772
ddns-update-style none;
1785
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1773
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK {
1786
        option routers $PRIVATE_IP;
1774
        option routers $PRIVATE_IP;
1787
        option subnet-mask $PRIVATE_NETMASK;
1775
        option subnet-mask $PRIVATE_NETMASK;
1788
        option domain-name-servers $PRIVATE_IP;
1776
        option domain-name-servers $PRIVATE_IP;
1789
 
-
 
1790
        range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1777
        range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP;
1791
        default-lease-time 21600;
1778
        default-lease-time 21600;
1792
        max-lease-time 43200;
1779
        max-lease-time 43200;
1793
}
1780
}
1794
EOF
1781
EOF
1795
}
1782
} # End of dhcpd()
1796
 
1783
 
1797
##########################################################
1784
##########################################################
1798
##                      Function "BL"                   ##
1785
##                      Function "BL"                   ##
1799
## - copy Toulouse BL                                   ##
1786
## - copy Toulouse BL                                   ##
1800
## - adapt this BL to ALCASAR architecture              ##
1787
## - adapt this BL to ALCASAR architecture              ##
1801
##     - domain names for unbound-bl & unbound-wl       ##
1788
##     - domain names for unbound-bl & unbound-wl       ##
1802
##     - URLs for E²guardian                            ##
1789
##     - URLs for E²guardian                            ##
1803
##     - IPs for NetFilter                              ##
1790
##     - IPs for NetFilter                              ##
1804
##########################################################
1791
##########################################################
1805
BL ()
1792
BL()
1806
{
1793
{
1807
        # copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1794
        # copy the Toulouse university BL in order to be adapted to ALCASAR architecture (alcasar-bl.sh -adapt)
1808
        rm -rf $DIR_DG/lists/blacklists
1795
        rm -rf $DIR_DG/lists/blacklists
1809
        mkdir -p /tmp/blacklists
1796
        mkdir -p /tmp/blacklists
1810
        cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
1797
        cp $DIR_BLACKLIST/blacklists.tar.gz /tmp/blacklists/
Line 1855... Line 1842...
1855
# adapt the Toulouse BL to ALCASAR architecture
1842
# adapt the Toulouse BL to ALCASAR architecture
1856
        $DIR_DEST_BIN/alcasar-bl.sh --adapt
1843
        $DIR_DEST_BIN/alcasar-bl.sh --adapt
1857
# enable the default categories
1844
# enable the default categories
1858
        $DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1845
        $DIR_DEST_BIN/alcasar-bl.sh --cat_choice
1859
        rm -rf /tmp/blacklists
1846
        rm -rf /tmp/blacklists
1860
} # End BL()
1847
} # End of BL()
1861
 
1848
 
1862
#######################################################
1849
#######################################################
1863
##                  Function "cron"                  ##
1850
##                  Function "cron"                  ##
1864
## - write all cron & anacron files                  ##
1851
## - write all cron & anacron files                  ##
1865
#######################################################
1852
#######################################################
1866
cron ()
1853
cron()
1867
{
1854
{
1868
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1855
# 'crontab' with standard cron at midnight instead of 4:0 am (default)
1869
        [ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1856
        [ -e /etc/crontab.default ] || cp /etc/crontab /etc/crontab.default
1870
        cat <<EOF > /etc/crontab
1857
        cat <<EOF > /etc/crontab
1871
SHELL=/usr/bin/bash
1858
SHELL=/usr/bin/bash
Line 1937... Line 1924...
1937
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1924
@daily root $DIR_DEST_BIN/alcasar-letsencrypt.sh --cron > /dev/null 2>&1
1938
EOF
1925
EOF
1939
 
1926
 
1940
# removing the users crons
1927
# removing the users crons
1941
        rm -f /var/spool/cron/*
1928
        rm -f /var/spool/cron/*
1942
} # End cron()
1929
} # End of cron()
1943
 
1930
 
1944
######################################################################
1931
######################################################################
1945
##                      Fonction "Fail2Ban"                         ##
1932
##                      Fonction "Fail2Ban"                         ##
1946
##- Adapt conf file to ALCASAR                                      ##
1933
##- Adapt conf file to ALCASAR                                      ##
1947
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
1934
##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
Line 1958... Line 1945...
1958
# fail2ban unit
1945
# fail2ban unit
1959
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1946
[ -e /lib/systemd/system/fail2ban.service.default ] || cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
1960
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1947
$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
1961
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1948
$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1962
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1949
$SED '/After=*/c After=syslog.target network.target lighttpd.service' /usr/lib/systemd/system/fail2ban.service
1963
} # End fail2ban()
1950
} # End of fail2ban()
1964
 
1951
 
1965
#########################################################
1952
#########################################################
1966
##                   Fonction "gammu_smsd"             ##
1953
##                   Fonction "gammu_smsd"             ##
1967
## - Creating of SMS management database               ##
1954
## - Creating of SMS management database               ##
1968
## - Write the gammu a gammu_smsd conf files           ##
1955
## - Write the gammu a gammu_smsd conf files           ##
Line 2047... Line 2034...
2047
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2034
#KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="$DIR_DEST_BIN/alcasar-sms.sh --mode"
2048
#EOF
2035
#EOF
2049
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2036
# Udev rule for fixing the enumeration of ttyUSB port on some MODEM (when they switch randomly the order of their ports at boot time)
2050
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2037
# example : http://hintshop.ludvig.co.nz/show/persistent-names-usb-serial-devices/
2051
 
2038
 
2052
} # End gammu_smsd()
2039
} # End of gammu_smsd()
2053
 
2040
 
2054
############################################################
2041
############################################################
2055
##                 Fonction "msec"                        ##
2042
##                 Fonction "msec"                        ##
2056
## - Apply the "fileserver" security level                ##
2043
## - Apply the "fileserver" security level                ##
2057
## - remove the "system request" for rebboting            ##
2044
## - remove the "system request" for rebboting            ##
Line 2082... Line 2069...
2082
EOF
2069
EOF
2083
# apply now hourly & daily checks
2070
# apply now hourly & daily checks
2084
/usr/sbin/msec
2071
/usr/sbin/msec
2085
/etc/cron.weekly/msec
2072
/etc/cron.weekly/msec
2086
 
2073
 
2087
} # End msec()
2074
} # End of msec()
2088
 
-
 
2089
 
2075
 
2090
##################################################################
2076
##################################################################
2091
##                   Fonction "letsencrypt"                     ##
2077
##                   Fonction "letsencrypt"                     ##
2092
## - Install Let's Encrypt client                               ##
2078
## - Install Let's Encrypt client                               ##
2093
## - Prepare Let's Encrypt ALCASAR configuration file           ##
2079
## - Prepare Let's Encrypt ALCASAR configuration file           ##
Line 2136... Line 2122...
2136
EOF
2122
EOF
2137
 
2123
 
2138
        cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2124
        cd $pwdInstall || { echo "Unable to find $pwdInstall directory"; exit 1; }
2139
        rm -rf /tmp/acme.sh-*
2125
        rm -rf /tmp/acme.sh-*
2140
 
2126
 
2141
} # END letsencrypt()
2127
} # End of letsencrypt()
2142
 
2128
 
2143
##################################################################
2129
##################################################################
2144
##                    Fonction "post_install"                   ##
2130
##                    Fonction "post_install"                   ##
2145
## - Modifying banners (locals et ssh) & prompts                ##
2131
## - Modifying banners (locals et ssh) & prompts                ##
2146
## - SSH config                                                 ##
2132
## - SSH config                                                 ##
Line 2350... Line 2336...
2350
        then
2336
        then
2351
                read
2337
                read
2352
        fi
2338
        fi
2353
        clear
2339
        clear
2354
        reboot
2340
        reboot
2355
} # End post_install ()
2341
} # End of post_install()
2356
 
2342
 
2357
#####################################################################################
2343
#####################################################################################
2358
#                                   Main Install loop                               #
2344
#                                   Main Install loop                               #
2359
#####################################################################################
2345
#####################################################################################
2360
dir_exec=`dirname "$0"`
2346
dir_exec=`dirname "$0"`
Line 2384... Line 2370...
2384
        -\? | -h* | --h*)
2370
        -\? | -h* | --h*)
2385
                echo "$usage"
2371
                echo "$usage"
2386
                exit 0
2372
                exit 0
2387
                ;;
2373
                ;;
2388
        -i | --install)
2374
        -i | --install)
-
 
2375
                for func in license testing
-
 
2376
                do
2389
                header_install
2377
                        header_install
-
 
2378
                        $func
-
 
2379
                        if [ $DEBUG_ALCASAR == "on" ]
2390
                license
2380
                        then
-
 
2381
                                echo "*** 'debug' : end of install '$func' ***"
2391
                header_install
2382
                                read
-
 
2383
                        fi
2392
                testing
2384
                done
2393
# RPMs install
2385
# RPMs install
2394
                $DIR_SCRIPTS/alcasar-urpmi.sh
2386
                $DIR_SCRIPTS/alcasar-urpmi.sh
2395
                if [ "$?" != "0" ]
2387
                if [ "$?" != "0" ]
2396
                then
2388
                then
2397
                        exit 0
2389
                        exit 0